[Detection Rules] Add 7.14 rules (#103730)

This commit is contained in:
Justin Ibarra 2021-06-29 16:24:35 -08:00 committed by GitHub
parent e7e1e3c1f9
commit 26407550da
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 693 additions and 15 deletions


@ -1,6 +1,8 @@
{
"author": [
"Elastic"
"Elastic",
"Willem D'Haese",
"Austin Songer"
],
"description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
"false_positives": [
@ -15,7 +17,10 @@
"license": "Elastic License v2",
"name": "Attempts to Brute Force a Microsoft 365 User Account",
"note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and \nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\") and event.outcome:failure\n",
"query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:failure\n",
"references": [
"https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
],
"risk_score": 73,
"rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
"severity": "high",
@ -51,5 +56,5 @@
"value": 10
},
"type": "threshold",
"version": 4
"version": 5
}
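Review bot: The new `o365.audit.LogonError` exclusion on the second `query` line changes what this rule catches, but nothing in the rule explains why those five error codes are dropped; `UserAccountNotFound` in particular is the code a spray against non-existent usernames produces, so excluding it trades enumeration visibility for noise reduction. Add the rationale to the `note` field, e.g. `"note": "## Config\n\n…\n\n## Triage\n\nThe query excludes LogonError values that indicate MFA enrollment prompts or unknown accounts rather than wrong passwords; review those failures separately when tuning."`. The companion password-spraying rule is where unknown-account failures would now need to be caught, if anywhere, so the two rules' notes should cross-reference that split.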


@ -15,7 +15,7 @@
"license": "Elastic License v2",
"name": "Potential Password Spraying of Microsoft 365 User Accounts",
"note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure\n",
"query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and \nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\") and event.outcome:failure\n",
"risk_score": 73,
"rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d",
"severity": "high",
@ -51,5 +51,5 @@
"value": 25
},
"type": "threshold",
"version": 3
"version": 4
}
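Review bot: The replacement on the second `query` line is byte-for-byte the query the brute-force rule (`rule_id` 26f68dba-ce29-497b-8e13-b4fde1db5a2d) used before this commit, so the two rules now differ only in threshold settings (`value` 25 here versus 10 there) and whatever `threshold.field` each uses, which lies outside the hunk. If this rule is meant to group by source address while the brute-force rule groups by user, state that in the `note` so the overlap is clearly intentional; otherwise both will fire on the same failure bursts. The `note` should also say which failures (e.g. `UserAccountNotFound`) this rule is now expected to keep catching, given that the brute-force rule excludes them.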


@ -11,7 +11,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Shell Execution via Apple Scripting",
"query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.ppid\n",
"query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n",
"references": [
"https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
"https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"
@ -44,5 +44,5 @@
}
],
"type": "eql",
"version": 2
"version": 3
}


@ -0,0 +1,71 @@
{
"author": [
"Elastic",
"Austin Songer"
],
"description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.",
"false_positives": [
"Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"from": "now-60m",
"index": [
"filebeat-*",
"logs-aws*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS EC2 Full Network Packet Capture Detected",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and \nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and \nevent.outcome:success\n",
"references": [
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html",
"https://github.com/easttimor/aws-incident-response"
],
"risk_score": 47,
"rule_id": "c1812764-0788-470f-8e74-eb4a14d47573",
"severity": "medium",
"tags": [
"Elastic",
"Cloud",
"AWS",
"Continuous Monitoring",
"SecOps",
"Network Security"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0010",
"name": "Exfiltration",
"reference": "https://attack.mitre.org/tactics/TA0010/"
},
"technique": [
{
"id": "T1020",
"name": "Automated Exfiltration",
"reference": "https://attack.mitre.org/techniques/T1020/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0009",
"name": "Collection",
"reference": "https://attack.mitre.org/tactics/TA0009/"
},
"technique": [
{
"id": "T1074",
"name": "Data Staged",
"reference": "https://attack.mitre.org/techniques/T1074/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
}
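Review bot: The second `threat` entry (TA0009 Collection → T1074 Data Staged) does not describe traffic mirroring; copying packets off an ENI is network sniffing, which ATT&CK models as T1040 Network Sniffing under Credential Access and Discovery. Consider replacing the T1074 technique object with `{"id": "T1040", "name": "Network Sniffing", "reference": "https://attack.mitre.org/techniques/T1040/"}` under one of those tactics. The rule `name` ("Full Network Packet Capture Detected") also overstates what the `query` matches — successful `CreateTrafficMirror*` API calls, not captured packets — so a name such as "AWS EC2 Traffic Mirroring Session Created" would be more accurate.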


@ -0,0 +1,48 @@
{
"author": [
"Elastic"
],
"description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.",
"false_positives": [
"Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"from": "now-60m",
"index": [
"filebeat-*",
"logs-aws*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS RDS Snapshot Export",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n",
"references": [
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"
],
"risk_score": 21,
"rule_id": "119c8877-8613-416d-a98a-96b6664ee73a5",
"severity": "low",
"tags": [
"Elastic",
"Cloud",
"AWS",
"Continuous Monitoring",
"SecOps",
"Asset Visibility"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0010",
"name": "Exfiltration",
"reference": "https://attack.mitre.org/tactics/TA0010/"
},
"technique": []
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
}
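Review bot: The `rule_id` value `119c8877-8613-416d-a98a-96b6664ee73a5` is not a well-formed UUID — the last group has 13 hex digits instead of 12 — while every other rule in this commit uses a valid one; Kibana stores the field as an opaque string, but the repository's rule tooling and any `uuid` format validation will reject it, so regenerate it before merge. The `description` also limits the rule to an "Aurora database snapshot" export, whereas `StartExportTask` applies to RDS snapshots generally as far as I know and the `query` has no engine filter; dropping "Aurora" would match the `name`.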


@ -0,0 +1,55 @@
{
"author": [
"Elastic",
"Austin Songer"
],
"description": "Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.",
"false_positives": [
"Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"from": "now-25m",
"index": [
"filebeat-*",
"logs-azure*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"name": "Azure Service Principal Credentials Added",
"note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials.\" and event.outcome:(success or Success)\n",
"references": [
"https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"
],
"risk_score": 47,
"rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4",
"severity": "medium",
"tags": [
"Elastic",
"Cloud",
"Azure",
"Continuous Monitoring",
"SecOps",
"Identity and Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0040",
"name": "Impact",
"reference": "https://attack.mitre.org/tactics/TA0040/"
},
"technique": [
{
"id": "T1496",
"name": "Resource Hijacking",
"reference": "https://attack.mitre.org/techniques/T1496/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
}
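Review bot: The `threat` mapping (TA0040 Impact → T1496 Resource Hijacking) does not fit the behaviour the `description` itself explains — adding a secret or certificate to a service principal is account manipulation for persistence, which ATT&CK tracks as T1098 Account Manipulation with sub-technique T1098.001 Additional Cloud Credentials. Replace the tactic with TA0003 Persistence and the technique with T1098 plus a `subtechnique` entry for T1098.001, using the nesting already shown in this commit for T1136.003. As filed, the rule lands under Impact in ATT&CK coverage views, where nobody hunting for credential additions will look.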


@ -0,0 +1,55 @@
{
"author": [
"Elastic",
"Austin Songer"
],
"description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security Group.",
"false_positives": [
"A RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"from": "now-60m",
"index": [
"filebeat-*",
"logs-aws*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS RDS Security Group Deletion",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n",
"references": [
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"
],
"risk_score": 21,
"rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b",
"severity": "low",
"tags": [
"Elastic",
"Cloud",
"AWS",
"Continuous Monitoring",
"SecOps",
"Monitoring"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0040",
"name": "Impact",
"reference": "https://attack.mitre.org/tactics/TA0040/"
},
"technique": [
{
"id": "T1531",
"name": "Account Access Removal",
"reference": "https://attack.mitre.org/techniques/T1531/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
}
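Review bot: T1531 Account Access Removal on the `technique` entry is about locking users out of accounts; deleting an RDS DB security group changes network reachability, which ATT&CK covers as T1562.007 Disable or Modify Cloud Firewall under Defense Evasion, and that is the mapping triage analysts will expect. Note also that `DeleteDBSecurityGroup` targets the legacy (EC2-Classic era) DB security groups; instances in a VPC use VPC security groups, whose deletions appear as EC2 `DeleteSecurityGroup` events and are not matched here — confirm against a sample CloudTrail event and, if so, state that scope in the `description` or `note` so the coverage gap is explicit.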


@ -545,10 +545,24 @@ import rule532 from './command_and_control_tunneling_via_earthworm.json';
import rule533 from './lateral_movement_evasion_rdp_shadowing.json';
import rule534 from './threat_intel_module_match.json';
import rule535 from './exfiltration_ec2_vm_export_failure.json';
import rule536 from './defense_evasion_suspicious_execution_from_mounted_device.json';
import rule537 from './defense_evasion_unusual_network_connection_via_dllhost.json';
import rule538 from './defense_evasion_amsienable_key_mod.json';
import rule539 from './persistence_via_bits_job_notify_command.json';
import rule536 from './exfiltration_ec2_full_network_packet_capture_detected.json';
import rule537 from './impact_azure_service_principal_credentials_added.json';
import rule538 from './persistence_route_53_domain_transfer_lock_disabled.json';
import rule539 from './persistence_route_53_domain_transferred_to_another_account.json';
import rule540 from './defense_evasion_suspicious_execution_from_mounted_device.json';
import rule541 from './defense_evasion_unusual_network_connection_via_dllhost.json';
import rule542 from './defense_evasion_amsienable_key_mod.json';
import rule543 from './impact_rds_group_deletion.json';
import rule544 from './persistence_rds_group_creation.json';
import rule545 from './exfiltration_rds_snapshot_export.json';
import rule546 from './persistence_rds_instance_creation.json';
import rule547 from './ml_auth_rare_hour_for_a_user_to_logon.json';
import rule548 from './ml_auth_rare_source_ip_for_a_user.json';
import rule549 from './ml_auth_rare_user_logon.json';
import rule550 from './ml_auth_spike_in_failed_logon_events.json';
import rule551 from './ml_auth_spike_in_logon_events.json';
import rule552 from './ml_auth_spike_in_logon_events_from_a_source_ip.json';
import rule553 from './persistence_via_bits_job_notify_command.json';
export const rawRules = [
rule1,
@ -1090,4 +1104,18 @@ export const rawRules = [
rule537,
rule538,
rule539,
rule540,
rule541,
rule542,
rule543,
rule544,
rule545,
rule546,
rule547,
rule548,
rule549,
rule550,
rule551,
rule552,
rule553,
];
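Review bot: The first hunk renumbers the existing imports (`rule536`–`rule539` become `rule540`, `rule541`, `rule542` and `rule553`) instead of appending the new rules after the last identifier, so a reviewer must diff file paths rather than names to confirm no existing rule was dropped, and any other branch touching this file will conflict. Keeping the existing `ruleNNN` bindings and appending `rule540`–`rule553` for the 14 new files would make the change purely additive. The `rawRules` array opens inside the first hunk and its middle lies outside the section, so the 14 added entries at the end should be checked against the 14 added imports once applied.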


@ -12,7 +12,10 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "SMB (Windows File Sharing) Activity to the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.168.0.0/16 or\n 224.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
"references": [
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
],
"risk_score": 73,
"rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
"severity": "high",
@ -57,5 +60,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 8
"version": 9
}
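Review bot: Several of the new destination exclusions on the second `query` line are redundant: `192.0.0.0/24` already contains `192.0.0.0/29`, `192.0.0.8/32`, `192.0.0.9/32`, `192.0.0.10/32`, `192.0.0.170/32` and `192.0.0.171/32`, so those six entries add clauses without changing results. Conversely the IANA registry cited in `references` also lists `0.0.0.0/8`, and on the IPv6 side unique-local addresses (`fc00::/7`) are not excluded, so internal-to-internal SMB over ULA still alerts as "to the Internet". The `source.ip` filter still admits only RFC 1918 sources, so a host in `100.64.0.0/10` is never considered even though that range was added to the destination exclusions — worth deciding deliberately whether CGNAT space counts as internal for this rule.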


@ -0,0 +1,29 @@
{
"anomaly_threshold": 75,
"author": [
"Elastic"
],
"description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.",
"false_positives": [
"Users working late, or logging in from unusual time zones while traveling, may trigger this rule."
],
"from": "now-30m",
"interval": "15m",
"license": "Elastic License v2",
"machine_learning_job_id": "auth_rare_hour_for_a_user",
"name": "Unusual Hour for a User to Logon",
"references": [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
],
"risk_score": 21,
"rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d",
"severity": "low",
"tags": [
"Elastic",
"Authentication",
"Threat Detection",
"ML"
],
"type": "machine_learning",
"version": 1
}
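Review bot: None of the six new machine-learning rules (this one and the five that follow, `machine_learning_job_id` values `auth_rare_source_ip_for_a_user`, `auth_rare_user`, `auth_high_count_logon_fails`, `auth_high_count_logon_events`, `auth_high_count_logon_events_for_a_source_ip`) carries a `threat` array, although each `description` names the behaviour it detects (credentialed access via a compromised account, brute force). Adding at least a tactic-level mapping — e.g. TA0001 Initial Access with T1078 Valid Accounts for the rare-user/rare-hour/rare-IP jobs and TA0006 Credential Access with T1110 Brute Force for the failed-logon spike job — lets these alerts show up in ATT&CK coverage views alongside the query rules in this commit. The `note` field the other rules use (`## Config …`) is also absent, so an operator gets no hint which integration must feed the `auth_*` jobs.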


@ -0,0 +1,29 @@
{
"anomaly_threshold": 75,
"author": [
"Elastic"
],
"description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.",
"false_positives": [
"Business travelers who roam to new locations may trigger this alert."
],
"from": "now-30m",
"interval": "15m",
"license": "Elastic License v2",
"machine_learning_job_id": "auth_rare_source_ip_for_a_user",
"name": "Unusual Source IP for a User to Logon from",
"references": [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
],
"risk_score": 21,
"rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b",
"severity": "low",
"tags": [
"Elastic",
"Authentication",
"Threat Detection",
"ML"
],
"type": "machine_learning",
"version": 1
}


@ -0,0 +1,29 @@
{
"anomaly_threshold": 75,
"author": [
"Elastic"
],
"description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive, because the user has left the organization, which becomes active, may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
"false_positives": [
"User accounts that are rarely active, such as an SRE or developer logging into a prod server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."
],
"from": "now-30m",
"interval": "15m",
"license": "Elastic License v2",
"machine_learning_job_id": "auth_rare_user",
"name": "Rare User Logon",
"references": [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
],
"risk_score": 21,
"rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a",
"severity": "low",
"tags": [
"Elastic",
"Authentication",
"Threat Detection",
"ML"
],
"type": "machine_learning",
"version": 1
}


@ -0,0 +1,29 @@
{
"anomaly_threshold": 75,
"author": [
"Elastic"
],
"description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.",
"false_positives": [
"A misconfigured service account can trigger this alert. A password change on ana account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
],
"from": "now-30m",
"interval": "15m",
"license": "Elastic License v2",
"machine_learning_job_id": "auth_high_count_logon_fails",
"name": "Spike in Failed Logon Events",
"references": [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
],
"risk_score": 21,
"rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c",
"severity": "low",
"tags": [
"Elastic",
"Authentication",
"Threat Detection",
"ML"
],
"type": "machine_learning",
"version": 1
}
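Review bot: The `false_positives` text reads "A password change on ana account used by an email client" — `ana` should be `an`. The same family of strings has a second slip in the source-IP spike rule that follows (`machine_learning_job_id` `auth_high_count_logon_events_for_a_source_ip`), whose `description` says "authentication events events". Both strings are displayed verbatim in the rule details page and in exported rule bundles, so they are worth fixing before the release tag.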


@ -0,0 +1,29 @@
{
"anomaly_threshold": 75,
"author": [
"Elastic"
],
"description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.",
"false_positives": [
"Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
],
"from": "now-30m",
"interval": "15m",
"license": "Elastic License v2",
"machine_learning_job_id": "auth_high_count_logon_events",
"name": "Spike in Logon Events",
"references": [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
],
"risk_score": 21,
"rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9",
"severity": "low",
"tags": [
"Elastic",
"Authentication",
"Threat Detection",
"ML"
],
"type": "machine_learning",
"version": 1
}


@ -0,0 +1,29 @@
{
"anomaly_threshold": 75,
"author": [
"Elastic"
],
"description": "A machine learning job found an unusually large spike in successful authentication events events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.",
"false_positives": [
"Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
],
"from": "now-30m",
"interval": "15m",
"license": "Elastic License v2",
"machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip",
"name": "Spike in Logon Events from a Source IP",
"references": [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
],
"risk_score": 21,
"rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd",
"severity": "low",
"tags": [
"Elastic",
"Authentication",
"Threat Detection",
"ML"
],
"type": "machine_learning",
"version": 1
}


@ -11,7 +11,7 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Persistence via Folder Action Script",
"query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"sh\")] by process.ppid\n",
"query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"sh\")] by process.parent.pid\n",
"references": [
"https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"
],
@ -59,5 +59,5 @@
}
],
"type": "eql",
"version": 2
"version": 3
}


@ -0,0 +1,62 @@
{
"author": [
"Elastic",
"Austin Songer"
],
"description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security Group.",
"false_positives": [
"A RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"from": "now-60m",
"index": [
"filebeat-*",
"logs-aws*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS RDS Security Group Creation",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n",
"references": [
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"
],
"risk_score": 21,
"rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e",
"severity": "low",
"tags": [
"Elastic",
"Cloud",
"AWS",
"Continuous Monitoring",
"SecOps",
"Monitoring"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1136",
"name": "Create Account",
"reference": "https://attack.mitre.org/techniques/T1136/",
"subtechnique": [
{
"id": "T1136.003",
"name": "Cloud Account",
"reference": "https://attack.mitre.org/techniques/T1136/003/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
}
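Review bot: The `threat` mapping to T1136.003 Create Account: Cloud Account is inaccurate — `CreateDBSecurityGroup` creates a network-access object, not a principal, so analysts filtering on account-creation techniques will get a false hit. The sibling RDS rules in this commit leave `"technique": []` under a tactic when no technique fits; doing the same here, or mapping to T1562.007 Disable or Modify Cloud Firewall if the concern is a permissive group being introduced, would be more honest. As with the deletion rule, this API appears to cover only legacy DB security groups (VPC instances use EC2 security groups), which the `description` should state once confirmed against a sample event.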


@ -0,0 +1,48 @@
{
"author": [
"Elastic"
],
"description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.",
"false_positives": [
"A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"from": "now-60m",
"index": [
"filebeat-*",
"logs-aws*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS RDS Instance Creation",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n",
"references": [
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"
],
"risk_score": 21,
"rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315",
"severity": "low",
"tags": [
"Elastic",
"Cloud",
"AWS",
"Continuous Monitoring",
"SecOps",
"Asset Visibility"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": []
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
}
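Review bot: The `false_positives` string reads "Instances creations from unfamiliar users"; it should be "Instance creations". The `description` also restricts the rule to an "Aurora database instance", but `CreateDBInstance` is the API for every RDS engine and the `query` has no engine filter, so either drop "Aurora" from the description to match the `name` or add the intended engine constraint to the query.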


@ -0,0 +1,65 @@
{
"author": [
"Elastic",
"Austin Songer"
],
"description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.",
"false_positives": [
"A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"from": "now-60m",
"index": [
"filebeat-*",
"logs-aws*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS Route 53 Domain Transfer Lock Disabled",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n",
"references": [
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"
],
"risk_score": 21,
"rule_id": "12051077-0124-4394-9522-8f4f4db1d674",
"severity": "low",
"tags": [
"Elastic",
"Cloud",
"AWS",
"Continuous Monitoring",
"SecOps",
"Asset Visibility"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1098",
"name": "Account Manipulation",
"reference": "https://attack.mitre.org/techniques/T1098/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": []
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
}
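Review bot: The `event.provider:route53.amazonaws.com` term in `query` likely never matches: `DisableDomainTransferLock` is a Route 53 Domains action (the `API_domains_…` URL in `references` confirms the API family), and CloudTrail records those with `eventSource` `route53domains.amazonaws.com`, while `route53.amazonaws.com` is used for hosted-zone operations — please confirm against a sample event and, if so, change the term to `event.provider:route53domains.amazonaws.com`. The domain-transfer rule that follows (`rule_id` 2045567e-b0af-444a-8c0b-0b6e2dae9e13) uses the same provider and would need the same fix. The second `threat` entry maps TA0006 Credential Access with an empty `technique`; unlocking a domain for transfer is not a credential-access step, so that entry should be dropped rather than left as a tactic-only mapping.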


@ -0,0 +1,64 @@
{
"author": [
"Elastic",
"Austin Songer"
],
"description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.",
"false_positives": [
"A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"from": "now-60m",
"index": [
"filebeat-*",
"logs-aws*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License v2",
"name": "AWS Route 53 Domain Transferred to Another Account",
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n",
"references": [
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"
],
"risk_score": 21,
"rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13",
"severity": "low",
"tags": [
"Elastic",
"Cloud",
"AWS",
"Continuous Monitoring",
"SecOps",
"Asset Visibility"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1098",
"name": "Account Manipulation",
"reference": "https://attack.mitre.org/techniques/T1098/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": []
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
}