[Detection Rules] Add 7.11 rules (#87422)

* [Detection Rules] Add 7.11 rules
* add empty array for missing technique
Justin Ibarra 2021-01-11 08:54:38 -09:00 committed by GitHub
parent 03ef089236
commit f12228e635
226 changed files with 2382 additions and 1023 deletions


@ -8,14 +8,15 @@
],
"from": "now-130m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-google_workspace*"
],
"interval": "10m",
"language": "kuery",
"license": "Elastic License",
"name": "Application Added to Google Workspace Domain",
"note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
"query": "event.dataset:gsuite.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
"query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
"references": [
"https://support.google.com/a/answer/6328701?hl=en#"
],
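Review bot: The `note` on this rule still tells the reader only that the Filebeat module must be enabled, while the hunk adds the `logs-google_workspace*` index and accepts the `google_workspace.admin` dataset, which, by analogy with the new Azure rules in this commit (their note reads `The Azure Fleet Integration or Filebeat module must be enabled to use this rule.`), presumably come from the Fleet integration. The `var.interval` polling advice in the same note is Filebeat-specific, so an analyst running the integration gets no guidance on event lag for the new source. Suggest rewording the note's opening to name both data sources, e.g. `The Google Workspace Fleet integration or Filebeat module must be enabled to use this rule.`, and qualifying the `var.interval` bullet as applying to the Filebeat module. The same note/index mismatch is present in the GCP Pub/Sub Subscription Creation, GCP Pub/Sub Topic Creation, Azure Event Hub Authorization Rule Created or Updated, Azure Key Vault Modified, Azure Storage Account Key Regenerated and Azure Diagnostic Settings Deletion sections.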


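--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,50 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.",
+"false_positives": [
+"Legitimate exchange system administration activity."
+],
+"index": [
+"logs-endpoint.events.*",
+"winlogbeat-*"
+],
+"language": "eql",
+"license": "Elastic License",
+"name": "Exporting Exchange Mailbox via PowerShell",
+"query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"New-MailboxExportRequest*\"\n",
+"references": [
+"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"
+],
+"risk_score": 47,
+"rule_id": "6aace640-e631-4870-ba8e-5fdda09325db",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Collection"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0009",
+"name": "Collection",
+"reference": "https://attack.mitre.org/tactics/TA0009/"
+},
+"technique": [
+{
+"id": "T1114",
+"name": "Email Collection",
+"reference": "https://attack.mitre.org/techniques/T1114/"
+}
+]
+}
+],
+"type": "eql",
+"version": 1
+}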
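Review bot: This new rule sets no `from` lookback, unlike the SUNBURST rule added in the same commit (`"from": "now-9m"`), so the query window falls back to whatever the engine defaults to and endpoint or Winlogbeat events that arrive late presumably land outside it; add `"from": "now-9m",` before `"index"` unless a default is applied elsewhere. There is also no `note` with investigation guidance, although the `false_positives` entry says administrative use is expected; a short note telling the analyst to confirm the export request against a change record and to check which mailbox and destination path were specified would help triage. Both points apply equally to the New ActiveSyncAllowedDeviceID Added via PowerShell rule added further down.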


@ -7,13 +7,14 @@
"Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Pub/Sub Subscription Creation",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
"references": [
"https://cloud.google.com/pubsub/docs/overview"
],
@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}


@ -7,13 +7,14 @@
"Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Pub/Sub Topic Creation",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
"references": [
"https://cloud.google.com/pubsub/docs/admin"
],
@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}


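--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,50 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.",
+"false_positives": [
+"Legitimate exchange system administration activity."
+],
+"index": [
+"logs-endpoint.events.*",
+"winlogbeat-*"
+],
+"language": "eql",
+"license": "Elastic License",
+"name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
+"query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n",
+"references": [
+"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+"https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"
+],
+"risk_score": 47,
+"rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Collection"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0009",
+"name": "Collection",
+"reference": "https://attack.mitre.org/tactics/TA0009/"
+},
+"technique": [
+{
+"id": "T1114",
+"name": "Email Collection",
+"reference": "https://attack.mitre.org/techniques/T1114/"
+}
+]
+}
+],
+"type": "eql",
+"version": 1
+}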


@ -8,13 +8,14 @@
],
"from": "now-25m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-azure*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Azure Event Hub Authorization Rule Created or Updated",
"note": "The Azure Filebeat module must be enabled to use this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:Success",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:(Success or success)",
"references": [
"https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
],
@ -62,5 +63,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}


@ -28,9 +28,9 @@
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0010",
"name": "Exfiltration",
"reference": "https://attack.mitre.org/tactics/TA0010/"
"id": "TA0009",
"name": "Collection",
"reference": "https://attack.mitre.org/tactics/TA0009/"
},
"technique": [
{


@ -42,13 +42,20 @@
"reference": "https://attack.mitre.org/techniques/T1071/"
},
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1483/"
"id": "T1568",
"name": "Dynamic Resolution",
"reference": "https://attack.mitre.org/techniques/T1568/",
"subtechnique": [
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1568/002/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}


@ -35,13 +35,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
}
],
"type": "query",
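Review bot: The `technique` array is emptied here without a `version` bump, while the same edit in other files of this commit is accompanied by one (for example the sections that go from `"version": 4` to `"version": 5`); the trailing context of this hunk ends at `"type": "query"` and no second hunk follows, so the version line appears untouched. If this rule has already shipped, the unchanged version presumably means the updated ATT&CK mapping is not recognised as a rule update; if it is new in this release, the omission is fine, but the split should be deliberate rather than accidental. The same unchanged-version pattern appears in the other `"technique": []` sections whose hunks end without a version change. The enclosing rule object starts and ends outside this hunk.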


@ -35,19 +35,26 @@
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1483/"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"reference": "https://attack.mitre.org/techniques/T1071/"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"reference": "https://attack.mitre.org/techniques/T1568/",
"subtechnique": [
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1568/002/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}


@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",


@ -42,13 +42,20 @@
"reference": "https://attack.mitre.org/techniques/T1071/"
},
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1483/"
"id": "T1568",
"name": "Dynamic Resolution",
"reference": "https://attack.mitre.org/techniques/T1568/",
"subtechnique": [
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"reference": "https://attack.mitre.org/techniques/T1568/002/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}


@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",


@ -33,15 +33,9 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
}
],
"type": "query",
"version": 4
"version": 5
}


@ -37,13 +37,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",
@ -62,5 +56,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}


@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
}
],
"type": "query",


@ -33,15 +33,9 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
}
],
"type": "query",
"version": 4
"version": 5
}


@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
}
],
"type": "query",


@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",


@ -47,9 +47,16 @@
},
"technique": [
{
"id": "T1086",
"name": "PowerShell",
"reference": "https://attack.mitre.org/techniques/T1086/"
"id": "T1059",
"name": "Command and Scripting Interpreter",
"reference": "https://attack.mitre.org/techniques/T1059/",
"subtechnique": [
{
"id": "T1059.001",
"name": "PowerShell",
"reference": "https://attack.mitre.org/techniques/T1059/001/"
}
]
}
]
}


@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",


@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
}
],
"type": "query",


@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",


@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
}
],
"type": "query",


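--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,76 @@
+{
+"author": [
+"Elastic"
+],
+"description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.",
+"from": "now-9m",
+"index": [
+"logs-endpoint.events.*"
+],
+"language": "kuery",
+"license": "Elastic License",
+"name": "SUNBURST Command and Control Activity",
+"note": "The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.",
+"query": "event.category:network and event.type:protocol and network.protocol:http and process.name:( ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(( (*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)",
+"references": [
+"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+],
+"risk_score": 73,
+"rule_id": "22599847-5d13-48cb-8872-5796fee8692b",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"Windows",
+"Threat Detection",
+"Command and Control"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0011",
+"name": "Command and Control",
+"reference": "https://attack.mitre.org/tactics/TA0011/"
+},
+"technique": [
+{
+"id": "T1071",
+"name": "Application Layer Protocol",
+"reference": "https://attack.mitre.org/techniques/T1071/",
+"subtechnique": [
+{
+"id": "T1071.001",
+"name": "Web Protocols",
+"reference": "https://attack.mitre.org/techniques/T1071/001/"
+}
+]
+}
+]
+},
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0001",
+"name": "Initial Access",
+"reference": "https://attack.mitre.org/tactics/TA0001/"
+},
+"technique": [
+{
+"id": "T1195",
+"name": "Supply Chain Compromise",
+"reference": "https://attack.mitre.org/techniques/T1195/",
+"subtechnique": [
+{
+"id": "T1195.002",
+"name": "Compromise Software Supply Chain",
+"reference": "https://attack.mitre.org/techniques/T1195/002/"
+}
+]
+}
+]
+}
+],
+"type": "query",
+"version": 1
+}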
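Review bot: The trailing `and not *solarwinds.com*` exclusion in `query` is evaluated against `http.request.body.content`, the same field the positive match uses, so legitimate Orion Improvement Program traffic is allow-listed by a substring of the request body rather than by the server the request is sent to. Tying the exclusion to a destination field that the endpoint network events populate (`url.domain` or `destination.domain`, whichever is present in this data) keeps the allow-list anchored to something the defender controls. The three `*/swip/...*` patterns are leading-wildcard matches on the body field; depending on how that field is mapped this can be costly on high-volume endpoint data and is worth checking against the index mapping before release. The `note` might also state that the rule only fires when `logs-endpoint.events.*` carries HTTP request body content, since an analyst seeing no hits cannot otherwise tell whether that is coverage or absence.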


@ -33,13 +33,7 @@
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",
@ -73,5 +67,5 @@
}
],
"type": "query",
"version": 4
"version": 5
}


@ -34,11 +34,6 @@
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
},
{
"id": "T1090",
"name": "Proxy",


@ -35,13 +35,20 @@
},
"technique": [
{
"id": "T1142",
"name": "Keychain",
"reference": "https://attack.mitre.org/techniques/T1142/"
"id": "T1555",
"name": "Credentials from Password Stores",
"reference": "https://attack.mitre.org/techniques/T1555/",
"subtechnique": [
{
"id": "T1555.001",
"name": "Keychain",
"reference": "https://attack.mitre.org/techniques/T1555/001/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}


@ -37,13 +37,20 @@
},
"technique": [
{
"id": "T1145",
"name": "Private Keys",
"reference": "https://attack.mitre.org/techniques/T1145/"
"id": "T1552",
"name": "Unsecured Credentials",
"reference": "https://attack.mitre.org/techniques/T1552/",
"subtechnique": [
{
"id": "T1552.004",
"name": "Private Keys",
"reference": "https://attack.mitre.org/techniques/T1552/004/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}


@ -39,13 +39,7 @@
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1098",
"name": "Account Manipulation",
"reference": "https://attack.mitre.org/techniques/T1098/"
}
]
"technique": []
},
{
"framework": "MITRE ATT&CK",
@ -64,5 +58,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}


@ -8,13 +8,14 @@
],
"from": "now-25m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-azure*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Azure Key Vault Modified",
"note": "The Azure Filebeat module must be enabled to use this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:Success",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:(Success or success)",
"references": [
"https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
@ -40,13 +41,20 @@
},
"technique": [
{
"id": "T1081",
"name": "Credentials in Files",
"reference": "https://attack.mitre.org/techniques/T1081/"
"id": "T1552",
"name": "Unsecured Credentials",
"reference": "https://attack.mitre.org/techniques/T1552/",
"subtechnique": [
{
"id": "T1552.001",
"name": "Credentials In Files",
"reference": "https://attack.mitre.org/techniques/T1552/001/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}


@ -8,7 +8,8 @@
],
"from": "now-30m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-o365*"
],
"language": "kuery",
"license": "Elastic License",


@ -8,7 +8,8 @@
],
"from": "now-30m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-o365*"
],
"language": "kuery",
"license": "Elastic License",


@ -8,13 +8,14 @@
],
"from": "now-25m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-azure*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Azure Storage Account Key Regenerated",
"note": "The Azure Filebeat module must be enabled to use this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:Success",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:(Success or success)",
"references": [
"https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"
],
@ -47,5 +48,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}


@ -32,9 +32,16 @@
},
"technique": [
{
"id": "T1158",
"name": "Hidden Files and Directories",
"reference": "https://attack.mitre.org/techniques/T1158/"
"id": "T1564",
"name": "Hide Artifacts",
"reference": "https://attack.mitre.org/techniques/T1564/",
"subtechnique": [
{
"id": "T1564.001",
"name": "Hidden Files and Directories",
"reference": "https://attack.mitre.org/techniques/T1564/001/"
}
]
}
]
},
@ -45,15 +52,9 @@
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1158",
"name": "Hidden Files and Directories",
"reference": "https://attack.mitre.org/techniques/T1158/"
}
]
"technique": []
}
],
"type": "query",
"version": 5
"version": 6
}


@ -35,9 +35,16 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 4
"version": 5
}


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 4
"version": 5
}


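--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,59 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.",
+"false_positives": [
+"Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+],
+"from": "now-25m",
+"index": [
+"filebeat-*",
+"logs-azure*"
+],
+"language": "kuery",
+"license": "Elastic License",
+"name": "Azure Application Credential Modification",
+"note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.",
+"query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)",
+"references": [
+"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+],
+"risk_score": 47,
+"rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Cloud",
+"Azure",
+"Continuous Monitoring",
+"SecOps",
+"Identity and Access"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1550",
+"name": "Use Alternate Authentication Material",
+"reference": "https://attack.mitre.org/techniques/T1550/",
+"subtechnique": [
+{
+"id": "T1550.001",
+"name": "Application Access Token",
+"reference": "https://attack.mitre.org/techniques/T1550/001/"
+}
+]
+}
+]
+}
+],
+"type": "query",
+"version": 1
+}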
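Review bot: The `description` says an adversary may add a credential to "evade defenses or persist in an environment", but `threat` maps only the Defense Evasion tactic (TA0005 with T1550.001), so the persistence half of the stated behaviour has no corresponding ATT&CK entry. Adding a second `threat` element for TA0003 Persistence with T1098 Account Manipulation (and sub-technique T1098.001 Additional Cloud Credentials, if the repository's ATT&CK version carries it) would make the mapping match the description; both TA0003 and T1098 are already used by other rules in this commit. The element below follows the two-tactic `threat` array shape used by the SUNBURST rule and would be appended after the existing Defense Evasion entry.
```json
{
  "framework": "MITRE ATT&CK",
  "tactic": {
    "id": "TA0003",
    "name": "Persistence",
    "reference": "https://attack.mitre.org/tactics/TA0003/"
  },
  "technique": [
    {
      "id": "T1098",
      "name": "Account Manipulation",
      "reference": "https://attack.mitre.org/techniques/T1098/"
    }
  ]
}
```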


@ -8,13 +8,14 @@
],
"from": "now-25m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-azure*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Azure Diagnostic Settings Deletion",
"note": "The Azure Filebeat module must be enabled to use this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and event.outcome:Success",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and event.outcome:(Success or success)",
"references": [
"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
],
@ -39,13 +40,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}


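--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,60 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.",
+"false_positives": [
+"A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+],
+"from": "now-25m",
+"index": [
+"filebeat-*",
+"logs-azure*"
+],
+"language": "kuery",
+"license": "Elastic License",
+"name": "Azure Service Principal Addition",
+"note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.",
+"query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)",
+"references": [
+"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+"https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"
+],
+"risk_score": 47,
+"rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50",
+"severity": "medium",
+"tags": [
+"Elastic",
+"Cloud",
+"Azure",
+"Continuous Monitoring",
+"SecOps",
+"Identity and Access"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0005",
+"name": "Defense Evasion",
+"reference": "https://attack.mitre.org/tactics/TA0005/"
+},
+"technique": [
+{
+"id": "T1550",
+"name": "Use Alternate Authentication Material",
+"reference": "https://attack.mitre.org/techniques/T1550/",
+"subtechnique": [
+{
+"id": "T1550.001",
+"name": "Application Access Token",
+"reference": "https://attack.mitre.org/techniques/T1550/001/"
+}
+]
+}
+]
+}
+],
+"type": "query",
+"version": 1
+}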


@ -42,13 +42,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 2
"version": 3
}


@ -42,13 +42,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 2
"version": 3
}


@ -42,13 +42,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 2
"version": 3
}


@ -42,13 +42,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 2
"version": 3
}


@ -42,13 +42,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 2
"version": 3
}


@ -30,13 +30,20 @@
},
"technique": [
{
"id": "T1116",
"name": "Code Signing",
"reference": "https://attack.mitre.org/techniques/T1116/"
"id": "T1553",
"name": "Subvert Trust Controls",
"reference": "https://attack.mitre.org/techniques/T1553/",
"subtechnique": [
{
"id": "T1553.002",
"name": "Code Signing",
"reference": "https://attack.mitre.org/techniques/T1553/002/"
}
]
}
]
}
],
"type": "query",
"version": 3
"version": 4
}


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1107",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1107/"
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/",
"subtechnique": [
{
"id": "T1070.004",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1070/004/"
}
]
}
]
}
],
"type": "query",
"version": 5
"version": 6
}


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1107",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1107/"
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/",
"subtechnique": [
{
"id": "T1070.004",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1070/004/"
}
]
}
]
}
],
"type": "query",
"version": 5
"version": 6
}


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1146",
"name": "Clear Command History",
"reference": "https://attack.mitre.org/techniques/T1146/"
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/",
"subtechnique": [
{
"id": "T1070.003",
"name": "Clear Command History",
"reference": "https://attack.mitre.org/techniques/T1070/003/"
}
]
}
]
}
],
"type": "query",
"version": 3
"version": 4
}


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 4
"version": 5
}


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 5
"version": 6
}


@ -42,13 +42,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 2
"version": 3
}


@ -44,13 +44,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 2
"version": 3
}


@ -32,9 +32,16 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}


@ -8,13 +8,14 @@
],
"from": "now-25m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-azure*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Azure Event Hub Deletion",
"note": "The Azure Filebeat module must be enabled to use this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and event.outcome:Success",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and event.outcome:(Success or success)",
"references": [
"https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
"https://azure.microsoft.com/en-in/services/event-hubs/",
@ -41,13 +42,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}
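Review bot: The `note` field still says only the Azure Filebeat module must be enabled, but `index` now also queries `logs-azure*`, so the prerequisite is incomplete for whichever source populates that pattern (presumably the Elastic Agent Azure integration); suggest `"note": "The Azure Filebeat module or the Elastic Agent Azure integration must be enabled to use this rule."`. The `event.outcome:(Success or success)` disjunction is the right way to absorb a casing difference between sources in KQL, but a sentence in `note` naming which source emits which casing would stop a future cleanup from collapsing it back to a single value. The `threat` mapping to T1562.001 in the second hunk looks correct.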


@ -51,15 +51,9 @@
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1127",
"name": "Trusted Developer Utilities Proxy Execution",
"reference": "https://attack.mitre.org/techniques/T1127/"
}
]
"technique": []
}
],
"type": "query",
"version": 4
"version": 5
}
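Review bot: Replacing T1127 with `"technique": []` leaves this Execution entry mapped to a tactic and no technique, so the rule drops out of any technique-based coverage view, yet T1127 (Trusted Developer Utilities Proxy Execution) was not retired — if I recall the ATT&CK v8 re-scoping correctly it is now listed under Defense Evasion only, which is presumably why it was removed here. Rather than an empty array, re-home the entry: `"id": "TA0005"`, `"name": "Defense Evasion"`, `"reference": "https://attack.mitre.org/tactics/TA0005/"` and keep the T1127 technique object (adding the T1127.001 MSBuild sub-technique if this rule is MSBuild-specific, which the hunk does not show). If the rule already has a Defense Evasion entry above this hunk, delete this object instead. The tactic object begins above the hunk.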


@ -48,15 +48,9 @@
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1127",
"name": "Trusted Developer Utilities Proxy Execution",
"reference": "https://attack.mitre.org/techniques/T1127/"
}
]
"technique": []
}
],
"type": "query",
"version": 4
"version": 5
}
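Review bot: This Execution entry is left with `"technique": []`, which maps the rule to a tactic with no technique; T1127 still exists in ATT&CK (under Defense Evasion in the current matrix, as far as I recall), so the better fix is to move the entry to TA0005 and keep the T1127 object, or drop the whole object if a Defense Evasion entry already exists above this hunk. A tactic-only mapping is easy to miss in coverage reports and gives an analyst nothing to pivot on. The tactic object starts above the hunk.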


@ -48,15 +48,9 @@
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1127",
"name": "Trusted Developer Utilities Proxy Execution",
"reference": "https://attack.mitre.org/techniques/T1127/"
}
]
"technique": []
}
],
"type": "query",
"version": 4
"version": 5
}
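Review bot: Same concern as the other T1127 removals in this commit: `"technique": []` under Execution records a tactic with nothing beneath it, while T1127 is still a live technique (re-scoped to Defense Evasion in current ATT&CK, hedged from memory). Prefer changing this entry to `"id": "TA0005"`, `"name": "Defense Evasion"`, `"reference": "https://attack.mitre.org/tactics/TA0005/"` with the T1127 object restored, or remove the empty object if the rule already carries a Defense Evasion mapping above this hunk.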


@ -38,13 +38,20 @@
},
"technique": [
{
"id": "T1500",
"name": "Compile After Delivery",
"reference": "https://attack.mitre.org/techniques/T1500/"
"id": "T1027",
"name": "Obfuscated Files or Information",
"reference": "https://attack.mitre.org/techniques/T1027/",
"subtechnique": [
{
"id": "T1027.004",
"name": "Compile After Delivery",
"reference": "https://attack.mitre.org/techniques/T1027/004/"
}
]
}
]
}
],
"type": "query",
"version": 4
"version": 5
}


@ -47,15 +47,9 @@
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1127",
"name": "Trusted Developer Utilities Proxy Execution",
"reference": "https://attack.mitre.org/techniques/T1127/"
}
]
"technique": []
}
],
"type": "query",
"version": 4
"version": 5
}
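Review bot: Emptying the technique list here leaves the Execution tactic unmapped rather than re-mapped; since T1127 was moved to Defense Evasion rather than revoked (as far as I recall the v8 change), the entry should either be re-homed under TA0005 with the T1127 object kept, or deleted outright if a Defense Evasion entry already exists above the hunk. An empty `technique` array is syntactically valid but carries no detection-coverage information.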


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1107",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1107/"
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/",
"subtechnique": [
{
"id": "T1070.004",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1070/004/"
}
]
}
]
}
],
"type": "query",
"version": 4
"version": 5
}


@ -8,13 +8,14 @@
],
"from": "now-25m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-azure*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Azure Firewall Policy Deletion",
"note": "The Azure Filebeat module must be enabled to use this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:Success",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:(Success or success)",
"references": [
"https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
],
@ -39,13 +40,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}
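Review bot: With `logs-azure*` added to `index`, the `note` sentence "The Azure Filebeat module must be enabled to use this rule." is no longer the only prerequisite; suggest `"note": "The Azure Filebeat module or the Elastic Agent Azure integration must be enabled to use this rule."` (assuming `logs-azure*` is the Agent integration data stream). The `event.outcome:(Success or success)` workaround is correct for KQL keyword matching but deserves a one-line explanation in `note` so it is not "simplified" later.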


@ -7,13 +7,14 @@
"Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Firewall Rule Creation",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.insert",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert",
"references": [
"https://cloud.google.com/vpc/docs/firewalls"
],
@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
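Review bot: Unlike the logging, Pub/Sub and storage GCP rules in this commit, the firewall-rule query has no `event.outcome` clause, so a denied `compute.firewalls.insert` attempt from a principal without permission raises the same alert as an effected change; if only successful changes are meant to fire, append `and event.outcome:success`, and if attempts are deliberately in scope, say so in `note` so the asymmetry is not mistaken for an omission. The `note` is also stale now that `index` includes `logs-gcp*` and `event.dataset` accepts `gcp.audit`: something like `"note": "The GCP Filebeat module or the Elastic Agent GCP integration must be enabled to use this rule."` (assuming `gcp.audit` is the integration's dataset) would match the query.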


@ -7,13 +7,14 @@
"Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Firewall Rule Deletion",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.delete",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete",
"references": [
"https://cloud.google.com/vpc/docs/firewalls"
],
@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
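Review bot: The deletion query lacks the `event.outcome:success` filter that the other GCP rules in this commit apply, so a rejected `compute.firewalls.delete` alerts identically to a completed deletion; either append `and event.outcome:success` or document in `note` that failed attempts are intentionally included (a defensible choice for a destructive operation, but it should be explicit). The `note` should also mention the Elastic Agent GCP integration now that `logs-gcp*` is queried, rather than only the Filebeat module.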


@ -7,13 +7,14 @@
"Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Firewall Rule Modification",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.patch",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch",
"references": [
"https://cloud.google.com/vpc/docs/firewalls"
],
@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
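Review bot: As with the other firewall rules, `event.action:v*.compute.firewalls.patch` is matched without an `event.outcome` clause, so permission-denied patches and successful ones produce the same alert; add `and event.outcome:success` if only effected modifications should fire, or state the broader intent in `note`. The `note` text naming only the GCP Filebeat module is incomplete once `logs-gcp*` and the `gcp.audit` dataset are accepted.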


@ -7,13 +7,14 @@
"Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Logging Bucket Deletion",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success",
"references": [
"https://cloud.google.com/logging/docs/buckets",
"https://cloud.google.com/logging/docs/storage"
@ -47,5 +48,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
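Review bot: `note` says the GCP Filebeat module must be enabled, but `index` now also covers `logs-gcp*` and `event.dataset` accepts `gcp.audit`, so the prerequisite should name both sources: `"note": "The GCP Filebeat module or the Elastic Agent GCP integration must be enabled to use this rule."` (assuming `gcp.audit` is the integration's dataset name). The `(googlecloud.audit or gcp.audit)` disjunction is the right way to keep the rule working across the dataset rename.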


@ -7,13 +7,14 @@
"Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Logging Sink Deletion",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success",
"references": [
"https://cloud.google.com/logging/docs/export"
],
@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}


@ -7,13 +7,14 @@
"Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Pub/Sub Subscription Deletion",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success",
"references": [
"https://cloud.google.com/pubsub/docs/overview"
],
@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}


@ -7,13 +7,14 @@
"Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Pub/Sub Topic Deletion",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
"references": [
"https://cloud.google.com/pubsub/docs/overview"
],
@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}


@ -7,13 +7,14 @@
"Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Storage Bucket Configuration Modification",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:storage.buckets.update and event.outcome:success",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.update and event.outcome:success",
"references": [
"https://cloud.google.com/storage/docs/key-terms#buckets"
],
@ -29,5 +30,5 @@
"Identity and Access"
],
"type": "query",
"version": 1
"version": 2
}


@ -7,13 +7,14 @@
"Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"index": [
"filebeat-*"
"filebeat-*",
"logs-gcp*"
],
"language": "kuery",
"license": "Elastic License",
"name": "GCP Storage Bucket Permissions Modification",
"note": "The GCP Filebeat module must be enabled to use this rule.",
"query": "event.dataset:googlecloud.audit and event.action:storage.setIamPermissions and event.outcome:success",
"query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.setIamPermissions and event.outcome:success",
"references": [
"https://cloud.google.com/storage/docs/access-control/iam-permissions"
],
@ -46,5 +47,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
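Review bot: The `note` still names only the GCP Filebeat module even though the rule now reads `logs-gcp*` and matches the `gcp.audit` dataset; update it to cover both sources, e.g. `"note": "The GCP Filebeat module or the Elastic Agent GCP integration must be enabled to use this rule."`. Worth noting in `note` as well that `storage.setIamPermissions` fires on any IAM change, including tightening, so analysts should inspect the new binding rather than assume an exposure.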


@ -42,13 +42,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 2
"version": 3
}


@ -36,9 +36,16 @@
},
"technique": [
{
"id": "T1158",
"name": "Hidden Files and Directories",
"reference": "https://attack.mitre.org/techniques/T1158/"
"id": "T1564",
"name": "Hide Artifacts",
"reference": "https://attack.mitre.org/techniques/T1564/",
"subtechnique": [
{
"id": "T1564.001",
"name": "Hidden Files and Directories",
"reference": "https://attack.mitre.org/techniques/T1564/001/"
}
]
}
]
},
@ -49,15 +56,9 @@
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1158",
"name": "Hidden Files and Directories",
"reference": "https://attack.mitre.org/techniques/T1158/"
}
]
"technique": []
}
],
"type": "query",
"version": 3
"version": 4
}
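Review bot: The Persistence entry now ends as `"technique": []` because T1158 was folded into T1564.001, which the preceding hunk maps and which (as far as I recall) is a Defense Evasion-only sub-technique; a tactic object with no technique adds nothing to coverage, so consider removing the empty Persistence object from `threat` rather than keeping a placeholder. If the intent is to preserve a Persistence mapping, it needs a technique that actually belongs to TA0003. The enclosing `threat` array begins above these hunks.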


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1118",
"name": "InstallUtil",
"reference": "https://attack.mitre.org/techniques/T1118/"
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"reference": "https://attack.mitre.org/techniques/T1218/",
"subtechnique": [
{
"id": "T1218.004",
"name": "InstallUtil",
"reference": "https://attack.mitre.org/techniques/T1218/004/"
}
]
}
]
}
],
"type": "eql",
"version": 1
"version": 2
}


@ -38,9 +38,16 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
},
@ -53,13 +60,20 @@
},
"technique": [
{
"id": "T1215",
"name": "Kernel Modules and Extensions",
"reference": "https://attack.mitre.org/techniques/T1215/"
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"reference": "https://attack.mitre.org/techniques/T1547/",
"subtechnique": [
{
"id": "T1547.006",
"name": "Kernel Modules and Extensions",
"reference": "https://attack.mitre.org/techniques/T1547/006/"
}
]
}
]
}
],
"type": "query",
"version": 4
"version": 5
}


@ -8,7 +8,8 @@
],
"from": "now-30m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-o365*"
],
"language": "kuery",
"license": "Elastic License",


@ -8,7 +8,8 @@
],
"from": "now-30m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-o365*"
],
"language": "kuery",
"license": "Elastic License",


@ -8,7 +8,8 @@
],
"from": "now-30m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-o365*"
],
"language": "kuery",
"license": "Elastic License",


@ -8,7 +8,8 @@
],
"from": "now-30m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-o365*"
],
"language": "kuery",
"license": "Elastic License",


@ -45,15 +45,9 @@
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"reference": "https://attack.mitre.org/techniques/T1218/"
}
]
"technique": []
}
],
"type": "eql",
"version": 5
"version": 6
}
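Review bot: Clearing the technique to `[]` leaves this Execution entry with no technique, while T1218 itself is still an active ATT&CK technique — in the current matrix it sits under Defense Evasion only, which is presumably why it was removed from Execution. Rather than an empty array, move the entry: `"id": "TA0005"`, `"name": "Defense Evasion"`, `"reference": "https://attack.mitre.org/tactics/TA0005/"` and restore the T1218 object (with the relevant sub-technique if the EQL targets a specific signed binary, which this hunk does not show). If a Defense Evasion entry already exists above the hunk, delete this object instead.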


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1107",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1107/"
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/",
"subtechnique": [
{
"id": "T1070.004",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1070/004/"
}
]
}
]
}
],
"type": "query",
"version": 4
"version": 5
}


@ -26,9 +26,9 @@
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
@ -40,5 +40,5 @@
}
],
"type": "eql",
"version": 5
"version": 6
}


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1170",
"name": "Mshta",
"reference": "https://attack.mitre.org/techniques/T1170/"
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"reference": "https://attack.mitre.org/techniques/T1218/",
"subtechnique": [
{
"id": "T1218.005",
"name": "Mshta",
"reference": "https://attack.mitre.org/techniques/T1218/005/"
}
]
}
]
}
],
"type": "eql",
"version": 1
"version": 2
}


@ -26,9 +26,9 @@
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
@ -40,5 +40,5 @@
}
],
"type": "eql",
"version": 4
"version": 5
}


@ -8,13 +8,14 @@
],
"from": "now-25m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-azure*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Azure Network Watcher Deletion",
"note": "The Azure Filebeat module must be enabled to use this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:Success",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:(Success or success)",
"references": [
"https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
],
@ -39,13 +40,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 1
"version": 2
}
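Review bot: The `note` prerequisite ("The Azure Filebeat module must be enabled") is now incomplete because `index` also targets `logs-azure*`; suggest `"note": "The Azure Filebeat module or the Elastic Agent Azure integration must be enabled to use this rule."` (hedged: assuming that pattern is the Agent integration data stream). The `(Success or success)` outcome match is the correct KQL workaround for case-sensitive keyword values, and a short explanation in `note` would keep it from being collapsed later.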


@ -35,9 +35,16 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}


@ -32,9 +32,16 @@
},
"technique": [
{
"id": "T1085",
"name": "Rundll32",
"reference": "https://attack.mitre.org/techniques/T1085/"
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"reference": "https://attack.mitre.org/techniques/T1218/",
"subtechnique": [
{
"id": "T1218.011",
"name": "Rundll32",
"reference": "https://attack.mitre.org/techniques/T1218/011/"
}
]
}
]
}


@ -35,9 +35,16 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}


@ -33,9 +33,16 @@
},
"technique": [
{
"id": "T1107",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1107/"
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/",
"subtechnique": [
{
"id": "T1070.004",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1070/004/"
}
]
}
]
}


@ -0,0 +1,76 @@
{
"author": [
"Elastic"
],
"description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License",
"name": "SolarWinds Process Disabling Services via Registry",
"query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and registry.data.strings == \"4\" and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\", \n \"ConfigurationWizard*.exe\", \n \"NetflowDatabaseMaintenance*.exe\", \n \"NetFlowService*.exe\", \n \"SolarWinds.Administration*.exe\", \n \"SolarWinds.Collector.Service*.exe\" , \n \"SolarwindsDiagnostics*.exe\")\n",
"references": [
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
],
"risk_score": 47,
"rule_id": "b9960fef-82c6-4816-befa-44745030e917",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0001",
"name": "Initial Access",
"reference": "https://attack.mitre.org/tactics/TA0001/"
},
"technique": [
{
"id": "T1195",
"name": "Supply Chain Compromise",
"reference": "https://attack.mitre.org/techniques/T1195/",
"subtechnique": [
{
"id": "T1195.002",
"name": "Compromise Software Supply Chain",
"reference": "https://attack.mitre.org/techniques/T1195/002/"
}
]
}
]
}
],
"type": "eql",
"version": 1
}
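Review bot: The rule keys on `process.name` alone, which any executable can claim, so an unrelated binary renamed to `SolarWinds.BusinessLayerHost.exe` would trigger the supply-chain mapping while nothing ties the match to the real product install; consider also constraining `process.executable : "?:\\Program Files*\\SolarWinds\\*"` or `process.code_signature.subject_name` (hedged: the FireEye reference describes the trojanized DLL as validly signed, so a signature check narrows name-spoofing rather than the malicious case itself). `registry.data.strings == "4"` also assumes the endpoint reports the `Start` DWORD as a string; if the data source populates a numeric or bytes field instead, the clause never matches, so this is worth confirming against a sample event before release. A `note` sentence listing the security-service subkeys most worth checking (the description mentions "relevant security services" without naming any) would help triage. The `*ControlSet*` wildcard correctly covers `CurrentControlSet` and the numbered control sets.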


@ -32,9 +32,16 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}


@ -30,15 +30,9 @@
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1064",
"name": "Scripting",
"reference": "https://attack.mitre.org/techniques/T1064/"
}
]
"technique": []
}
],
"type": "eql",
"version": 1
"version": 2
}
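Review bot: T1064 (Scripting) was revoked and folded into T1059 (Command and Scripting Interpreter), which is an Execution technique, so replacing it with `"technique": []` leaves this Defense Evasion entry with nothing to map to. If the detection is about script execution, re-map it as an Execution entry with T1059 (plus the matching sub-technique, e.g. T1059.001 for PowerShell, if that is what the query targets — not visible here); if it is about obfuscated scripts, T1027 under Defense Evasion fits. Either is better than a tactic with an empty technique list. The tactic object begins above the hunk.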


@ -34,9 +34,16 @@
},
"technique": [
{
"id": "T1099",
"name": "Timestomp",
"reference": "https://attack.mitre.org/techniques/T1099/"
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/",
"subtechnique": [
{
"id": "T1070.006",
"name": "Timestomp",
"reference": "https://attack.mitre.org/techniques/T1070/006/"
}
]
}
]
}


@ -13,7 +13,6 @@
"name": "Unusual Network Connection via RunDLL32",
"query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where process.name : \"rundll32.exe\" and network.protocol != \"dns\" and network.direction == \"outgoing\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n",
"risk_score": 47,
"rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
"severity": "medium",
"tags": [
@ -27,15 +26,22 @@
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1085",
"name": "Rundll32",
"reference": "https://attack.mitre.org/techniques/T1085/"
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"reference": "https://attack.mitre.org/techniques/T1218/",
"subtechnique": [
{
"id": "T1218.011",
"name": "Rundll32",
"reference": "https://attack.mitre.org/techniques/T1218/011/"
}
]
}
]
}
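Review bot: The destination exclusion `not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")` covers only IPv4 RFC 1918 and loopback, so link-local (`169.254.0.0/16`) and any internal IPv6 traffic (`::1`, `fe80::/10`, `fc00::/7`) from a bare `rundll32.exe` still alerts as if it were external; consider adding those ranges to the list. `network.direction == "outgoing"` is also worth a check against the endpoint data actually in use, since ECS 1.7 standardised on `egress` and a source emitting that value would never match. The first hunk removes one line between `query` and `tags` that the rendered view does not show, so I could not verify what was dropped. The re-mapping to T1218.011 under Defense Evasion in the second hunk looks right.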


@ -26,9 +26,9 @@
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
@ -40,5 +40,5 @@
}
],
"type": "eql",
"version": 5
"version": 6
}


@ -32,13 +32,20 @@
},
"technique": [
{
"id": "T1107",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1107/"
"id": "T1070",
"name": "Indicator Removal on Host",
"reference": "https://attack.mitre.org/techniques/T1070/",
"subtechnique": [
{
"id": "T1070.004",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1070/004/"
}
]
}
]
}
],
"type": "query",
"version": 5
"version": 6
}


@ -42,13 +42,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 2
"version": 3
}


@ -42,13 +42,20 @@
},
"technique": [
{
"id": "T1089",
"name": "Disabling Security Tools",
"reference": "https://attack.mitre.org/techniques/T1089/"
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"type": "query",
"version": 2
"version": 3
}


@ -8,13 +8,14 @@
],
"from": "now-25m",
"index": [
"filebeat-*"
"filebeat-*",
"logs-azure*"
],
"language": "kuery",
"license": "Elastic License",
"name": "Azure Blob Container Access Level Modification",
"note": "The Azure Filebeat module must be enabled to use this rule.",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:Success",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:(Success or success)",
"references": [
"https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"
],
@ -62,5 +63,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
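Review bot: The rule is named "Access Level Modification" but the query matches every `MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE` operation, which covers container creation and any property update, not only public-access changes, so routine container provisioning produces alerts; if the activity log exposes the requested access level in a field the rule can test, filter on it, otherwise say in `note` that the rule over-approximates and that analysts should inspect the container's public access setting. The `note` is also stale now that `logs-azure*` is queried alongside the Filebeat index, and `event.outcome:(Success or success)` deserves a one-line explanation so the casing workaround is not removed later.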
