[Detection Rules] Add 7.11 rules (#85506)

Justin Ibarra 2020-12-11 07:45:44 +01:00 committed by GitHub
parent 28738e6b4b
commit e5c7134925
203 changed files with 6911 additions and 437 deletions


@ -0,0 +1,35 @@
{
"author": [
"Elastic"
],
"description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.",
"false_positives": [
"Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"from": "now-130m",
"index": [
"filebeat-*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License",
"name": "Application Added to Google Workspace Domain",
"note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
"query": "event.dataset:gsuite.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
"references": [
"https://support.google.com/a/answer/6328701?hl=en#"
],
"risk_score": 47,
"rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd",
"severity": "medium",
"tags": [
"Elastic",
"Cloud",
"Google Workspace",
"Continuous Monitoring",
"SecOps",
"Configuration Audit"
],
"type": "query",
"version": 1
}
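Review bot: The `"from": "now-130m"` lookback cannot cover the ingestion delay the `note` itself describes: Google may surface admin events up to 3 days after they occur, and a late event keeps its original timestamp, so anything published more than roughly 130 minutes after the fact is never evaluated by this rule. Lowering the Filebeat `var.interval` only shortens the polling side of that delay. Either widen `from` or state the gap plainly in the note, e.g. `Events that Google publishes to the audit log more than 130 minutes after they occur will not be evaluated by this rule.` Unlike the host rules added in this commit, this rule also carries no `threat` mapping, although the description's "maintain a presence" wording points at a Persistence tactic entry.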


@ -0,0 +1,36 @@
{
"author": [
"Elastic"
],
"description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
"false_positives": [
"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."
],
"index": [
"filebeat-*",
"logs-okta*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Attempt to Deactivate an Okta Network Zone",
"note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:okta.system and event.action:zone.deactivate",
"references": [
"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/"
],
"risk_score": 47,
"rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1",
"severity": "medium",
"tags": [
"Elastic",
"Identity",
"Okta",
"Continuous Monitoring",
"SecOps",
"Network Security"
],
"type": "query",
"version": 1
}
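Review bot: The rule has no `threat` array, yet the description frames zone deactivation as an attempt to "remove or weaken an organization's security controls", which is the Defense Evasion / Impair Defenses pattern that the other rules in this commit map explicitly. Adding a MITRE ATT&CK entry for tactic TA0005 with technique T1562 would keep the Okta rules consistent with the rest of the set and make the alert easier to triage. The same applies to the sibling zone-delete rule.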


@ -0,0 +1,36 @@
{
"author": [
"Elastic"
],
"description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
"false_positives": [
"Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."
],
"index": [
"filebeat-*",
"logs-okta*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Attempt to Delete an Okta Network Zone",
"note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:okta.system and event.action:zone.delete",
"references": [
"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/"
],
"risk_score": 47,
"rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad",
"severity": "medium",
"tags": [
"Elastic",
"Identity",
"Okta",
"Continuous Monitoring",
"SecOps",
"Network Security"
],
"type": "query",
"version": 1
}
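Review bot: The `false_positives` entry has a typo that will be shown verbatim in the Kibana rule details: `if Oyour organization's Okta network zones` should read `if your organization's Okta network zones`. As with the deactivate rule, there is no `threat` mapping although the description explicitly describes weakening security controls; a TA0005 / T1562 entry would keep these Okta rules consistent with the other rules in the commit.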


@ -0,0 +1,58 @@
{
"author": [
"Elastic"
],
"description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. If using Filebeat, this rule requires the Suricata or Zeek modules. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module configuration.",
"index": [
"filebeat-*",
"packetbeat-*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Default Cobalt Strike Team Server Certificate",
"note": "While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly.",
"query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)",
"references": [
"https://attack.mitre.org/software/S0154/",
"https://www.cobaltstrike.com/help-setup-collaboration",
"https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
"https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
"https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html"
],
"risk_score": 100,
"rule_id": "e7075e8d-a966-458e-a183-85cd331af255",
"severity": "critical",
"tags": [
"Command and Control",
"Post-Execution",
"Threat Detection, Prevention and Hunting",
"Elastic",
"Network"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"reference": "https://attack.mitre.org/techniques/T1071/",
"subtechnique": [
{
"id": "T1071.001",
"name": "Web Protocols",
"reference": "https://attack.mitre.org/techniques/T1071/001/"
}
]
}
]
}
],
"type": "query",
"version": 1
}
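Review bot: The three fingerprints in `query` are upper-case hex and `tls.server.hash.*` are keyword fields, so the KQL comparison is exact and case-sensitive; if the Zeek or Suricata Filebeat modules (or Packetbeat) emit lower-case fingerprints for the data sources this rule claims to support, the rule silently never fires. Verify the case each module produces, or match both spellings, and say which was checked in the `note`. The `tags` also diverge from every other rule in this commit (`Threat Detection, Prevention and Hunting`, `Post-Execution` rather than the `Threat Detection` / `Host` / `Network` set), and two `references` pin the 7.9 Beats docs while the Packetbeat link uses `current`.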


@ -0,0 +1,44 @@
{
"author": [
"Elastic"
],
"description": "Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Connection to Commonly Abused Web Services",
"query": "network where network.protocol == \"dns\" and\n /* Add new WebSvc domains here */\n wildcard(dns.question.name, \"*.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\"\n ) and\n /* Insert noisy false positives here */\n not process.name in (\"MicrosoftEdgeCP.exe\",\n \"MicrosoftEdge.exe\",\n \"iexplore.exe\",\n \"chrome.exe\",\n \"msedge.exe\",\n \"opera.exe\",\n \"firefox.exe\",\n \"Dropbox.exe\",\n \"slack.exe\",\n \"svchost.exe\",\n \"thunderbird.exe\",\n \"outlook.exe\",\n \"OneDrive.exe\")\n",
"risk_score": 21,
"rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1102",
"name": "Web Service",
"reference": "https://attack.mitre.org/techniques/T1102/"
}
]
}
],
"type": "eql",
"version": 1
}
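Review bot: The `description` contains a duplicated fragment, `blend into legitimate traffic. activity.`, which should be cut to `blend into legitimate traffic.`. The false-positive allowlist keys only on `process.name`, so an implant dropped anywhere on disk as `chrome.exe` or `svchost.exe` is excluded regardless of where it runs from; scoping the exclusions to `process.executable` paths, as the free-SSL-certificate rule in this commit does, makes them harder to satisfy. Patterns such as `*ngrok.*` and `*portmap.*` also match any label that merely ends in those strings, which is worth a comment in the query if intentional.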


@ -13,7 +13,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "DNS Activity to the Internet",
"query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
"query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")",
"references": [
"https://www.us-cert.gov/ncas/alerts/TA15-240A",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf"
@ -45,5 +45,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}
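Review bot: The new exclusion list still defines "internal" as the three RFC 1918 blocks only, so networks that use RFC 6598 shared address space (`100.64.0.0/10`) or IPv6 unique local addresses (`fc00::/7`) will report internal-to-internal DNS as Internet activity, and IPv6 source addresses never satisfy the `source.ip` clause at all. If that scope is intended, it should be stated in the rule's `false_positives`; otherwise add those ranges next to the link-local and multicast exclusions introduced here. The same list is copied into every "to/from the Internet" rule in this commit, so whichever choice is made should be applied uniformly.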


@ -0,0 +1,51 @@
{
"author": [
"Elastic"
],
"description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Potential DNS Tunneling via NsLookup",
"query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)",
"references": [
"https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
],
"risk_score": 47,
"rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"reference": "https://attack.mitre.org/techniques/T1071/"
}
]
}
],
"threshold": {
"field": "host.id",
"value": 15
},
"type": "threshold",
"version": 1
}
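Review bot: `process.args` is a keyword field, so the four option forms are matched case-sensitively; nslookup accepts `-TYPE=TXT` or `-Q=TXT` just as well, and a single casing change bypasses the rule (KQL case-insensitivity only comes from analyzed text fields). Consider documenting that limitation in a `note` or enumerating the common casings. The threshold of 15 per `host.id` also counts any query type, so an administrator scripting `nslookup -type=MX` across a list of domains will trip it; a `false_positives` entry describing that scenario would help triage.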


@ -0,0 +1,44 @@
{
"author": [
"Elastic"
],
"description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Connection to Commonly Abused Free SSL Certificate Providers",
"query": "network where network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n \n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n \n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n",
"risk_score": 21,
"rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1573",
"name": "Encrypted Channel",
"reference": "https://attack.mitre.org/techniques/T1573/"
}
]
}
],
"type": "eql",
"version": 1
}
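Review bot: The detection keys on DNS lookups for the certificate providers' own domains (`*letsencrypt.org`, `*.zerossl.com`, ...), which a client typically resolves for OCSP/CRL or ACME traffic, not on a connection to an arbitrary host whose certificate happens to be issued by those CAs; the `description` ("connecting to domains using known free SSL certificates") and the "known encryption algorithm" sentence both misstate what the query observes. Suggest `Identifies unusual native Windows processes resolving the domains of free SSL certificate providers, which may indicate revocation or enrollment traffic for a certificate used to conceal command and control.` The `svchost.exe` exclusion is also where legitimate CryptoAPI revocation checks would normally originate, so recording it as a deliberate trade-off in a `note` would help reviewers of future changes.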


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "FTP (File Transfer Protocol) Activity to the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
"risk_score": 21,
"rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
"severity": "low",
@ -58,5 +58,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -0,0 +1,44 @@
{
"author": [
"Elastic"
],
"description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Potential Command and Control via Internet Explorer",
"query": "sequence by host.id, process.entity_id with maxspan = 1s\n [process where event.type:\"start\" and process.parent.name:\"iexplore.exe\" and process.parent.args:\"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol : \"dns\" and process.name:\"iexplore.exe\" and\n not wildcard(dns.question.name, \"*.microsoft.com\", \n \"*.digicert.com\", \n \"*.msocsp.com\", \n \"*.windowsupdate.com\", \n \"*.bing.com\",\n \"*.identrust.com\")\n ]\n",
"risk_score": 43,
"rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"reference": "https://attack.mitre.org/techniques/T1071/"
}
]
}
],
"type": "eql",
"version": 1
}
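Review bot: The sequence joins on `process.entity_id`, so the DNS event must come from the child `iexplore.exe` spawned by the `-Embedding` broker, and it must arrive within `maxspan = 1s` of that child's start; on a loaded host the first lookup from a freshly started tab process can exceed one second, so the window is likely tight enough to miss real cases. Consider `with maxspan = 5s` and a sentence in the `description` stating that the rule relies on IE's broker/tab process model, since that assumption is not obvious from the query.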


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
"risk_score": 47,
"rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa",
"severity": "medium",
@ -58,5 +58,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "TCP Port 8000 Activity to the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
"risk_score": 21,
"rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf",
"severity": "low",
@ -43,5 +43,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "Proxy Port Activity to the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
"risk_score": 47,
"rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
"severity": "medium",
@ -43,5 +43,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "RDP (Remote Desktop Protocol) from the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
"risk_score": 47,
"rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
"severity": "medium",
@ -73,5 +73,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -11,7 +11,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "Remote File Download via Desktopimgdownldr Utility",
"query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe or winlog.event_data.OriginalFileName:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
"query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
"references": [
"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
],
@ -43,5 +43,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
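Review bot: Dropping `winlog.event_data.OriginalFileName` removes the renamed-binary check for events that arrive from Winlogbeat without an ECS `process.pe.original_file_name` value; if the Winlogbeat/Sysmon module versions this rule targets populate that ECS field, the change is safe, otherwise a renamed `desktopimgdownldr.exe` seen through those sources now matches only on `process.name`. This deserves a sentence in the commit message or the rule `note`, as the same field was removed from the MpCmdRun rule in this commit.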


@ -12,7 +12,7 @@
"license": "Elastic License",
"name": "Remote File Download via MpCmdRun",
"note": "### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.",
"query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe or winlog.event_data.OriginalFileName:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
"query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
"references": [
"https://twitter.com/mohammadaskar2/status/1301263551638761477",
"https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
@ -45,5 +45,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
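Review bot: MpCmdRun parses its switches case-insensitively, but `process.args` is a keyword field, so the query matches only the two spellings `-DownloadFile`/`-downloadfile` and exactly lower-case `-url`/`-path`; `MpCmdRun.exe -DOWNLOADFILE -Url ... -Path ...` evades it. Consider an EQL version of the rule, where string matching with `:` is case-insensitive, or enumerate the common casings; failing that, document the limitation in the existing `note`.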


@ -0,0 +1,59 @@
{
"author": [
"Elastic"
],
"description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Remote File Download via PowerShell",
"query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where process.name : \"powershell.exe\" and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n not user.domain : \"NT AUTHORITY\"]\n [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n not file.name : \"__PSScriptPolicy*.ps1\"]\n",
"risk_score": 47,
"rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"reference": "https://attack.mitre.org/techniques/T1105/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1086",
"name": "PowerShell",
"reference": "https://attack.mitre.org/techniques/T1086/"
}
]
}
],
"type": "eql",
"version": 1
}
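Review bot: `T1086` (PowerShell) was deprecated in ATT&CK in 2020 in favour of `T1059.001` (Command and Scripting Interpreter: PowerShell), so the second `threat` entry should be `"id": "T1059"` with a `subtechnique` of `T1059.001`, using the sub-technique structure already present in the Cobalt Strike rule of this commit. Separately, `not user.domain : "NT AUTHORITY"` means a download by PowerShell running as SYSTEM or a service account is never alerted, which is exactly the context a post-exploitation implant often runs in; if this is an intentional noise trade-off, say so in a `note` and list the excluded domains there.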


@ -0,0 +1,44 @@
{
"author": [
"Elastic"
],
"description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Remote File Download via Script Interpreter",
"query": "sequence by host.id, process.entity_id\n [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction == \"outgoing\" and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
"risk_score": 43,
"rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Command and Control"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"reference": "https://attack.mitre.org/techniques/T1105/"
}
]
}
],
"type": "eql",
"version": 1
}
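Review bot: The sequence has no `maxspan`, so an executable written by the same `wscript.exe`/`cscript.exe` process at any later point in its lifetime is joined to an earlier connection, while the first step also requires `network.type == "ipv4"`, which leaves downloads over IPv6 entirely unobserved. Suggest `sequence by host.id, process.entity_id with maxspan=30s`, in line with the PowerShell rule of this commit, and dropping the `ipv4` restriction in favour of a loopback exclusion that also covers `::1`.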


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "SMTP to the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
"risk_score": 21,
"rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4",
"severity": "low",
@ -58,5 +58,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "SQL Traffic to the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
"risk_score": 47,
"rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd",
"severity": "medium",
@ -43,5 +43,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "SSH (Secure Shell) from the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
"risk_score": 47,
"rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17",
"severity": "medium",
@ -73,5 +73,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "SSH (Secure Shell) to the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
"query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
"risk_score": 21,
"rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
"severity": "low",
@ -43,5 +43,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "Tor Activity to the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")",
"risk_score": 47,
"rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
"severity": "medium",
@ -38,25 +38,22 @@
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"reference": "https://attack.mitre.org/techniques/T1188/"
"id": "T1090",
"name": "Proxy",
"reference": "https://attack.mitre.org/techniques/T1090/",
"subtechnique": [
{
"id": "T1090.003",
"name": "Multi-hop Proxy",
"reference": "https://attack.mitre.org/techniques/T1090/003/"
}
]
}
]
}
],
"type": "query",
"version": 5
"version": 6
}
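Review bot: `T1043` (Commonly Used Port) was deprecated in ATT&CK in 2020, so keeping it next to the newly added `T1090.003` sub-technique leaves a retired identifier in the mapping; this restructure is the natural place to drop it, or to replace it with `T1571` (Non-Standard Port) if that is the intended meaning. Merging both techniques under a single Command and Control tactic entry is otherwise consistent with how the other rules in this commit are structured.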


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "VNC (Virtual Network Computing) from the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" ) and destination.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 )",
"risk_score": 73,
"rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
"severity": "high",
@ -58,5 +58,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "VNC (Virtual Network Computing) to the Internet",
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
"query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" )",
"risk_score": 47,
"rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
"severity": "medium",
@ -43,5 +43,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs.",
"description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.",
"index": [
"filebeat-*",
"logs-okta*"
@ -10,7 +10,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "Attempted Bypass of Okta MFA",
"note": "The Okta Filebeat module must be enabled to use this rule.",
"note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
"references": [
"https://developer.okta.com/docs/reference/api/system-log/",
@ -45,5 +45,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}


@ -11,7 +11,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "Attempts to Brute Force an Okta User Account",
"note": "The Okta Filebeat module must be enabled to use this rule.",
"note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:okta.system and event.action:user.account.lock",
"references": [
"https://developer.okta.com/docs/reference/api/system-log/",
@ -50,5 +50,5 @@
"value": 3
},
"type": "threshold",
"version": 1
"version": 2
}


@ -0,0 +1,47 @@
{
"author": [
"Elastic"
],
"description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Potential Credential Access via Windows Utilities",
"query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Cisco Systems\\\\*.exe\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable : \"C:\\\\Program Files*\\\\Steam\\\\*.exe\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n",
"references": [
"https://lolbas-project.github.io/"
],
"risk_score": 73,
"rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"reference": "https://attack.mitre.org/techniques/T1003/"
}
]
}
],
"type": "eql",
"version": 1
}
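Review bot: In the `query`, EQL binds `and` more tightly than `or`, so `event.type in ("start", "process_started")` applies only to the first `procdump` branch and every following `or (…)` branch matches a process event of any `event.type` — including the `info` enumeration events that L1939 lists as a distinct process event type — so the rule will fire on already-running processes, not just new executions. Wrap the whole disjunction: start the line after the `/* update here … */` comment with `(` and close it after the final `process.args : "/s")` branch, i.e. `… and\n(\n(process.pe.original_file_name == "procdump" …) or … (… "/s")\n)`. The sibling EQL rules in this commit (L933, L1003, L1660) avoid the problem by using only `and` at the top level, so this is the one rule where the parenthesisation matters.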


@ -0,0 +1,48 @@
{
"author": [
"Elastic"
],
"description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"max_signals": 33,
"name": "NTDS or SAM Database File Copied",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\") and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\")\n",
"references": [
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"
],
"risk_score": 73,
"rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"reference": "https://attack.mitre.org/techniques/T1003/"
}
]
}
],
"type": "eql",
"version": 1
}
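Review bot: The third `process.args` pattern, `"\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*"`, matches a copy of any file out of a volume shadow copy, not only `ntds.dit` or `SAM`, so the rule is wider than the `description` states and backup or recovery tooling that reads from shadow copies will alert too. Either narrow that pattern to the two file names or say so in the description and add a `false_positives` entry such as `Backup or recovery software that copies files out of volume shadow copies will trigger this rule.` The rule also has no `false_positives` field at all, unlike the Microsoft 365 rules added in the same commit.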


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "Microsoft Build Engine Loading Windows Credential Libraries",
"query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
"query": "event.category:process and event.type:change and (process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
"risk_score": 73,
"rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
"severity": "high",
@ -43,5 +43,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}
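Review bot: The replacement clause `process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL)` looks misplaced for a library-load event (`event.type:change`): `process.pe.*` describes the process doing the loading — presumably MSBuild.exe, given the trailing `process.name: MSBuild.exe` — while the value tested is the name of the loaded DLL, so this branch may never match and the rule would effectively rest on `dll.name` alone. The removed `winlog.event_data.OriginalFileName` did carry the loaded module's name; confirm against the winlogbeat Sysmon and Endpoint mappings which ECS field now holds it (a `dll.pe.*` field, if one is populated) and test against that instead. If the branch is kept only for forward compatibility, a one-line `note` saying which data source populates it would stop the next reader from making the same assumption.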


@ -0,0 +1,47 @@
{
"author": [
"Elastic"
],
"description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Credential Acquisition via Registry Hive Dumping",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\") and\n not process.parent.executable : \"C:\\\\Program Files*\\\\Rapid7\\\\Insight Agent\\\\components\\\\insight_agent\\\\*\\\\ir_agent.exe\"\n \n",
"references": [
"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8"
],
"risk_score": 73,
"rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"reference": "https://attack.mitre.org/techniques/T1003/"
}
]
}
],
"type": "eql",
"version": 1
}
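Review bot: `process.args : ("hklm\\sam", "hklm\\security")` is an exact, case-insensitive match on one argument, so the long-form hive spelling `HKEY_LOCAL_MACHINE\SAM` that reg.exe documents as equivalent is not covered and the rule is narrower than its `description` claims; add the `HKEY_LOCAL_MACHINE\\sam` and `HKEY_LOCAL_MACHINE\\security` spellings to the list so both documented forms are detected. The query string also ends in `\n \n`, a stray whitespace-only line that none of the other new queries in this commit carry; trim it so the rule file round-trips cleanly through the repository's formatter.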


@ -8,11 +8,11 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "lucene",
"language": "eql",
"license": "Elastic License",
"max_signals": 33,
"name": "Microsoft IIS Service Account Password Dumped",
"query": "event.category:process AND event.type:(start OR process_started) AND (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) AND process.args:(/[lL][iI][sS][tT]/ AND /\\/[tT][eE][xX][tT]\\:[pP][aA][sS][sS][wW][oO][rR][dD]/)",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n process.args : \"/list\" and process.args : \"/text*password\"\n",
"references": [
"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
],
@ -43,6 +43,6 @@
]
}
],
"type": "query",
"version": 1
"type": "eql",
"version": 2
}


@ -8,11 +8,11 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"max_signals": 33,
"name": "Microsoft IIS Connection Strings Decryption",
"query": "event.category:process and event.type:(start or process_started) and (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe or winlog.event_data.OriginalFileName:aspnet_regiis.exe) and process.args:(connectionStrings and \"-pdf\")",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
"references": [
"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
@ -44,6 +44,6 @@
]
}
],
"type": "query",
"version": 1
"type": "eql",
"version": 2
}


@ -0,0 +1,47 @@
{
"author": [
"Elastic"
],
"description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.",
"false_positives": [
"HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."
],
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Kerberos Traffic from Unusual Process",
"query": "network where event.type == \"start\" and network.direction == \"outgoing\" and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert False Positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n",
"risk_score": 43,
"rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1558",
"name": "Steal or Forge Kerberos Tickets",
"reference": "https://attack.mitre.org/techniques/T1558/"
}
]
}
],
"type": "eql",
"version": 1
}
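Review bot: `process.executable != "C:\\Windows\\System32\\lsass.exe"` is a case-sensitive comparison, so if the data source reports the path with different casing (a lower-case drive letter or `system32`, for example) lsass.exe itself passes the exclusion and the rule alerts on every Kerberos exchange from the host; the other new rules in this commit filter paths with the case-insensitive `:` (L1003, L1939), so `not process.executable : "C:\\Windows\\System32\\lsass.exe"` is the consistent and safer form. `network.direction == "outgoing"` is likewise an exact string; ECS appears to document `egress`/`outbound` for this field while Endpoint emits `outgoing`, so confirm the value against the sources listed in `index` or the rule will silently match nothing on one of them.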


@ -0,0 +1,48 @@
{
"author": [
"Elastic"
],
"description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License",
"name": "LSASS Memory Dump Creation",
"query": "event.category:file and file.name:(lsass.DMP or lsass*.dmp or dumpert.dmp or Andrew.dmp or SQLDmpr*.mdmp or Coredump.dmp)",
"references": [
"https://github.com/outflanknl/Dumpert",
"https://github.com/hoangprod/AndrewSpecial"
],
"risk_score": 73,
"rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"reference": "https://attack.mitre.org/techniques/T1003/"
}
]
}
],
"type": "query",
"version": 1
}
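Review bot: The query has no `event.type` clause, so despite the `name` and `description` saying "creation", any file event on these names — deletion, rename or attribute change, including the clean-up of a legitimate dump — produces an alert; add `event.type:creation`, which the file rules added in the same commit already rely on in its `deletion` form (L1585, L1893). If `file.name` is a plain keyword field the values are also matched case-sensitively, so `lsass.DMP` and `lsass*.dmp` cover two spellings but not, say, `LSASS.dmp`; either list the variants explicitly or note the limitation in the description.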


@ -0,0 +1,52 @@
{
"author": [
"Elastic"
],
"description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
"false_positives": [
"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
],
"from": "now-30m",
"index": [
"filebeat-*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Attempts to Brute Force a Microsoft 365 User Account",
"note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure",
"risk_score": 73,
"rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
"severity": "high",
"tags": [
"Elastic",
"Cloud",
"Microsoft 365",
"Continuous Monitoring",
"SecOps",
"Identity and Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1110",
"name": "Brute Force",
"reference": "https://attack.mitre.org/techniques/T1110/"
}
]
}
],
"threshold": {
"field": "user.id",
"value": 10
},
"type": "threshold",
"version": 1
}
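Review bot: The `description` omits the condition the rule actually applies — 10 failed logins for one `user.id` within the `now-30m` window — while the sibling password-spraying rule added alongside it (L1256) spells out its "(25) … within 30 minutes"; mirror that wording here, e.g. `Identifies a high number (10) of failed Microsoft 365 user authentication attempts for a single user within 30 minutes, which could be indicative of a brute force attack.` The two rules share a byte-identical `query` and differ only in the `threshold.field`, so a sentence in each `note` naming the other would make the pairing explicit and keep future edits to the query in sync.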


@ -0,0 +1,52 @@
{
"author": [
"Elastic"
],
"description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.",
"false_positives": [
"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
],
"from": "now-30m",
"index": [
"filebeat-*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Potential Password Spraying of Microsoft 365 User Accounts",
"note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure",
"risk_score": 73,
"rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d",
"severity": "high",
"tags": [
"Elastic",
"Cloud",
"Microsoft 365",
"Continuous Monitoring",
"SecOps",
"Identity and Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1110",
"name": "Brute Force",
"reference": "https://attack.mitre.org/techniques/T1110/"
}
]
}
],
"threshold": {
"field": "source.ip",
"value": 25
},
"type": "threshold",
"version": 1
}


@ -13,7 +13,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "Okta Brute Force or Password Spraying Attack",
"note": "The Okta Filebeat module must be enabled to use this rule.",
"note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure",
"references": [
"https://developer.okta.com/docs/reference/api/system-log/",
@ -52,5 +52,5 @@
"value": 25
},
"type": "threshold",
"version": 2
"version": 3
}


@ -0,0 +1,51 @@
{
"author": [
"Elastic"
],
"description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Potential SSH Brute Force Detected",
"query": "event.category:process and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd",
"references": [
"https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"
],
"risk_score": 47,
"rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"macOS",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1110",
"name": "Brute Force",
"reference": "https://attack.mitre.org/techniques/T1110/"
}
]
}
],
"threshold": {
"field": "host.id",
"value": 20
},
"type": "threshold",
"version": 1
}
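Review bot: The rule counts `sshd-keygen-wrapper` spawns per `host.id`, which presumably happen for every inbound SSH connection whether or not authentication fails, so a host that legitimately accepts more than 20 connections within the `now-9m` window alerts without any brute forcing; unlike the Microsoft 365 rules in this commit (L1201) there is no `false_positives` entry saying so. Add one such as `Hosts that receive a high volume of legitimate SSH connections, for example automation, CI or monitoring systems, may exceed the threshold.` and, if the referenced write-up confirms the one-process-per-connection behaviour, state it in the description so the threshold can be tuned with that in mind.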


@ -0,0 +1,48 @@
{
"author": [
"Elastic"
],
"description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Prompt for Credentials with OSASCRIPT",
"query": "process where event.type in (\"start\", \"process_started\") and process.name:\"osascript\" and process.args:\"-e\" and process.args:\"password\"\n",
"references": [
"https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
"https://ss64.com/osx/osascript.html"
],
"risk_score": 73,
"rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
"severity": "high",
"tags": [
"Elastic",
"Host",
"macOS",
"Threat Detection",
"Credential Access"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1056",
"name": "Input Capture",
"reference": "https://attack.mitre.org/techniques/T1056/"
}
]
}
],
"type": "eql",
"version": 1
}
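Review bot: `process.args:"password"` without a wildcard requires an argument that is exactly `password`, but with `osascript -e` the entire AppleScript statement is passed as one argument, so a dialog script that merely contains the word never matches and the rule is effectively dead; `process.args : "*password*"` is the intended test. The `description` also says scripts are executed "via standard input" while the query keys on `-e` (an inline script), and a process given `-e` does not read its script from stdin; reword to `Identifies the use of osascript to execute inline scripts (-e) that may prompt a user with a rogue dialog for credentials.` unless stdin execution is meant to be covered, in which case this query cannot see it and the description should say so.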


@ -0,0 +1,47 @@
{
"author": [
"Elastic"
],
"description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Attempt to Remove File Quarantine Attribute",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name == \"xattr\" and process.args == \"com.apple.quarantine\" and process.args == \"-d\"\n",
"references": [
"https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html"
],
"risk_score": 43,
"rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"macOS",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
}
]
}
],
"type": "eql",
"version": 1
}
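Review bot: The `threat` mapping cites T1089 "Disabling Security Tools", which MITRE deprecated in ATT&CK v7 in favour of the sub-technique T1562.001 (Impair Defenses: Disable or Modify Tools); a newly added rule should map to the current identifier, and the same mapping is used by "Remote Desktop Enabled in Windows Firewall" (L1681) in this commit. Confirm which ATT&CK version the repository's schema validation pins before changing it, since the older rules in the corpus may still carry T1089 and a mixed state is worse than a consistently stale one.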


@ -38,17 +38,7 @@
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"reference": "https://attack.mitre.org/techniques/T1140/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
@ -58,5 +48,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}


@ -38,17 +38,7 @@
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"reference": "https://attack.mitre.org/techniques/T1140/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
@ -58,5 +48,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
"description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
"from": "now-9m",
"index": [
"winlogbeat-*",
@ -11,7 +11,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "Clearing Windows Event Logs",
"query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
"query": "event.category:process and event.type:(process_started or start) and (process.name:\"wevtutil.exe\" or process.pe.original_file_name:\"wevtutil.exe\") and process.args:(\"/e:false\" or cl or \"clear-log\") or process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"",
"risk_score": 21,
"rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
"severity": "low",
@ -40,5 +40,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}
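Review bot: The rewritten `query` keeps the `A and B or C and D` shape, and KQL binds `and` more tightly than `or`, so the `process.name:"powershell.exe" and process.args:"Clear-EventLog"` branch is not constrained by `event.category:process and event.type:(…)` at all; factor the common prefix in front of a single parenthesised alternative, `event.category:process and event.type:(process_started or start) and ((process.name:"wevtutil.exe" or process.pe.original_file_name:"wevtutil.exe") and process.args:("/e:false" or cl or "clear-log") or process.name:"powershell.exe" and process.args:"Clear-EventLog")`. The new `description` also misspells the tool as `wevetutil`; the binary named in the query is `wevtutil`, so the sentence should read `…using the Windows wevtutil command…`.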


@ -0,0 +1,47 @@
{
"author": [
"Elastic"
],
"description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.",
"from": "now-9m",
"index": [
"auditbeat-*",
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "WebServer Access Logs Deleted",
"query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\", \n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\", \n \"/var/log/httpd/access_log\", \n \"/var/www/*/logs/access.log\")\n",
"risk_score": 47,
"rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Linux",
"Windows",
"macOS",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/"
}
]
}
],
"type": "eql",
"version": 1
}


@ -8,10 +8,10 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Suspicious .NET Code Compilation",
"query": "event.category:process and event.type:(start or process_started) and process.name:(csc.exe or vbc.exe) and process.parent.name:(wscript.exe or mshta.exe or wscript.exe or wmic.exe or svchost.exe or rundll32.exe or cmstp.exe or regsvr32.exe)",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n",
"risk_score": 47,
"rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c",
"severity": "medium",
@ -39,6 +39,6 @@
]
}
],
"type": "query",
"version": 1
"type": "eql",
"version": 2
}


@ -0,0 +1,44 @@
{
"author": [
"Elastic"
],
"description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Remote Desktop Enabled in Windows Firewall",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n",
"risk_score": 47,
"rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
}
]
}
],
"type": "eql",
"version": 1
}


@ -0,0 +1,47 @@
{
"author": [
"Elastic"
],
"description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "ImageLoad via Windows Update Auto Update Client",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n",
"references": [
"https://dtm.uk/wuauclt/"
],
"risk_score": 47,
"rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"reference": "https://attack.mitre.org/techniques/T1218/"
}
]
}
],
"type": "eql",
"version": 1
}


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "Microsoft Build Engine Using an Alternate Name",
"query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
"query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:MSBuild.exe and not process.name: MSBuild.exe",
"risk_score": 21,
"rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
"severity": "low",
@ -43,5 +43,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}


@ -11,7 +11,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "Potential DLL SideLoading via Trusted Microsoft Programs",
"query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) or winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE)) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))",
"query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))",
"risk_score": 73,
"rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd",
"severity": "high",
@ -40,5 +40,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}


@ -38,17 +38,7 @@
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"reference": "https://attack.mitre.org/techniques/T1140/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
@ -58,5 +48,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}


@ -0,0 +1,44 @@
{
"author": [
"Elastic"
],
"description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Encoded Executable Stored in the Registry",
"query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n",
"risk_score": 47,
"rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"reference": "https://attack.mitre.org/techniques/T1140/"
}
]
}
],
"type": "eql",
"version": 1
}


@ -12,7 +12,7 @@
"license": "Elastic License",
"max_signals": 33,
"name": "IIS HTTP Logging Disabled",
"query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe",
"query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe",
"risk_score": 73,
"rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
"severity": "high",
@ -41,5 +41,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}


@ -0,0 +1,47 @@
{
"author": [
"Elastic"
],
"description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "System Log File Deletion",
"query": "file where event.type == \"deletion\" and \n file.path : \n (\n \"/var/run/utmp\", \n \"/var/log/wtmp\", \n \"/var/log/btmp\", \n \"/var/log/lastlog\", \n \"/var/log/faillog\",\n \"/var/log/syslog\", \n \"/var/log/messages\", \n \"/var/log/secure\", \n \"/var/log/auth.log\"\n )\n",
"references": [
"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"
],
"risk_score": 47,
"rule_id": "aa895aea-b69c-4411-b110-8d7599634b30",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Linux",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/"
}
]
}
],
"type": "eql",
"version": 1
}
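Review bot: `file.path` is matched against the literal `/var/run/utmp`, but on most current Linux distributions `/var/run` is a symlink to `/run`, and a data source that reports the resolved path will emit `/run/utmp`, which the list does not contain; add `"/run/utmp"` next to it, and confirm whether auditbeat and Endpoint report canonical or as-given paths before relying on either spelling alone. The query string also carries trailing spaces after several commas (`"/var/run/utmp", \n`), harmless to EQL but inconsistent with the other new queries in the commit.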


@ -8,10 +8,10 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Suspicious Endpoint Security Parent Process",
"query": "event.category:process and event.type:(start or process_started) and process.name:(esensor.exe or \"elastic-endpoint.exe\" or \"elastic-agent.exe\") and not process.parent.executable:\"C:\\Windows\\System32\\services.exe\"",
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\", \n \"C:\\\\Windows\\\\System32\\\\services.exe\", \n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\", \n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n",
"risk_score": 47,
"rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
"severity": "medium",
@ -39,6 +39,6 @@
]
}
],
"type": "query",
"version": 1
"type": "eql",
"version": 2
}
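Review bot: The rewritten `query` narrows the monitored binaries to `esensor.exe` and `elastic-endpoint.exe`, dropping `elastic-agent.exe` that the previous kuery version matched, and neither the description nor a `note` explains the reduced scope. The exclusion `"C:\\Program Files\\Elastic\\*"` is a prefix wildcard that trusts any executable anywhere under that tree as a parent, which is far broader than the single-path exclusions beside it; naming the specific Agent and Endpoint install directories would keep the carve-out tight. The `/* add FPs here */` comment is shipped inside the query itself, while the `note` field is where the other rules in this commit put tuning guidance.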


@ -2,16 +2,16 @@
"author": [
"Elastic"
],
"description": "Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable to avoid detection.",
"description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "lucene",
"language": "eql",
"license": "Elastic License",
"name": "Renamed AutoIt Scripts Interpreter",
"query": "event.category:process AND event.type:(start OR process_started) AND (process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/ OR winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/) AND NOT process.name:/[aA][uU][tT][oO][iI][tT]\\d{1,3}\\.[eE][xX][eE]/",
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
"risk_score": 47,
"rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
"severity": "medium",
@ -39,6 +39,6 @@
]
}
],
"type": "query",
"version": 1
"type": "eql",
"version": 2
}
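Review bot: The new `query` keeps only `process.pe.original_file_name`, whereas the replaced lucene version also checked `winlog.event_data.OriginalFileName`; if Sysmon events in the `winlogbeat-*` index are not mapped to `process.pe.original_file_name`, those events stop matching after this change. Either confirm that mapping exists for that index or keep the alternative, e.g. `(process.pe.original_file_name : "AutoIt*.exe" or winlog.event_data.OriginalFileName : "AutoIt*.exe")`. The wildcard `AutoIt*.exe` also accepts any suffix where the old pattern required a single digit, which widens both the match and the `not process.name` exclusion in the same step.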


@ -0,0 +1,44 @@
{
"author": [
"Elastic"
],
"description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections whitelisting those folders.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Program Files Directory Masquerading",
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* capture both fake program files directory in process executable as well as if passed in process args as a dll*/\n process.args : (\"C:\\\\*Program*Files*\\\\*\", \"C:\\\\*Program*Files*\\\\*\") and\n not process.args : (\"C:\\\\Program Files\\\\*\", \"C:\\\\Program Files (x86)\\\\*\")\n",
"risk_score": 43,
"rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1036",
"name": "Masquerading",
"reference": "https://attack.mitre.org/techniques/T1036/"
}
]
}
],
"type": "eql",
"version": 1
}
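Review bot: The comment inside the new `query` says it captures the fake directory both in the process executable and in the arguments, but the condition only tests `process.args`, and the two list entries `"C:\\*Program*Files*\\*"` are identical. To match the comment, test both fields, for example `(process.executable : "C:\\*Program*Files*\\*" or process.args : "C:\\*Program*Files*\\*") and not process.executable : ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*")` alongside the existing `not process.args` exclusion, and drop the duplicate entry. ECS documents `process.args` as starting with the executable path, which is presumably why the current form still catches the executable case — worth confirming for both data sources before relying on it.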


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Identifies a suspicious WerFault command line parameter, which may indicate an attempt to run unnoticed.",
"description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.",
"false_positives": [
"Legit Application Crash with rare Werfault commandline value"
],
@ -11,13 +11,14 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Process Potentially Masquerading as WerFault",
"query": "event.category:process and event.type:(start or process_started) and process.name:WerFault.exe and not process.args:(((\"-u\" or \"-pss\") and \"-p\" and \"-s\") or (\"/h\" and \"/shared\") or (\"-k\" and \"-lcq\"))",
"name": "Potential Windows Error Manager Masquerading",
"query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction == \"outgoing\" and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n",
"references": [
"https://twitter.com/SBousseaden/status/1235533224337641473",
"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/"
"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"
],
"risk_score": 47,
"rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8",
@ -46,6 +47,6 @@
]
}
],
"type": "query",
"version": 1
"type": "eql",
"version": 2
}
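Review bot: The `false_positives` entry `"Legit Application Crash with rare Werfault commandline value"` is left unchanged, but the rewritten `query` no longer inspects command-line switches; it sequences a `wermgr.exe`/`WerFault.exe` start with `process.args_count == 1` and a non-DNS outgoing connection, so the stated false positive no longer describes what the rule matches. Reword it along the lines of `"Legitimate Windows Error Reporting instances started without arguments that report to Microsoft endpoints"` and reconsider whether the two command-line-switch references still belong. Excluding only `::1` and `127.0.0.1` still lets the rest of `127.0.0.0/8` match; if `cidrMatch` is available in the EQL version in use, a CIDR check on `destination.ip` would be tighter.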


@ -0,0 +1,52 @@
{
"author": [
"Elastic"
],
"description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.",
"false_positives": [
"A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"from": "now-30m",
"index": [
"filebeat-*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Microsoft 365 Exchange DLP Policy Removed",
"note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success",
"references": [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
"https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"
],
"risk_score": 47,
"rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25",
"severity": "medium",
"tags": [
"Elastic",
"Cloud",
"Microsoft 365",
"Continuous Monitoring",
"SecOps",
"Configuration Audit"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/"
}
]
}
],
"type": "query",
"version": 1
}
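Review bot: The `note` says the rule works with the Microsoft 365 Fleet integration or the Filebeat module, but `index` lists only `filebeat-*`; data ingested through the Fleet integration is written to a `logs-*` data stream (presumably `logs-o365*`, to be confirmed) rather than `filebeat-*`, so with this pattern the rule never sees it. Either add the integration's data stream to `index` or narrow the note to the Filebeat module. The same `note`/`index` mismatch appears in the Microsoft 365 Exchange Malware Filter Policy Deletion, Malware Filter Rule Modification and Safe Attachment Rule Disabled rules in this commit.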


@ -0,0 +1,51 @@
{
"author": [
"Elastic"
],
"description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.",
"false_positives": [
"A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"from": "now-30m",
"index": [
"filebeat-*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success",
"references": [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps"
],
"risk_score": 47,
"rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb",
"severity": "medium",
"tags": [
"Elastic",
"Cloud",
"Microsoft 365",
"Continuous Monitoring",
"SecOps",
"Configuration Audit"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/"
}
]
}
],
"type": "query",
"version": 1
}


@ -0,0 +1,52 @@
{
"author": [
"Elastic"
],
"description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.",
"false_positives": [
"A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"from": "now-30m",
"index": [
"filebeat-*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success",
"references": [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps"
],
"risk_score": 47,
"rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2",
"severity": "medium",
"tags": [
"Elastic",
"Cloud",
"Microsoft 365",
"Continuous Monitoring",
"SecOps",
"Configuration Audit"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/"
}
]
}
],
"type": "query",
"version": 1
}
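Review bot: The `false_positives` text only says a rule "may be deleted", while the `query` and the description also cover `Disable-MalwareFilterRule`; an analyst tuning out expected disables will not find that case documented. Reword it to `"A malware filter rule may be deleted or disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."` so the documentation tracks both actions the query matches.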


@ -0,0 +1,51 @@
{
"author": [
"Elastic"
],
"description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.",
"false_positives": [
"A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"from": "now-30m",
"index": [
"filebeat-*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success",
"references": [
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
],
"risk_score": 21,
"rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
"severity": "low",
"tags": [
"Elastic",
"Cloud",
"Microsoft 365",
"Continuous Monitoring",
"SecOps",
"Configuration Audit"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/"
}
]
}
],
"type": "query",
"version": 1
}
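Review bot: The `query` matches only `Disable-SafeAttachmentRule`, whereas the sibling Malware Filter Rule Modification rule in this commit covers both the remove and disable cmdlets; removing a safe attachment rule (`Remove-SafeAttachmentRule`) has the same effect on coverage and is presumably logged the same way, so it is worth adding as `event.action:("Disable-SafeAttachmentRule" or "Remove-SafeAttachmentRule")`. The description frames the behaviour as data exfiltration or defence evasion, yet `risk_score` is 21 / `severity` low while the other Exchange policy rules here are 47 / medium; if the lower rating is deliberate a sentence in the description would help reviewers understand the difference.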


@ -0,0 +1,47 @@
{
"author": [
"Elastic"
],
"description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Port Forwarding Rule Addition",
"query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n",
"references": [
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"
],
"risk_score": 47,
"rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
}
]
}
],
"type": "eql",
"version": 1
}
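Review bot: The `query` has no `event.type` or `event.action` constraint, so any registry event under the `PortProxy\v4tov4` key — including removal of an existing entry — fires a rule named "Port Forwarding Rule Addition"; constraining it to the event type the data source reports for a value write (e.g. `event.type == "change"`) would align the match with the name. The ATT&CK mapping to T1089 "Disabling Security Tools" does not describe a port-proxy rule; given the description's focus on bypassing network segmentation, a proxy technique (T1090) looks like the closer fit, to be confirmed against the ATT&CK version the repository tracks. Only the `v4tov4` subkey is listed, while `netsh portproxy` also stores v4-to-v6 and v6 variants in sibling subkeys, which this pattern presumably misses.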


@ -0,0 +1,47 @@
{
"author": [
"Elastic"
],
"description": "Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Potential Process Herpaderping Attempt",
"query": "sequence with maxspan=5s\n [process where event.type == \"start\" and not process.parent.executable : \"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\"] by host.id, process.executable, process.parent.entity_id\n [file where event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n",
"references": [
"https://github.com/jxy-s/herpaderping"
],
"risk_score": 73,
"rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1036",
"name": "Masquerading",
"reference": "https://attack.mitre.org/techniques/T1036/"
}
]
}
],
"type": "eql",
"version": 1
}
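Review bot: The first stage of the new `query` uses `event.type == "start"` only, while the other process rules in this commit that also target `winlogbeat-*` match `event.type in ("start", "process_started")`; if winlogbeat events carry `process_started`, this rule silently never matches them. The second stage requires a file event with `event.action == "overwrite"`, which is presumably an Endpoint-only signal, so if winlogbeat cannot satisfy it the `winlogbeat-*` entry in `index` is misleading and should be dropped or explained in a `note`. The same `event.type` narrowing appears in the High Number of Process and/or Service Terminations rule (`event.type:start`) in this commit.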


@ -0,0 +1,43 @@
{
"author": [
"Elastic"
],
"description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Process Termination followed by Deletion",
"query": "sequence by host.id with maxspan=5s\n [process where event.type == \"end\" and \n process.code_signature.trusted == false and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\")] by file.path\n",
"risk_score": 47,
"rule_id": "09443c92-46b3-45a4-8f25-383b028b258d",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/"
}
]
}
],
"type": "eql",
"version": 1
}
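Review bot: `process.code_signature.trusted == false` in the new `query` only matches events where the field is present and false; binaries that carry no signature at all typically have no `process.code_signature` fields, and an EQL comparison against a missing field does not match, so the unsigned tools the description targets are likely excluded. If the EQL version in use supports null checks, `(process.code_signature.trusted == false or process.code_signature.trusted == null)` would cover both cases — worth confirming with a sample event from an unsigned executable. The rule has no `false_positives` entry even though installers and updaters that delete their own temporary executables will plausibly trigger the sequence.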


@ -11,7 +11,7 @@
"language": "eql",
"license": "Elastic License",
"name": "Unusual Child Processes of RunDLL32",
"query": "sequence with maxspan=1h\n [process where event.type in (\"start\", \"process_started\") and\n /* uncomment once in winlogbeat */\n (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ ) and\n process.args_count < 2\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n",
"query": "sequence with maxspan=1h\n [process where event.type in (\"start\", \"process_started\") and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n",
"risk_score": 21,
"rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
"severity": "high",
@ -40,5 +40,5 @@
}
],
"type": "eql",
"version": 1
"version": 2
}
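Review bot: In the new `query`, `process.pe.original_file_name == "RUNDLL32.EXE"` is a case-sensitive comparison next to the case-insensitive `process.name : "rundll32.exe"`; the Renamed AutoIt Scripts Interpreter rule in this commit compares the same field with `:`, so `process.pe.original_file_name : "RUNDLL32.EXE"` here would keep the two rules consistent and tolerate casing differences between data sources. The move from `process.args_count < 2` to `== 1` also drops events that report zero arguments; if that is deliberate, one sentence in the description would save the next reader the question. The rest of the rule document lies outside this hunk.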

View file

@ -0,0 +1,47 @@
{
"author": [
"Elastic"
],
"description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Scheduled Tasks AT Command Enabled",
"query": "registry where \n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and registry.data.strings == \"1\"\n",
"references": [
"https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"
],
"risk_score": 47,
"rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
}
]
}
],
"type": "eql",
"version": 1
}
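Review bot: The description says attackers use the AT command to move laterally or persist, but the ATT&CK mapping is T1089 "Disabling Security Tools" under Defense Evasion, which does not describe enabling a scheduler; the Scheduled Task/Job technique (T1053) matches the stated behaviour, and the `tags` entry should follow whichever tactic is chosen. This commit also maps similar "impair defenses" behaviour to T1562 in the Microsoft 365 rules while using T1089 here and in the Port Forwarding and Process Terminations rules; aligning on one identifier would keep the rule set coherent, presumably the newer one.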


@ -8,11 +8,11 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "lucene",
"language": "eql",
"license": "Elastic License",
"name": "Potential Secure File Deletion via SDelete Utility",
"note": "Verify process details such as command line and hash to confirm this activity legitimacy.",
"query": "event.category:file AND event.type:change AND file.name:/.+A+\\.AAA/",
"query": "file where event.type == \"change\" and wildcard(file.name,\"*AAA.AAA\")\n",
"risk_score": 21,
"rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
"severity": "low",
@ -40,6 +40,6 @@
]
}
],
"type": "query",
"version": 1
"type": "eql",
"version": 2
}
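Review bot: The new `wildcard(file.name,"*AAA.AAA")` requires at least three `A`s before the extension, whereas the replaced regex `/.+A+\.AAA/` accepted one or more; if the renaming pattern follows the length of the original file name, as the old pattern allowed for, one- and two-character names fall out of coverage with this change. `wildcard(file.name, "*A.AAA")` would preserve the previous breadth with the same wildcard form. The `note` still directs the analyst to command line and hash, which is process-level context; since this rule now fires on a file rename, the `file.path` of the renamed file is the useful pivot and the note could say so.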


@ -0,0 +1,48 @@
{
"author": [
"Elastic"
],
"description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period. This may indicate a defense evasion attempt.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License",
"name": "High Number of Process and/or Service Terminations",
"query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")",
"risk_score": 47,
"rule_id": "035889c4-2686-4583-a7df-67f89c292f2c",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
}
]
}
],
"threshold": {
"field": "host.id",
"value": 10
},
"type": "threshold",
"version": 1
}


@ -14,7 +14,7 @@
"language": "kuery",
"license": "Elastic License",
"name": "High Number of Okta User Password Reset or Unlock Attempts",
"note": "The Okta Filebeat module must be enabled to use this rule.",
"note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)",
"references": [
"https://developer.okta.com/docs/reference/api/system-log/",
@ -83,5 +83,5 @@
"value": 5
},
"type": "threshold",
"version": 1
"version": 2
}


@ -0,0 +1,44 @@
{
"author": [
"Elastic"
],
"description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Suspicious PowerShell Engine ImageLoad",
"query": "library where file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\", \"C:\\\\Program Files*\\\\*.exe\") and\n not process.name : (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n",
"risk_score": 47,
"rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1086",
"name": "PowerShell",
"reference": "https://attack.mitre.org/techniques/T1086/"
}
]
}
],
"type": "eql",
"version": 1
}
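Review bot: The exclusion `"C:\\Program Files*\\*"` in the new `query` is a prefix wildcard that also matches look-alike sibling directories (a constructed example: `C:\Program Files Fake\tool.exe`), which is exactly the path pattern the Program Files Directory Masquerading rule in this commit alerts on; use the two explicit roots that rule uses, `("C:\\Program Files\\*", "C:\\Program Files (x86)\\*")`. Because `:` is case-insensitive, `"msiexec.exe"` and `"MsiExec.exe"` in the `process.name` list are duplicates, and `sdiagnhost.exe` is already excluded by full path in `process.executable`, so one of its two entries is redundant. The `/* add false positives relevant to your environment here */` comment is better placed in a `note`, as the other rules here do.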


@ -3,18 +3,15 @@
"Elastic"
],
"description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.",
"false_positives": [
"New Zoom Executable"
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Suspicious Zoom Child Process",
"query": "event.category:process and event.type:(start or process_started) and process.parent.name:Zoom.exe and not process.name:(Zoom.exe or WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or cpthost.exe or CptInstall.exe or CptService.exe or Installer.exe or zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or APcptControl.exe or CrashSender*.exe or aomhost64.exe or Magnify.exe or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or RoomConnector.exe or tabtip.exe or Explorer.exe or chrome.exe or firefox.exe or iexplore.exe or outlook.exe or lync.exe or ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or narrator.exe or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or mphost.exe or APcptControl.exe or winword.exe or excel.exe or powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or zAssistant.exe or msiexec.exe or msedge.exe or dwm.exe or vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)",
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\")\n",
"risk_score": 47,
"rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
"severity": "medium",
@ -38,17 +35,7 @@
"id": "T1036",
"name": "Masquerading",
"reference": "https://attack.mitre.org/techniques/T1036/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
},
{
"id": "T1055",
"name": "Process Injection",
@ -57,6 +44,6 @@
]
}
],
"type": "query",
"version": 1
"type": "eql",
"version": 2
}
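Review bot: The rewritten `query` now alerts only when `Zoom.exe` spawns `cmd.exe`, `powershell.exe` or `pwsh.exe`, but the description still reads as a generic suspicious-child check and tells the analyst to verify the child's file signature details, which fitted the old allowlist approach and says little about three well-known shells. Rewording the description to name the shells being watched would make triage clearer. The T1036 Masquerading mapping carried over from the old version also no longer matches what the new query detects; the Command and Scripting Interpreter technique (T1059) fits a shell-spawn check, to be confirmed against the tactic block that the second hunk collapses.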


@ -0,0 +1,46 @@
{
"author": [
"Elastic"
],
"description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"max_signals": 33,
"name": "Timestomping using Touch Command",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name == \"touch\" and wildcard(process.args, \"-r\", \"-t\", \"-a*\",\"-m*\")\n",
"risk_score": 47,
"rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Linux",
"macOS",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1099",
"name": "Timestomp",
"reference": "https://attack.mitre.org/techniques/T1099/"
}
]
}
],
"type": "eql",
"version": 1
}
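Review bot: `wildcard(process.args, "-r", "-t", "-a*","-m*")` in the new `query` matches a bare `-a` or `-m`, which only set the access or modification time to now, while GNU touch's `-d`/`--date=` form sets an arbitrary timestamp just as `-t` does and is not listed, nor is `--reference=`. Adding `"-d", "--date=*", "--reference=*"` would close that gap and the bare `-a`/`-m` cases could be documented in a `false_positives` entry. `max_signals` is set to 33 with no explanation while no other rule in this commit sets it at all; if the value is intentional, the description or a `note` should say why.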


@ -0,0 +1,43 @@
{
"author": [
"Elastic"
],
"description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Unusual Process Execution Path - Alternate Data Stream",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.args : \"C:\\\\*:*\"\n",
"risk_score": 47,
"rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1564",
"name": "Hide Artifacts",
"reference": "https://attack.mitre.org/techniques/T1564/"
}
]
}
],
"type": "eql",
"version": 1
}
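Review bot: This rule omits the `"from": "now-9m"` that the other new Endpoint/winlogbeat rules in this commit set, as do the Enumeration of Administrator Accounts and File and Directory Discovery rules; without it the lookback is only the rule interval, so events delayed in ingestion can fall outside every run. Add `"from": "now-9m"` for consistency. The description speaks of processes running *from* an alternate data stream, but the `query` tests `process.args : "C:\\*:*"` rather than `process.executable`, so any argument naming an ADS path also matches; if that is intended the description should say so, otherwise `process.executable : "C:\\*:*"` is the literal reading.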


@ -0,0 +1,77 @@
{
"author": [
"Elastic"
],
"description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "AdFind Command Activity",
"note": "`AdFind.exe` is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment.",
"query": "process where event.type in (\"start\", \"process_started\") and \n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\", \n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n",
"references": [
"http://www.joeware.net/freetools/tools/adfind/",
"https://thedfirreport.com/2020/05/08/adfind-recon/",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
"https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"
],
"risk_score": 21,
"rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Discovery"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1069",
"name": "Permission Groups Discovery",
"reference": "https://attack.mitre.org/techniques/T1069/",
"subtechnique": [
{
"id": "T1069.002",
"name": "Domain Groups",
"reference": "https://attack.mitre.org/techniques/T1069/002/"
}
]
},
{
"id": "T1087",
"name": "Account Discovery",
"reference": "https://attack.mitre.org/techniques/T1087/",
"subtechnique": [
{
"id": "T1087.002",
"name": "Domain Account",
"reference": "https://attack.mitre.org/techniques/T1087/002/"
}
]
},
{
"id": "T1482",
"name": "Domain Trust Discovery",
"reference": "https://attack.mitre.org/techniques/T1482/"
}
]
}
],
"type": "eql",
"version": 1
}
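Review bot: The description states that for Winlogbeat this rule requires Sysmon, but only the `process.pe.original_file_name == "AdFind.exe"` branch of the `query` depends on PE metadata; the `process.name : "AdFind.exe"` branch works from ordinary process-creation events, so the sentence overstates the requirement. Rewording to `"For Winlogbeat, detecting a renamed AdFind binary requires Sysmon."` would be accurate. The `==` comparison on `process.pe.original_file_name` is case-sensitive while `process.name` uses `:`; the AutoIt rule in this commit uses `:` for the same field, and matching that here would tolerate casing differences between data sources.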


@ -0,0 +1,48 @@
{
"author": [
"Elastic"
],
"description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Enumeration of Administrator Accounts",
"query": "process where event.type in (\"start\", \"process_started\") and\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n",
"risk_score": 21,
"rule_id": "871ea072-1b71-4def-b016-6278b505138d",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Discovery"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1069",
"name": "Permission Groups Discovery",
"reference": "https://attack.mitre.org/techniques/T1069/"
},
{
"id": "T1087",
"name": "Account Discovery",
"reference": "https://attack.mitre.org/techniques/T1087/"
}
]
}
],
"type": "eql",
"version": 1
}
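Review bot: The description says the rule identifies lower-privilege accounts enumerating administrator groups, but the query carries no user constraint at all, so it fires for any account — including the domain admins themselves — that runs the listed `net`/`net1` or `wmic` commands. Either narrow the query (a `user.id`/`user.domain` clause, or an exclusion for the accounts expected to do this) or reword the description to `Identifies enumeration of Administrator accounts or groups using built-in Windows tools.` so the metadata matches the logic. The `wmic.exe` branch also has no admin-related argument filter, so plain `group`/`useraccount` listings alert at the same score; a `false_positives` entry for administrative scripting would help triage.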


@ -0,0 +1,43 @@
{
"author": [
"Elastic"
],
"description": "Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "File and Directory Discovery",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and\n process.args : (\"dir\", \"tree\")\n\n",
"risk_score": 21,
"rule_id": "7b08314d-47a0-4b71-ae4e-16544176924f",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Discovery"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1083",
"name": "File and Directory Discovery",
"reference": "https://attack.mitre.org/techniques/T1083/"
}
]
}
],
"type": "eql",
"version": 1
}
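Review bot: The query matches every `cmd.exe` invocation whose arguments include `dir` or `tree`, with no parent, user or argument-shape constraint, so it will alert on ordinary interactive shell use and on any batch script that lists a directory; yet the rule has no `false_positives` entry, unlike the Google Workspace rules in this commit. Add one such as `Directory listing by administrators, help-desk tooling and logon or maintenance scripts is routine; add exceptions for known scripts.` The query string also ends in `\n\n`, a trailing blank line the other rules do not carry.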


@ -0,0 +1,48 @@
{
"author": [
"Elastic"
],
"description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Windows Network Enumeration",
"query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestory is available\n and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n",
"risk_score": 47,
"rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Discovery"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1018",
"name": "Remote System Discovery",
"reference": "https://attack.mitre.org/techniques/T1018/"
},
{
"id": "T1135",
"name": "Network Share Discovery",
"reference": "https://attack.mitre.org/techniques/T1135/"
}
]
}
],
"type": "eql",
"version": 1
}
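Review bot: The commented-out expansion inside the query (`/* expand when ancestory is available ... */`) would not parse as written if it were ever uncommented: it uses `event.type == ("start", "process_started")`, which should be `event.type in ("start", "process_started")` as in the live part of the same query, and `ancestory` is a typo for `ancestry`. Fixing the dormant text now avoids shipping a broken query later. The exclusion it sketches (cmd.exe under userinit.exe, gpscript.exe or a Startup-folder batch file) is also the population this rule will hit today at medium severity, so a `false_positives` entry covering logon scripts would be useful in the meantime.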


@ -0,0 +1,43 @@
{
"author": [
"Elastic"
],
"description": "Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components connected to a computer system.",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Peripheral Device Discovery",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n process.args : \"fsinfo\" and process.args : \"drives\"\n",
"risk_score": 21,
"rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Discovery"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"reference": "https://attack.mitre.org/techniques/T1120/"
}
]
}
],
"type": "eql",
"version": 1
}
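Review bot: The description contains a stray space before the closing parenthesis, `(fsutil.exe )`; it should read `(fsutil.exe)`. The index list on this rule also puts `winlogbeat-*` before `logs-endpoint.events.*`, the reverse of the other Discovery rules added in this commit; order does not affect matching, but a consistent order keeps the files diffable.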


@ -0,0 +1,43 @@
{
"author": [
"Elastic"
],
"description": "Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform follow-on activities.",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Query Registry via reg.exe",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"reg.exe\" or process.pe.original_file_name == \"reg.exe\") and\n process.args == \"query\"\n",
"risk_score": 21,
"rule_id": "68113fdc-3105-4cdd-85bb-e643c416ef0b",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Discovery"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1012",
"name": "Query Registry",
"reference": "https://attack.mitre.org/techniques/T1012/"
}
]
}
],
"type": "eql",
"version": 1
}
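Review bot: `process.args == "query"` is a case-sensitive comparison, while every other rule in this commit matches process arguments with the case-insensitive `:` operator; on Windows `reg QUERY` and `reg Query` are equally valid spellings and would not match here. Change the last clause to `process.args : "query"`.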


@ -0,0 +1,43 @@
{
"author": [
"Elastic"
],
"description": "Discovery of remote system information using built-in commands, which may be used to mover laterally.",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Remote System Discovery Commands",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\")\n",
"risk_score": 21,
"rule_id": "0635c542-1b96-4335-9b47-126582d2c19a",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Discovery"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1018",
"name": "Remote System Discovery",
"reference": "https://attack.mitre.org/techniques/T1018/"
}
]
}
],
"type": "eql",
"version": 1
}
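Review bot: Operator precedence in the query leaves the `arp.exe` branch outside the `event.type` filter: `and` binds tighter than `or`, so the condition parses as `(event.type in (...) and nbtstat ...) or (arp.exe ...)`, and any process event for `arp.exe -a` — including end or info events — matches, producing duplicate alerts per process. Wrap the two tool branches: `process where event.type in ("start", "process_started") and` / `((process.name : "nbtstat.exe" and process.args : ("-n", "-s")) or` / `(process.name : "arp.exe" and process.args : "-a"))`. The description also has a typo, `mover laterally` → `move laterally`.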


@ -0,0 +1,44 @@
{
"author": [
"Elastic"
],
"description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Security Software Discovery using WMIC",
"query": "process where event.type in (\"start\", \"process_started\") and\n (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n",
"risk_score": 47,
"rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Discovery"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1518",
"name": "Software Discovery",
"reference": "https://attack.mitre.org/techniques/T1518/"
}
]
}
],
"type": "eql",
"version": 1
}
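Review bot: The query writes its comparisons as `process.name:"wmic.exe"` and `process.pe.original_file_name:"wmic.exe"`, with no spaces around the operator, whereas every other rule in this commit writes `process.name : "x"` and compares `process.pe.original_file_name` with `==`. Using `:` on the original file name is case-insensitive where the siblings are case-sensitive — harmless for this binary, but a silent behavioural difference across the set. Pick one form and apply it consistently, e.g. `(process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe")`.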


@ -0,0 +1,35 @@
{
"author": [
"Elastic"
],
"description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.",
"false_positives": [
"Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"from": "now-130m",
"index": [
"filebeat-*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License",
"name": "Domain Added to Google Workspace Trusted Domains",
"note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
"query": "event.dataset:gsuite.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS",
"references": [
"https://support.google.com/a/answer/6160020?hl=en"
],
"risk_score": 73,
"rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0",
"severity": "high",
"tags": [
"Elastic",
"Cloud",
"Google Workspace",
"Continuous Monitoring",
"SecOps",
"Configuration Audit"
],
"type": "query",
"version": 1
}
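Review bot: This rule carries no `threat` mapping, although it is a high-severity rule (risk 73) and the host rules added in the same commit each map to an ATT&CK tactic and technique; a change that, as the description itself says, enables collection and exfiltration with weaker controls should at least be placed under the Collection or Exfiltration tactic so it appears in coverage views. The `note` and `"from": "now-130m"` agree with each other, which is good — keep them in sync if the lookback is ever changed.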


@ -35,17 +35,7 @@
"id": "T1059",
"name": "Command and Scripting Interpreter",
"reference": "https://attack.mitre.org/techniques/T1059/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
},
{
"id": "T1086",
"name": "PowerShell",
@ -55,5 +45,5 @@
}
],
"type": "query",
"version": 5
"version": 6
}
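Review bot: Technique `T1086` (PowerShell) on the new side of this hunk is a deprecated ATT&CK ID — it was folded into `T1059.001` (Command and Scripting Interpreter: PowerShell) in ATT&CK v7 — so the merged technique list now carries both the current parent `T1059` and its retired predecessor. Since this commit already restructures the `threat` block, replace the T1086 entry with a `subtechnique` of T1059: `"id": "T1059.001"`, `"name": "PowerShell"`, `"reference": "https://attack.mitre.org/techniques/T1059/001/"`. The same deprecated entry appears in the new Command Shell Activity Started via RunDLL32 rule below. The rule's name and the rest of its threat block lie outside the hunk.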


@ -0,0 +1,49 @@
{
"author": [
"Elastic"
],
"description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Command Shell Activity Started via RunDLL32",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and \n /* common FPs can be added here */\n not process.parent.args : \"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\"\n",
"risk_score": 21,
"rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Execution"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"reference": "https://attack.mitre.org/techniques/T1059/"
},
{
"id": "T1086",
"name": "PowerShell",
"reference": "https://attack.mitre.org/techniques/T1086/"
}
]
}
],
"type": "eql",
"version": 1
}
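Review bot: The query identifies the shells by `process.name` only (`cmd.exe`, `powershell.exe`), whereas the Discovery rules in this commit pair `process.name` with `process.pe.original_file_name` so that a copied or renamed binary is still recognised; `pwsh.exe`, which the Suspicious MS Office Child Process rule in this same commit lists alongside `powershell.exe`, is also absent. Consider `(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe") or process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE")) and` in place of the current `process.name` line. The `/* common FPs can be added here */` comment would be more useful as a `false_positives` entry, which is where analysts look for it.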


@ -0,0 +1,27 @@
{
"author": [
"Elastic"
],
"description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Process Execution from an Unusual Directory",
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Users\\\\Default\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\twain_32\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n 
\"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
"risk_score": 47,
"rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Execution"
],
"type": "eql",
"version": 1
}
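Review bot: The `process.executable` list contains `C:\\Windows\\security\\*.exe` twice (once after `ServiceState`, again after `TextInput`); the duplicate does not change matching but shows the list was assembled by hand, so it is worth de-duplicating and sorting. The query string also appears broken across two physical lines here; if that is a raw line break inside the JSON string rather than a rendering artefact, the file is not valid JSON (control characters in strings must be escaped), so confirm the exported file parses. The Execution from Unusual Directory - Command Line rule below has the same duplicate `security` entry and the same split.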


@ -0,0 +1,28 @@
{
"author": [
"Elastic"
],
"description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Execution from Unusual Directory - Command Line",
"note": "This is related to the Process Execution from an Unusual Directory rule",
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\",\"cscript.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"cmstp.exe\",\"RegAsm.exe\",\"installutil.exe\",\"mshta.exe\",\"RegSvcs.exe\") and\n /* add suspicious execution paths here */\nprocess.args : (\"C:\\\\PerfLogs\\\\*\",\"C:\\\\Users\\\\Public\\\\*\",\"C:\\\\Users\\\\Default\\\\*\",\"C:\\\\Windows\\\\Tasks\\\\*\",\"C:\\\\Intel\\\\*\", \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \"C:\\\\Windows\\\\ServiceState\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\IdentityCRL\\\\*\",\"C:\\\\Windows\\\\Branding\\\\*\",\"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\"C:\\\\Windows\\\\en-US\\\\*\",\"C:\\\\Windows\\\\wlansvc\\\\*\",\"C:\\\\Windows\\\\Prefetch\\\\*\",\"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\"C:\\\\Windows\\\\TAPI\\\\*\",\"C:\\\\Windows\\\\INF\\\\*\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\"c:\\\\Windows\\\\Performance\\\\*\",\"c:\\\\windows\\\\intel\\\\*\",\"c:\\\\windows\\\\ms\\\\*\",\"C:\\\\Windows\\\\dot3svc\\\\*\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\"C:\\\\Windows\\\\RemotePackages\\\\*\",\"C:\\\\Windows\\\\OCR\\\\*\",\"C:\\\\Windows\\\\appcompat\\\\*\",\"C:\\\\Windows\\\\apppatch\\\\*\",\"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\"C:\\\\Windows\\\\Help\\\\*\",\"C:\\\\Windows\\\\SKB\\\\*\",\"C:\\\\Windows\\\\Vss\\\\*\",\"C:\\\\Windows\\\\Web\\\\*\",\"C:\\\\Windows\\\\servicing\\\\*\",\"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\"C:\\\\Windows\\\\WaaS\\\\*\",\"C:\\\\Windows\\\\twain_32\\\\*\",\"C:\\\\Windows\\\\ShellExperiences\\\\*\",\"C:\\\\Windows\\\\ShellComponents\\\\*\",\"C:\\\\Windows\\\\PLA\\\\*\",\n 
\"C:\\\\Windows\\\\Migration\\\\*\",\"C:\\\\Windows\\\\debug\\\\*\",\"C:\\\\Windows\\\\Cursors\\\\*\",\"C:\\\\Windows\\\\Containers\\\\*\",\"C:\\\\Windows\\\\Boot\\\\*\",\"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\"C:\\\\Windows\\\\TextInput\\\\*\",\"C:\\\\Windows\\\\security\\\\*\",\"C:\\\\Windows\\\\schemas\\\\*\",\"C:\\\\Windows\\\\SchCache\\\\*\",\"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\"C:\\\\Windows\\\\Provisioning\\\\*\",\"C:\\\\Windows\\\\PrintDialog\\\\*\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\"C:\\\\Windows\\\\L2Schemas\\\\*\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\"C:\\\\Windows\\\\ModemLogs\\\\*\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\")\n",
"risk_score": 47,
"rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Execution"
],
"type": "eql",
"version": 1
}
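Review bot: Neither this rule nor its sibling, Process Execution from an Unusual Directory, carries a `threat` mapping, although both are tagged Execution and the other Execution rules in this commit map to TA0002; add a `threat` block so the pair shows up in ATT&CK coverage. The `note` only says the rule is related to the other one; quoting that rule's id makes the link unambiguous: `This is related to the Process Execution from an Unusual Directory rule (rule_id ebfe1448-7fac-4d59-acea-181bd89b1f7f).`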


@ -0,0 +1,63 @@
{
"author": [
"Elastic"
],
"description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Apple Script Execution followed by Network Connection",
"query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where event.type == \"start\" and process.name == \"osascript\"]\n [network where event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \n \"172.16.0.0/12\", \n \"192.168.0.0/16\", \n \"127.0.0.0/8\", \n \"169.254.0.0/16\", \n \"224.0.0.0/4\", \n \"FE80::/10\", \n \"FF00::/8\")\n ]\n",
"references": [
"https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html"
],
"risk_score": 47,
"rule_id": "47f76567-d58a-4fed-b32b-21f571e28910",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"macOS",
"Threat Detection",
"Command and Control",
"Execution"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"reference": "https://attack.mitre.org/techniques/T1059/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"reference": "https://attack.mitre.org/techniques/T1105/"
}
]
}
],
"type": "eql",
"version": 1
}
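Review bot: The `cidrmatch` exclusion list is asymmetric between address families: on the IPv4 side it removes RFC 1918, loopback, link-local and multicast space, but on the IPv6 side only link-local (`FE80::/10`) and multicast (`FF00::/8`) are excluded, so connections to unique-local addresses (`fc00::/7`, the IPv6 counterpart of the private IPv4 ranges) will still alert. If the intent is "non-internal destinations", add `"fc00::/7"` to the list; `destination.ip != "::1"` could then also move into the same `cidrmatch` as `"::1/128"` for readability. The first event uses `event.type == "start"` only, where the Windows rules in this commit also accept `process_started`; worth confirming which value the `auditbeat-*` index emits.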


@ -0,0 +1,49 @@
{
"author": [
"Elastic"
],
"description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Windows Script Interpreter Executing Process via WMI",
"query": "sequence by host.id with maxspan=5s\n [library where file.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n",
"risk_score": 47,
"rule_id": "b64b183e-1a76-422d-9179-7b389513e74d",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Execution"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1193",
"name": "Spearphishing Attachment",
"reference": "https://attack.mitre.org/techniques/T1193/"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"reference": "https://attack.mitre.org/techniques/T1047/"
}
]
}
],
"type": "eql",
"version": 1
}
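Review bot: `T1193` (Spearphishing Attachment) is mapped under tactic TA0002 Execution, but it is an Initial Access (TA0001) technique, and the ID itself was deprecated in ATT&CK v7 in favour of `T1566.001`; the Execution block should keep only `T1047`, and if the phishing lineage is worth expressing it belongs in a separate `threat` entry under Initial Access with the current ID. The first `library` event is keyed only by `host.id`, so within the 5-second window any unrelated script-host process on the same host that loaded `wmiutils.dll` satisfies it; that is acceptable at medium severity but worth stating in a `false_positives` entry.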


@ -0,0 +1,48 @@
{
"author": [
"Elastic"
],
"description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Execution via local SxS Shared Module",
"note": "The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.",
"query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n",
"references": [
"https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"
],
"risk_score": 43,
"rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Execution"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1129",
"name": "Shared Modules",
"reference": "https://attack.mitre.org/techniques/T1129/"
}
]
}
],
"type": "eql",
"version": 1
}
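Review bot: `risk_score` is 43 while `severity` is medium; every other rule in this commit uses the 21/47/73 scale for low/medium/high, so 43 looks like a typo for 47 and will sort oddly next to its peers — change the line to `"risk_score": 47,`. The query also has no `event.type` constraint, so a `file` event of any type in a `*.exe.local` folder matches, while the description promises creation, change or deletion; `event.type in ("creation", "change", "deletion")` would align the logic with the text, much as the Unusual File Modification by dns.exe change in this same commit does for that rule.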


@ -0,0 +1,48 @@
{
"author": [
"Elastic"
],
"description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Shell Execution via Apple Scripting",
"query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.ppid\n",
"references": [
"https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
"https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"
],
"risk_score": 47,
"rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"macOS",
"Threat Detection",
"Execution"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"reference": "https://attack.mitre.org/techniques/T1059/"
}
]
}
],
"type": "eql",
"version": 1
}


@ -0,0 +1,46 @@
{
"author": [
"Elastic"
],
"description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from MS Office products.",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Suspicious WMI Image Load from MS Office",
"query": "library where process.name in (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action == \"load\" and\n event.category == \"library\" and\n file.name == \"wmiutils.dll\"\n",
"references": [
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"
],
"risk_score": 21,
"rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Execution"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"reference": "https://attack.mitre.org/techniques/T1047/"
}
]
}
],
"type": "eql",
"version": 1
}
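Review bot: `file.name == "wmiutils.dll"` and `event.action == "load"` use the case-sensitive `==`, whereas the Windows Script Interpreter Executing Process via WMI rule in this same commit matches the same DLL with the case-insensitive `file.name : "wmiutils.dll"`; Windows file names are case-insensitive, and a load reported as `WMIUTILS.DLL` would be missed here. Use `file.name : "wmiutils.dll"` and, for the same reason, `process.name : (...)` rather than `process.name in (...)` for the Office executables. `event.category == "library"` is redundant with the `library where` event type and can be dropped.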


@ -8,13 +8,13 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Suspicious MS Office Child Process",
"query": "event.category:process and event.type:(start or process_started) and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
"risk_score": 21,
"query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\",\n \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\",\n \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\")\n",
"risk_score": 47,
"rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
"severity": "low",
"severity": "medium",
"tags": [
"Elastic",
"Host",
@ -39,6 +39,6 @@
]
}
],
"type": "query",
"version": 5
"type": "eql",
"version": 6
}
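Review bot: The EQL rewrite adds `explorer.exe`, `rundll32.exe` and `hh.exe` to the child list while raising the rule to medium (risk 47); `explorer.exe` and `hh.exe` appear to be spawned by Office for benign user actions (opening a file location, opening help), so the broadened list at the higher severity is likely to be noisier than the kuery version. If the additions are intended, a `false_positives` entry naming them would help triage, and the `process.pe.original_file_name` fallback used by the other rules in this commit is still absent here. The `threat` block and `tags` of this rule lie outside the hunk.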


@ -8,10 +8,10 @@
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "kuery",
"language": "eql",
"license": "Elastic License",
"name": "Suspicious Process Execution via Renamed PsExec Executable",
"query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) or winlog.event_data.OriginalFileName:(psexesvc.exe or PSEXESVC.exe)) and process.parent.name:services.exe and not process.name:(psexesvc.exe or PSEXESVC.exe)",
"query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n",
"risk_score": 47,
"rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
"severity": "medium",
@ -39,6 +39,6 @@
]
}
],
"type": "query",
"version": 1
"type": "eql",
"version": 2
}
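Review bot: The EQL version drops two constraints the kuery form had — `process.parent.name:services.exe` and the `winlog.event_data.OriginalFileName` alternative — and the commit does not say whether that is deliberate. Dropping the parent check widens the rule to any renamed PSEXESVC image regardless of how it was started, which is arguably desirable, but dropping the `winlog.event_data.OriginalFileName` path may lose coverage on `winlogbeat-*` events where the PE original file name is not mapped into `process.pe.original_file_name`; if that mapping is now guaranteed, a one-line `note` saying so would stop the next reader from re-adding it. `process.pe.original_file_name : "psexesvc.exe"` is case-insensitive, so collapsing the old `(psexesvc.exe or PSEXESVC.exe)` pair is correct.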


@ -0,0 +1,27 @@
{
"author": [
"Elastic"
],
"description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "Suspicious Execution - Short Program Name",
"query": "process where event.type in (\"start\", \"process_started\") and length(process.name) > 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) > 5\n",
"risk_score": 47,
"rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Execution"
],
"type": "eql",
"version": 1
}
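Review bot: `length(process.name) > 0 and` is redundant given the following `length(process.name) == 5`, and the name and description ("single character process name") only hold if those five characters are one letter plus `.exe`; the query does not check the extension, so any other five-character name also matches. Either drop the dead clause and state the assumption in the description, or make it explicit: `length(process.name) == 5 and process.name : "*.exe" and`.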


@ -11,7 +11,7 @@
"license": "Elastic License",
"name": "Unusual File Modification by dns.exe",
"note": "### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.",
"query": "event.category:file and process.name:dns.exe and not file.name:dns.log",
"query": "event.category:file and process.name:dns.exe and event.type:(creation or deletion or change) and not file.name:dns.log",
"references": [
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/"
@ -44,5 +44,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
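Review bot: The new `query` line now also matches `deletion` events, but the `note` on the preceding context line still frames everything as file writes (`### Investigating Unusual File Write`), as does the rule name; the note heading and its second bullet should be broadened to cover deletions so analysts are not surprised by alerts with no written file. The `not file.name:dns.log` exclusion is keyed on the bare file name rather than the path, so it suppresses activity on any file of that name anywhere; anchoring the exclusion on `file.path` under the DNS log directory keeps it narrow. The rest of the rule, including its `threat` mapping, lies outside this hunk.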


@ -2,7 +2,7 @@
"author": [
"Elastic"
],
"description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.",
"description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.",
"from": "now-9m",
"index": [
"winlogbeat-*",
@ -11,10 +11,11 @@
"language": "eql",
"license": "Elastic License",
"name": "Unusual Network Connection via RunDLL32",
"query": "sequence by process.entity_id\n [process where process.name : \"rundll32.exe\" and event.type == \"start\"]\n [network where process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n",
"risk_score": 21,
"query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where process.name : \"rundll32.exe\" and network.protocol != \"dns\" and network.direction == \"outgoing\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n",
"risk_score": 47,
"rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
"severity": "low",
"severity": "medium",
"tags": [
"Elastic",
"Host",
@ -40,5 +41,5 @@
}
],
"type": "eql",
"version": 6
"version": 7
}
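Review bot: The new `query` compares `network.direction == "outgoing"` as a literal while the rule reads both `winlogbeat-*` and `logs-endpoint.events.*`; ECS documents `outbound`/`egress` style values for this field, so unless both data sources emit `outgoing` the network stage will only match one of them — confirm the value each source produces, or accept the variants with `network.direction in ("outgoing", "outbound")`. `network.protocol != "dns"` also depends on how EQL treats a missing field: if `network.protocol` is not populated for plain TCP connections, confirm the inequality still evaluates true rather than dropping those events. `process.args_count == 1` is the key narrowing added here (rundll32 launched with no arguments), and that rationale belongs in the description, which currently says only "unusual instances".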


@ -0,0 +1,54 @@
{
"author": [
"Elastic"
],
"description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License",
"name": "Suspicious Explorer Child Process",
"query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\"\n",
"risk_score": 43,
"rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Execution"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1064",
"name": "Scripting",
"reference": "https://attack.mitre.org/techniques/T1064/"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"reference": "https://attack.mitre.org/techniques/T1192/"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"reference": "https://attack.mitre.org/techniques/T1193/"
}
]
}
],
"type": "eql",
"version": 1
}
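Review bot: The `threat` block pairs the Execution tactic (TA0002) with T1192 and T1193, which are Initial Access techniques, and all three technique IDs (T1064, T1192, T1193) were retired in the ATT&CK sub-technique release in favor of T1059 and the T1566 spearphishing sub-techniques; the mapping should use the tactic and IDs of whichever ATT&CK version the rest of the repository targets. The inline `/* Explorer started via DCOM */` comment in the query is the only place the `-Embedding` rationale appears; repeating it in the description would help analysts triaging alerts, since the JSON rule body cannot carry comments.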


@ -44,17 +44,7 @@
"id": "T1064",
"name": "Scripting",
"reference": "https://attack.mitre.org/techniques/T1064/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
},
{
"id": "T1086",
"name": "PowerShell",
@ -64,5 +54,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
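Review bot: Collapsing the second tactic block moves T1086 under the tactic that heads the first block, which begins outside this hunk; confirm that tactic is Execution (TA0002), otherwise the PowerShell technique is now filed under the wrong tactic. T1064 and T1086 are also retired ATT&CK IDs (superseded by T1059 and T1059.001), so this is a natural point to refresh the mapping along with the version bump.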


@ -0,0 +1,52 @@
{
"author": [
"Elastic"
],
"description": "Identifies a transport rule creation in Microsoft 365. Exchange Online mail transport rules should be set to not forward email to domains outside of your organization as a best practice. An adversary may create transport rules to exfiltrate data.",
"false_positives": [
"A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"from": "now-30m",
"index": [
"filebeat-*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Microsoft 365 Exchange Transport Rule Creation",
"note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success",
"references": [
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
],
"risk_score": 47,
"rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02",
"severity": "medium",
"tags": [
"Elastic",
"Cloud",
"Microsoft 365",
"Continuous Monitoring",
"SecOps",
"Configuration Audit"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0010",
"name": "Exfiltration",
"reference": "https://attack.mitre.org/tactics/TA0010/"
},
"technique": [
{
"id": "T1537",
"name": "Transfer Data to Cloud Account",
"reference": "https://attack.mitre.org/techniques/T1537/"
}
]
}
],
"type": "query",
"version": 1
}
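Review bot: The `query` matches every successful `New-TransportRule`, while the description's stated concern is rules that forward mail outside the organization; the false-positive text covers the gap, but the description should say plainly that all transport rule creations alert and that forwarding parameters are not inspected. An existing rule modified via `Set-TransportRule` to add external forwarding would not trigger this rule, so a companion rule, or a note pointing to one, would close that gap. The T1537 mapping (Transfer Data to Cloud Account) is a loose fit for mail-flow rules; if the repository's ATT&CK version includes it, T1114.003 (Email Forwarding Rule) is closer, though it sits under Collection rather than Exfiltration.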
