[Detection Rules] Add 7.15 rules (#110345)
This commit is contained in:
Ross Wolf
GitHub
parent
cf24e6ca76
commit
e64a03677f
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed",
|
||||
"description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.",
|
||||
"false_positives": [
|
||||
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
|
||||
],
|
||||
|
|
@ -26,5 +26,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 7
|
||||
"version": 8
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource",
|
||||
"description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.",
|
||||
"false_positives": [
|
||||
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
|
||||
],
|
||||
|
|
@ -26,5 +26,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 7
|
||||
"version": 8
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Application Added to Google Workspace Domain",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
|
||||
"references": [
|
||||
"https://support.google.com/a/answer/6328701?hl=en#"
|
||||
|
|
@ -33,5 +33,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 4
|
||||
"version": 5
|
||||
}
|
||||
|
|
|
|||
|
|
@ -43,11 +43,16 @@
|
|||
"id": "T1114",
|
||||
"name": "Email Collection",
|
||||
"reference": "https://attack.mitre.org/techniques/T1114/"
|
||||
},
|
||||
{
|
||||
"id": "T1005",
|
||||
"name": "Data from Local System",
|
||||
"reference": "https://attack.mitre.org/techniques/T1005/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -43,11 +43,16 @@
|
|||
"id": "T1114",
|
||||
"name": "Email Collection",
|
||||
"reference": "https://attack.mitre.org/techniques/T1114/"
|
||||
},
|
||||
{
|
||||
"id": "T1005",
|
||||
"name": "Data from Local System",
|
||||
"reference": "https://attack.mitre.org/techniques/T1005/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module configuration.",
|
||||
"description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
|
|
@ -13,7 +13,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Default Cobalt Strike Team Server Certificate",
|
||||
"note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly.",
|
||||
"note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.",
|
||||
"query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n",
|
||||
"references": [
|
||||
"https://attack.mitre.org/software/S0154/",
|
||||
|
|
@ -59,5 +59,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.",
|
||||
"description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS and it opens your network to a variety of abuses and malicious communications.",
|
||||
"false_positives": [
|
||||
"Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
|
||||
],
|
||||
|
|
@ -45,5 +45,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 10
|
||||
"version": 11
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
|
||||
"description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs (tactics, techniques, and procedures). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
|
||||
"false_positives": [
|
||||
"Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
|
||||
],
|
||||
|
|
@ -52,5 +52,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 6
|
||||
"version": 7
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
|
||||
"description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
|
||||
"false_positives": [
|
||||
"Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
|
||||
],
|
||||
|
|
@ -74,5 +74,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 10
|
||||
"version": 11
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
|
||||
"description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
|
||||
"false_positives": [
|
||||
"IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
|
||||
],
|
||||
|
|
@ -71,5 +71,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 8
|
||||
"version": 9
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
|
||||
"description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
|
||||
"false_positives": [
|
||||
"VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
|
||||
],
|
||||
|
|
@ -65,5 +65,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 10
|
||||
"version": 11
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
|
||||
"description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
|
||||
"false_positives": [
|
||||
"VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
|
||||
],
|
||||
|
|
@ -50,5 +50,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 10
|
||||
"version": 11
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
"Elastic",
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.",
|
||||
"from": "now-9m",
|
||||
|
|
@ -13,9 +14,10 @@
|
|||
"license": "Elastic License v2",
|
||||
"max_signals": 33,
|
||||
"name": "NTDS or SAM Database File Copied",
|
||||
"query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\") and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\")\n",
|
||||
"query": "process where event.type in (\"start\", \"process_started\") and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n",
|
||||
"references": [
|
||||
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"
|
||||
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
|
||||
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy"
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
|
||||
|
|
@ -46,5 +48,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
"Elastic",
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or single sign-on token.",
|
||||
"description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.",
|
||||
"false_positives": [
|
||||
"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
|
||||
],
|
||||
|
|
@ -52,5 +52,5 @@
|
|||
"value": 5
|
||||
},
|
||||
"type": "threshold",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Jscript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the Jscript process. An adversary can modify this key to disable AMSI protections.",
|
||||
"description": "JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
|
|
@ -53,5 +53,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Windows Defender Disabled via Registry Modification",
|
||||
"note": "## Triage and analysis\n\nDetections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized",
|
||||
"note": "## Triage and analysis\n\nDetections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
|
||||
"query": "registry where event.type in (\"creation\", \"change\") and\n ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings:\"1\") or\n (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n registry.data.strings in (\"3\", \"4\")))\n",
|
||||
"references": [
|
||||
"https://thedfirreport.com/2020/12/13/defender-control/"
|
||||
|
|
@ -58,5 +58,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 2
|
||||
"version": 3
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Windows Defender Exclusions Added via PowerShell",
|
||||
"note": "## Triage and analysis\n\nDetections should be investigated to identify if the activity corresponds to legitimate activity used to put in exceptions for Windows Defender. As this rule detects post-exploitation process activity, investigations into this should be prioritized",
|
||||
"note": "## Triage and analysis\n\nDetections should be investigated to identify if the activity corresponds to legitimate activity used to put in exceptions for Windows Defender. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
|
||||
"query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\") or process.pe.original_file_name : (\"powershell.exe\", \"pwsh.exe\")) and\n process.args : (\"*Add-MpPreference*-Exclusion*\", \"*Set-MpPreference*-Exclusion*\")\n",
|
||||
"references": [
|
||||
"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"
|
||||
|
|
@ -80,5 +80,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
|
||||
"description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
|
||||
"from": "now-20m",
|
||||
"index": [
|
||||
"logs-endpoint.events.*",
|
||||
|
|
@ -48,5 +48,5 @@
|
|||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,44 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Whitespace Padding in Process Command Line",
|
||||
"note": "## Triage and analysis\n\n- Analyze the command line of the process in question for evidence of malicious code execution.\n- Review the ancestry and child processes spawned by the process in question for indicators of further malicious code execution.",
|
||||
"query": "process where event.type in (\"start\", \"process_started\") and\n process.command_line regex \".*[ ]{20,}.*\" or \n \n /* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */\n process.command_line regex \".*(.*[ ]{5,}[^ ]*){3,}.*\"\n",
|
||||
"references": [
|
||||
"https://twitter.com/JohnLaTwC/status/1419251082736201737"
|
||||
],
|
||||
"risk_score": 47,
|
||||
"rule_id": "e0dacebe-4311-4d50-9387-b17e89c2e7fd",
|
||||
"severity": "medium",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Defense Evasion"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": []
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -12,7 +12,7 @@
|
|||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Windows Network Enumeration",
|
||||
"query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestory is available\n and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n",
|
||||
"query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n",
|
||||
"risk_score": 47,
|
||||
"rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1",
|
||||
"severity": "medium",
|
||||
|
|
@ -47,5 +47,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@
|
|||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "External IP Lookup fron Non-Browser Process",
|
||||
"name": "External IP Lookup from Non-Browser Process",
|
||||
"query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\",\n \"*ipapi.co\",\n \"*ip-lookup.net\",\n \"*ipstack.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n",
|
||||
"references": [
|
||||
"https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
|
||||
|
|
@ -49,5 +49,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Domain Added to Google Workspace Trusted Domains",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n",
|
||||
"references": [
|
||||
"https://support.google.com/a/answer/6160020?hl=en"
|
||||
|
|
@ -33,5 +33,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 4
|
||||
"version": 5
|
||||
}
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@
|
|||
"license": "Elastic License v2",
|
||||
"max_signals": 10000,
|
||||
"name": "Endpoint Security",
|
||||
"query": "event.kind:alert and event.module:(endpoint and not endgame)\n",
|
||||
"query": "event.kind:alert and event.module:(endpoint and not endgame) and not event.code: behavior\n",
|
||||
"risk_score": 47,
|
||||
"risk_score_mapping": [
|
||||
{
|
||||
|
|
@ -64,5 +64,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,68 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Generates a detection alert each time an Elastic Endpoint Security alert is received for Behavior Protection alerts. Enabling this rule allows you to immediately begin investigating your Endpoint alerts for Behavior Protection.",
|
||||
"enabled": true,
|
||||
"exceptions_list": [
|
||||
{
|
||||
"id": "endpoint_list",
|
||||
"list_id": "endpoint_list",
|
||||
"namespace_type": "agnostic",
|
||||
"type": "endpoint"
|
||||
}
|
||||
],
|
||||
"from": "now-10m",
|
||||
"index": [
|
||||
"logs-endpoint.alerts-*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"max_signals": 10000,
|
||||
"name": "Endpoint Security Behavior Protection",
|
||||
"query": "event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior\n",
|
||||
"risk_score": 47,
|
||||
"risk_score_mapping": [
|
||||
{
|
||||
"field": "event.risk_score",
|
||||
"operator": "equals",
|
||||
"value": ""
|
||||
}
|
||||
],
|
||||
"rule_id": "d516af98-19f3-45bb-b590-dd623535b746",
|
||||
"rule_name_override": "rule.name",
|
||||
"severity": "medium",
|
||||
"severity_mapping": [
|
||||
{
|
||||
"field": "event.severity",
|
||||
"operator": "equals",
|
||||
"severity": "low",
|
||||
"value": "21"
|
||||
},
|
||||
{
|
||||
"field": "event.severity",
|
||||
"operator": "equals",
|
||||
"severity": "medium",
|
||||
"value": "47"
|
||||
},
|
||||
{
|
||||
"field": "event.severity",
|
||||
"operator": "equals",
|
||||
"severity": "high",
|
||||
"value": "73"
|
||||
},
|
||||
{
|
||||
"field": "event.severity",
|
||||
"operator": "equals",
|
||||
"severity": "critical",
|
||||
"value": "99"
|
||||
}
|
||||
],
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Endpoint Security"
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -44,7 +44,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1059.007",
|
||||
"name": "JavaScript/JScript",
|
||||
"name": "JavaScript",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/007/"
|
||||
}
|
||||
]
|
||||
|
|
@ -76,5 +76,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 2
|
||||
"version": 3
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of MS Office applications.",
|
||||
"description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.",
|
||||
"from": "now-120m",
|
||||
"index": [
|
||||
"logs-endpoint.events.*",
|
||||
|
|
@ -63,5 +63,5 @@
|
|||
}
|
||||
],
|
||||
"type": "eql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from MS Office products.",
|
||||
"description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
|
|
@ -45,5 +45,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1059.007",
|
||||
"name": "JavaScript/JScript",
|
||||
"name": "JavaScript",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/007/"
|
||||
}
|
||||
]
|
||||
|
|
@ -49,5 +49,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
"Elastic",
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.",
|
||||
"description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.",
|
||||
"false_positives": [
|
||||
"Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
|
|
@ -67,5 +67,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Google Workspace Admin Role Deletion",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n",
|
||||
"references": [
|
||||
"https://support.google.com/a/answer/2406043?hl=en"
|
||||
|
|
@ -33,5 +33,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 4
|
||||
"version": 5
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Google Workspace MFA Enforcement Disabled",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)\n",
|
||||
"references": [
|
||||
"https://support.google.com/a/answer/9176657?hl=en#"
|
||||
|
|
@ -33,5 +33,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Google Workspace Password Policy Modified",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and\n event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n gsuite.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n ) or\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n",
|
||||
"risk_score": 47,
|
||||
"rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73",
|
||||
|
|
@ -30,5 +30,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,9 +3,9 @@
|
|||
"Elastic",
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security Group.",
|
||||
"description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.",
|
||||
"false_positives": [
|
||||
"A RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
"An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
"from": "now-60m",
|
||||
"index": [
|
||||
|
|
@ -51,5 +51,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -547,37 +547,41 @@ import rule534 from './threat_intel_module_match.json';
|
|||
import rule535 from './exfiltration_ec2_vm_export_failure.json';
|
||||
import rule536 from './exfiltration_ec2_full_network_packet_capture_detected.json';
|
||||
import rule537 from './impact_azure_service_principal_credentials_added.json';
|
||||
import rule538 from './defense_evasion_disabling_windows_logs.json';
|
||||
import rule539 from './persistence_route_53_domain_transfer_lock_disabled.json';
|
||||
import rule540 from './persistence_route_53_domain_transferred_to_another_account.json';
|
||||
import rule541 from './credential_access_user_excessive_sso_logon_errors.json';
|
||||
import rule542 from './defense_evasion_suspicious_execution_from_mounted_device.json';
|
||||
import rule543 from './defense_evasion_unusual_network_connection_via_dllhost.json';
|
||||
import rule544 from './defense_evasion_amsienable_key_mod.json';
|
||||
import rule545 from './impact_rds_group_deletion.json';
|
||||
import rule546 from './persistence_rds_group_creation.json';
|
||||
import rule547 from './exfiltration_rds_snapshot_export.json';
|
||||
import rule548 from './persistence_rds_instance_creation.json';
|
||||
import rule549 from './ml_auth_rare_hour_for_a_user_to_logon.json';
|
||||
import rule550 from './ml_auth_rare_source_ip_for_a_user.json';
|
||||
import rule551 from './ml_auth_rare_user_logon.json';
|
||||
import rule552 from './ml_auth_spike_in_failed_logon_events.json';
|
||||
import rule553 from './ml_auth_spike_in_logon_events.json';
|
||||
import rule554 from './ml_auth_spike_in_logon_events_from_a_source_ip.json';
|
||||
import rule555 from './privilege_escalation_cyberarkpas_error_audit_event_promotion.json';
|
||||
import rule556 from './privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json';
|
||||
import rule557 from './privilege_escalation_printspooler_malicious_driver_file_changes.json';
|
||||
import rule558 from './privilege_escalation_printspooler_malicious_registry_modification.json';
|
||||
import rule559 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
|
||||
import rule560 from './privilege_escalation_unusual_printspooler_childprocess.json';
|
||||
import rule561 from './defense_evasion_disabling_windows_defender_powershell.json';
|
||||
import rule562 from './defense_evasion_enable_network_discovery_with_netsh.json';
|
||||
import rule563 from './defense_evasion_execution_windefend_unusual_path.json';
|
||||
import rule564 from './defense_evasion_agent_spoofing_mismatched_id.json';
|
||||
import rule565 from './defense_evasion_agent_spoofing_multiple_hosts.json';
|
||||
import rule566 from './defense_evasion_parent_process_pid_spoofing.json';
|
||||
import rule567 from './defense_evasion_defender_exclusion_via_powershell.json';
|
||||
import rule568 from './persistence_via_bits_job_notify_command.json';
|
||||
import rule538 from './persistence_ec2_security_group_configuration_change_detection.json';
|
||||
import rule539 from './defense_evasion_disabling_windows_logs.json';
|
||||
import rule540 from './persistence_route_53_domain_transfer_lock_disabled.json';
|
||||
import rule541 from './persistence_route_53_domain_transferred_to_another_account.json';
|
||||
import rule542 from './credential_access_user_excessive_sso_logon_errors.json';
|
||||
import rule543 from './defense_evasion_suspicious_execution_from_mounted_device.json';
|
||||
import rule544 from './defense_evasion_unusual_network_connection_via_dllhost.json';
|
||||
import rule545 from './defense_evasion_amsienable_key_mod.json';
|
||||
import rule546 from './impact_rds_group_deletion.json';
|
||||
import rule547 from './persistence_rds_group_creation.json';
|
||||
import rule548 from './exfiltration_rds_snapshot_export.json';
|
||||
import rule549 from './persistence_rds_instance_creation.json';
|
||||
import rule550 from './ml_auth_rare_hour_for_a_user_to_logon.json';
|
||||
import rule551 from './ml_auth_rare_source_ip_for_a_user.json';
|
||||
import rule552 from './ml_auth_rare_user_logon.json';
|
||||
import rule553 from './ml_auth_spike_in_failed_logon_events.json';
|
||||
import rule554 from './ml_auth_spike_in_logon_events.json';
|
||||
import rule555 from './ml_auth_spike_in_logon_events_from_a_source_ip.json';
|
||||
import rule556 from './privilege_escalation_cyberarkpas_error_audit_event_promotion.json';
|
||||
import rule557 from './privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json';
|
||||
import rule558 from './privilege_escalation_printspooler_malicious_driver_file_changes.json';
|
||||
import rule559 from './privilege_escalation_printspooler_malicious_registry_modification.json';
|
||||
import rule560 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
|
||||
import rule561 from './privilege_escalation_unusual_printspooler_childprocess.json';
|
||||
import rule562 from './defense_evasion_disabling_windows_defender_powershell.json';
|
||||
import rule563 from './defense_evasion_enable_network_discovery_with_netsh.json';
|
||||
import rule564 from './defense_evasion_execution_windefend_unusual_path.json';
|
||||
import rule565 from './defense_evasion_agent_spoofing_mismatched_id.json';
|
||||
import rule566 from './defense_evasion_agent_spoofing_multiple_hosts.json';
|
||||
import rule567 from './defense_evasion_parent_process_pid_spoofing.json';
|
||||
import rule568 from './defense_evasion_defender_exclusion_via_powershell.json';
|
||||
import rule569 from './defense_evasion_whitespace_padding_in_command_line.json';
|
||||
import rule570 from './persistence_webshell_detection.json';
|
||||
import rule571 from './elastic_endpoint_security_behavior_protection.json';
|
||||
import rule572 from './persistence_via_bits_job_notify_command.json';
|
||||
|
||||
export const rawRules = [
|
||||
rule1,
|
||||
|
|
@ -1148,4 +1152,8 @@ export const rawRules = [
|
|||
rule566,
|
||||
rule567,
|
||||
rule568,
|
||||
rule569,
|
||||
rule570,
|
||||
rule571,
|
||||
rule572,
|
||||
];
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
|
||||
"description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
|
|
@ -47,5 +47,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 10
|
||||
"version": 11
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
|
||||
"description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
|
|
@ -47,5 +47,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 10
|
||||
"version": 11
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.",
|
||||
"description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"auditbeat-*",
|
||||
|
|
@ -62,5 +62,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 10
|
||||
"version": 11
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "MFA Disabled for Google Workspace Organization",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)\n",
|
||||
"risk_score": 47,
|
||||
"rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827",
|
||||
|
|
@ -30,5 +30,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,9 +3,9 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive, because the user has left the organization, which becomes active, may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
|
||||
"description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
|
||||
"false_positives": [
|
||||
"User accounts that are rarely active, such as an SRE or developer logging into a prod server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."
|
||||
"User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."
|
||||
],
|
||||
"from": "now-30m",
|
||||
"interval": "15m",
|
||||
|
|
@ -25,5 +25,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
],
|
||||
"description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.",
|
||||
"false_positives": [
|
||||
"A misconfigured service account can trigger this alert. A password change on ana account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
|
||||
"A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
|
||||
],
|
||||
"from": "now-30m",
|
||||
"interval": "15m",
|
||||
|
|
@ -25,5 +25,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "high_distinct_count_error_message",
|
||||
"name": "Spike in AWS Error Messages",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating Spikes in CloudTrail Errors\nDetection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating Spikes in CloudTrail Errors\nDetection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -26,5 +26,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "rare_error_code",
|
||||
"name": "Rare AWS Error Code",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nInvestigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nInvestigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -26,5 +26,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).",
|
||||
"description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
|
||||
"false_positives": [
|
||||
"New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
|
||||
],
|
||||
|
|
@ -12,7 +12,7 @@
|
|||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "rare_method_for_a_city",
|
||||
"name": "Unusual City For an AWS Command",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -26,5 +26,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).",
|
||||
"description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
|
||||
"false_positives": [
|
||||
"New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
|
||||
],
|
||||
|
|
@ -12,7 +12,7 @@
|
|||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "rare_method_for_a_country",
|
||||
"name": "Unusual Country For an AWS Command",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -26,5 +26,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.",
|
||||
"description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.",
|
||||
"false_positives": [
|
||||
"New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."
|
||||
],
|
||||
|
|
@ -12,7 +12,7 @@
|
|||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "rare_method_for_a_username",
|
||||
"name": "Unusual AWS Command for a User",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -26,5 +26,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
],
|
||||
"description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
|
||||
"false_positives": [
|
||||
"Business workflows that occur very occasionally, and involve an unsual surge in network trafic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert."
|
||||
"Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert."
|
||||
],
|
||||
"from": "now-30m",
|
||||
"interval": "15m",
|
||||
|
|
@ -25,5 +25,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 2
|
||||
"version": 3
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
],
|
||||
"description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
|
||||
"false_positives": [
|
||||
"Uncommon compiler activity can be due to an engineer running a local build on a prod or staging instance in the course of troubleshooting or fixing a software issue."
|
||||
"Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue."
|
||||
],
|
||||
"from": "now-45m",
|
||||
"interval": "15m",
|
||||
|
|
@ -23,5 +23,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 2
|
||||
"version": 3
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"license": "Elastic License v2",
|
||||
"machine_learning_job_id": "linux_anomalous_network_activity_ecs",
|
||||
"name": "Unusual Linux Network Activity",
|
||||
"note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -24,5 +24,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"v2_linux_anomalous_process_all_hosts_ecs"
|
||||
],
|
||||
"name": "Anomalous Process For a Linux Population",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -30,5 +30,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 6
|
||||
"version": 7
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"v2_linux_anomalous_user_name_ecs"
|
||||
],
|
||||
"name": "Unusual Linux Username",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -30,5 +30,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 6
|
||||
"version": 7
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"v2_rare_process_by_host_linux_ecs"
|
||||
],
|
||||
"name": "Unusual Process For a Linux Host",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -30,5 +30,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 6
|
||||
"version": 7
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"v2_rare_process_by_host_windows_ecs"
|
||||
],
|
||||
"name": "Unusual Process For a Windows Host",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Windows Process\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Windows Process\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -30,5 +30,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 6
|
||||
"version": 7
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"v2_windows_anomalous_network_activity_ecs"
|
||||
],
|
||||
"name": "Unusual Windows Network Activity",
|
||||
"note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
|
||||
"note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -30,5 +30,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 6
|
||||
"version": 7
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"v2_windows_anomalous_process_all_hosts_ecs"
|
||||
],
|
||||
"name": "Anomalous Process For a Windows Population",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Windows Process\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Windows Process\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -30,5 +30,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 6
|
||||
"version": 7
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"v2_windows_anomalous_user_name_ecs"
|
||||
],
|
||||
"name": "Unusual Windows Username",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
|
||||
"note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
|
||||
"references": [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
|
||||
],
|
||||
|
|
@ -30,5 +30,5 @@
|
|||
"ML"
|
||||
],
|
||||
"type": "machine_learning",
|
||||
"version": 6
|
||||
"version": 7
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,58 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic",
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtul firewall and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in a AWS environment.",
|
||||
"false_positives": [
|
||||
"A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
"from": "now-30m",
|
||||
"index": [
|
||||
"filebeat-*",
|
||||
"logs-aws*"
|
||||
],
|
||||
"interval": "10m",
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "AWS Security Group Configuration Change Detection",
|
||||
"note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
|
||||
"query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or \nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or \nRevokeSecurityGroupIngress) and event.outcome:success\n",
|
||||
"references": [
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"
|
||||
],
|
||||
"risk_score": 21,
|
||||
"rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Cloud",
|
||||
"AWS",
|
||||
"Continuous Monitoring",
|
||||
"SecOps",
|
||||
"Network Security"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0003",
|
||||
"name": "Persistence",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0003/"
|
||||
},
|
||||
"technique": []
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0005",
|
||||
"name": "Defense Evasion",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0005/"
|
||||
},
|
||||
"technique": []
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -15,7 +15,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Google Workspace Admin Role Assigned to a User",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE\n",
|
||||
"references": [
|
||||
"https://support.google.com/a/answer/172176?hl=en"
|
||||
|
|
@ -50,5 +50,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 4
|
||||
"version": 5
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n",
|
||||
"references": [
|
||||
"https://developers.google.com/admin-sdk/directory/v1/guides/delegation"
|
||||
|
|
@ -50,5 +50,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 4
|
||||
"version": 5
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Google Workspace Custom Admin Role Created",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n",
|
||||
"references": [
|
||||
"https://support.google.com/a/answer/2406043?hl=en"
|
||||
|
|
@ -50,5 +50,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 4
|
||||
"version": 5
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Google Workspace Role Modified",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
|
||||
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n",
|
||||
"references": [
|
||||
"https://support.google.com/a/answer/2406043?hl=en"
|
||||
|
|
@ -50,5 +50,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 4
|
||||
"version": 5
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,9 +3,9 @@
|
|||
"Elastic",
|
||||
"Austin Songer"
|
||||
],
|
||||
"description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security Group.",
|
||||
"description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.",
|
||||
"false_positives": [
|
||||
"A RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
"An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
|
||||
],
|
||||
"from": "now-60m",
|
||||
"index": [
|
||||
|
|
@ -58,5 +58,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1546.004",
|
||||
"name": ".bash_profile and .bashrc",
|
||||
"name": "Unix Shell Configuration Modification",
|
||||
"reference": "https://attack.mitre.org/techniques/T1546/004/"
|
||||
}
|
||||
]
|
||||
|
|
@ -55,5 +55,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,75 @@
|
|||
{
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
|
||||
"false_positives": [
|
||||
"Security audits, maintenance and network administrative scripts may trigger this alert when run under web processes."
|
||||
],
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "eql",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Webshell Detection: Script Process Child of Common Web Processes",
|
||||
"note": "## Triage and analysis\n\nDetections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized.",
|
||||
"query": "process where event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and \n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\")\n",
|
||||
"references": [
|
||||
"https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/"
|
||||
],
|
||||
"risk_score": 73,
|
||||
"rule_id": "2917d495-59bd-4250-b395-c29409b76086",
|
||||
"severity": "high",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Persistence"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0003",
|
||||
"name": "Persistence",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0003/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1505",
|
||||
"name": "Server Software Component",
|
||||
"reference": "https://attack.mitre.org/techniques/T1505/",
|
||||
"subtechnique": [
|
||||
{
|
||||
"id": "T1505.003",
|
||||
"name": "Web Shell",
|
||||
"reference": "https://attack.mitre.org/techniques/T1505/003/"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"framework": "MITRE ATT&CK",
|
||||
"tactic": {
|
||||
"id": "TA0001",
|
||||
"name": "Initial Access",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0001/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1190",
|
||||
"name": "Exploit Public-Facing Application",
|
||||
"reference": "https://attack.mitre.org/techniques/T1190/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
}
|
||||
|
|
@ -44,7 +44,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.002",
|
||||
"name": "Bypass User Access Control",
|
||||
"name": "Bypass User Account Control",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/002/"
|
||||
}
|
||||
]
|
||||
|
|
@ -66,7 +66,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.002",
|
||||
"name": "Bypass User Access Control",
|
||||
"name": "Bypass User Account Control",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/002/"
|
||||
}
|
||||
]
|
||||
|
|
@ -76,5 +76,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -41,7 +41,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1574.006",
|
||||
"name": "LD_PRELOAD",
|
||||
"name": "Dynamic Linker Hijacking",
|
||||
"reference": "https://attack.mitre.org/techniques/T1574/006/"
|
||||
}
|
||||
]
|
||||
|
|
@ -51,5 +51,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.002",
|
||||
"name": "Bypass User Access Control",
|
||||
"name": "Bypass User Account Control",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/002/"
|
||||
}
|
||||
]
|
||||
|
|
@ -52,5 +52,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.002",
|
||||
"name": "Bypass User Access Control",
|
||||
"name": "Bypass User Account Control",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/002/"
|
||||
}
|
||||
]
|
||||
|
|
@ -52,5 +52,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.002",
|
||||
"name": "Bypass User Access Control",
|
||||
"name": "Bypass User Account Control",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/002/"
|
||||
}
|
||||
]
|
||||
|
|
@ -49,5 +49,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.002",
|
||||
"name": "Bypass User Access Control",
|
||||
"name": "Bypass User Account Control",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/002/"
|
||||
}
|
||||
]
|
||||
|
|
@ -49,5 +49,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
}
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.002",
|
||||
"name": "Bypass User Access Control",
|
||||
"name": "Bypass User Account Control",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/002/"
|
||||
}
|
||||
]
|
||||
|
|
@ -52,5 +52,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.002",
|
||||
"name": "Bypass User Access Control",
|
||||
"name": "Bypass User Account Control",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/002/"
|
||||
}
|
||||
]
|
||||
|
|
@ -49,5 +49,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 8
|
||||
"version": 9
|
||||
}
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.002",
|
||||
"name": "Bypass User Access Control",
|
||||
"name": "Bypass User Account Control",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/002/"
|
||||
}
|
||||
]
|
||||
|
|
@ -52,5 +52,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@
|
|||
"subtechnique": [
|
||||
{
|
||||
"id": "T1548.002",
|
||||
"name": "Bypass User Access Control",
|
||||
"name": "Bypass User Account Control",
|
||||
"reference": "https://attack.mitre.org/techniques/T1548/002/"
|
||||
}
|
||||
]
|
||||
|
|
@ -52,5 +52,5 @@
|
|||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue