[SIEM][Detection Engine] Final final rule changes (#56806)

## Summary

* Final, final, Rule changes

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~
Frank Hassanabad 2020-02-04 18:19:36 -07:00 committed by GitHub
parent 8a90e67489
commit fac6873054
115 changed files with 312 additions and 1094 deletions


@ -162,8 +162,6 @@ which is available under a "MIT" license. The files based on this license are:
- windows_priv_escalation_via_accessibility_features.json
- windows_persistence_via_application_shimming.json
- windows_execution_via_trusted_developer_utilities.json
- windows_execution_via_net_com_assemblies.json
- windows_execution_via_connection_manager.json
MIT License


@ -1,13 +1,13 @@
{
"description": "A POST request to web application returned a 403 response which indicates the web application declined to process the request because the action requested was disallowed.",
"description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed",
"false_positives": [
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
],
"index": [
"apm-*-transaction*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Web Application Suspicious Activity: POST Request Declined",
"query": "http.response.status_code:403 and http.request.method:post",
"references": [


@ -1,13 +1,13 @@
{
"description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method was not allowed for the resource.",
"description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource",
"false_positives": [
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
],
"index": [
"apm-*-transaction*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Web Application Suspicious Activity: Unauthorized Method",
"query": "http.response.status_code:405",
"references": [


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Adversary behavior detected.",
"description": "Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Adversary Behavior - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event",
"risk_score": 47,
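Review bot: The query line `"query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event"` has no `endgame.metadata.type` clause, while every other Elastic Endpoint rule in this commit pairs its event.action with `endgame.metadata.type:detection` or `endgame.metadata.type:prevention`. If rules_engine_event alerts can carry either type, this rule counts prevented behavior under a "Detected" name and the detection-level risk score; if that event only ever has one type, the clause is still worth adding so the rule reads like its siblings. Separately, the new `"from": "now-660s"` with `"interval": "10m"` gives each run a 60-second overlap with the previous one, so an endpoint alert near the window edge is evaluated twice; if the engine does not dedupe on the source event, that presumably yields duplicate signals and is worth confirming. The rule object continues past the hunk.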


@ -1,11 +1,13 @@
{
"description": "Elastic Endpoint Security Alert - Credential dumping detected.",
"description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"name": "Cred Dumping - Detected - Elastic Endpoint",
"max_signals": 100,
"name": "Credential Dumping - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection",
"risk_score": 73,
"rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
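Review bot: The new description on the `"description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon ..."` line repeats, word for word, the same UI click-path sentence that every other Endpoint rule in this commit adds, so a change to the SIEM Detections page layout would require editing every one of these rule files. Consider keeping the description to what the rule detects and the fields it keys on (here `event.action:cred_theft_event` with `endgame.metadata.type:detection`) and documenting the navigation path once in the product docs. The rule object continues past the hunk.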


@ -1,11 +1,13 @@
{
"description": "Elastic Endpoint Security Alert - Credential dumping prevented.",
"description": "Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"name": "Cred Dumping - Prevented - Elastic Endpoint",
"max_signals": 100,
"name": "Credential Dumping - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention",
"risk_score": 47,
"rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",


@ -1,11 +1,13 @@
{
"description": "Elastic Endpoint Security Alert - Credential manipulation detected.",
"description": "Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"name": "Cred Manipulation - Detected - Elastic Endpoint",
"max_signals": 100,
"name": "Credential Manipulation - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection",
"risk_score": 73,
"rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",


@ -1,17 +1,20 @@
{
"description": "Elastic Endpoint Security Alert - Credential manipulation prevented.",
"description": "Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"name": "Cred Manipulation - Prevented - Elastic Endpoint",
"max_signals": 100,
"name": "Credential Manipulation - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention",
"risk_score": 47,
"rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
"severity": "medium",
"tags": [
"Elastic"
"Elastic",
"Endpoint"
],
"type": "query",
"version": 1


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Exploit detected.",
"description": "Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Exploit - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection",
"risk_score": 73,


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Exploit prevented.",
"description": "Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Exploit - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention",
"risk_score": 47,


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Malware detected.",
"description": "Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Malware - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:detection",
"risk_score": 99,


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Malware prevented.",
"description": "Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Malware - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:prevention",
"risk_score": 73,


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Permission theft detected.",
"description": "Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Permission Theft - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:detection",
"risk_score": 73,


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Permission theft prevented.",
"description": "Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Permission Theft - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:prevention",
"risk_score": 47,


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Process injection detected.",
"description": "Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Process Injection - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:detection",
"risk_score": 73,


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Process injection prevented.",
"description": "Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Process Injection - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:prevention",
"risk_score": 47,


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Ransomware detected.",
"description": "Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Ransomware - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:detection",
"risk_score": 99,


@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Ransomware prevented.",
"description": "Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Ransomware - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:prevention",
"risk_score": 73,


@ -1,10 +1,10 @@
{
"description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection",
"description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Adding Hidden File Attribute via Attrib",
"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
"risk_score": 21,


@ -4,7 +4,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Adobe Hijack Persistence",
"query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
"risk_score": 21,
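Review bot: The exclusion at the end of the query line, `not process.name:msiexeec.exe`, misspells the Windows Installer binary, so it can never match and the legitimate installer writes of RdrCEF.exe it was meant to filter still produce signals. It is unchanged context in this hunk, but it ships on the new side and the commit touches the file anyway; change it to `not process.name:msiexec.exe`. The rule object continues past the hunk.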


@ -1,36 +0,0 @@
{
"description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Audio Capture via PowerShell",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"powershell.exe\" and process.args:\"WindowsAudioDevice-Powershell-Cmdlet\"",
"risk_score": 21,
"rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada",
"severity": "low",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Collection",
"reference": "https://attack.mitre.org/tactics/TA0009/"
},
"technique": [
{
"id": "T1123",
"name": "Audio Capture",
"reference": "https://attack.mitre.org/techniques/T1123/"
}
]
}
],
"type": "query",
"version": 1
}


@ -1,36 +0,0 @@
{
"description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Audio Capture via SoundRecorder",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"",
"risk_score": 21,
"rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1",
"severity": "low",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Collection",
"reference": "https://attack.mitre.org/tactics/TA0009/"
},
"technique": [
{
"id": "T1123",
"name": "Audio Capture",
"reference": "https://attack.mitre.org/techniques/T1123/"
}
]
}
],
"type": "query",
"version": 1
}


@ -1,36 +0,0 @@
{
"description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Bypass UAC via Event Viewer",
"query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")",
"risk_score": 21,
"rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f",
"severity": "low",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1088",
"name": "Bypass User Account Control",
"reference": "https://attack.mitre.org/techniques/T1088/"
}
]
}
],
"type": "query",
"version": 1
}


@ -1,36 +0,0 @@
{
"description": "Identifies User Account Control (UAC) bypass via cmstp.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Bypass UAC via Cmstp",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")",
"risk_score": 21,
"rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0",
"severity": "low",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1088",
"name": "Bypass User Account Control",
"reference": "https://attack.mitre.org/techniques/T1088/"
}
]
}
],
"type": "query",
"version": 1
}


@ -1,36 +0,0 @@
{
"description": "Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Bypass UAC via Sdclt",
"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")",
"risk_score": 21,
"rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670",
"severity": "low",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1088",
"name": "Bypass User Account Control",
"reference": "https://attack.mitre.org/techniques/T1088/"
}
]
}
],
"type": "query",
"version": 1
}


@ -1,10 +1,10 @@
{
"description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt evade detection or destroy forensic evidence on a system.",
"description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Clearing Windows Event Logs",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
"risk_score": 21,
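Review bot: The query line mixes `and` and `or` without grouping, and KQL binds `and` tighter than `or`, so the `event.action:"Process Create (rule: ProcessCreate)"` constraint applies only to the wevtutil branch while the powershell branch matches any event kind that carries those args. Wrap both branches: `"query": "event.action:\"Process Create (rule: ProcessCreate)\" and ((process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"))"`. The "Disable Windows Firewall Rules via Netsh" section later in this commit has the same shape, and there the trailing `or process.args:("advfirewall" and "state" and "off")` branch is bound by neither the event.action nor the `process.name:"netsh.exe"` clause; it needs the same parentheses. The rule object continues past the hunk.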


@ -4,7 +4,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Delete Volume USN Journal with Fsutil",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")",
"risk_score": 21,


@ -4,7 +4,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Deleting Backup Catalogs with Wbadmin",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")",
"risk_score": 21,


@ -4,7 +4,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Direct Outbound SMB Connection",
"query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
"risk_score": 47,


@ -4,7 +4,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Disable Windows Firewall Rules via Netsh",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
"risk_score": 47,


@ -1,51 +0,0 @@
{
"description": "Detects writing DLL files to known locations associated with Windows files vulnerable to DLL search order hijacking.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "DLL Search Order Hijack",
"query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ",
"risk_score": 47,
"rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716",
"severity": "medium",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1088",
"name": "Bypass User Account Control",
"reference": "https://attack.mitre.org/techniques/T1088/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1088",
"name": "Bypass User Account Control",
"reference": "https://attack.mitre.org/techniques/T1088/"
}
]
}
],
"type": "query",
"version": 1
}


@ -4,7 +4,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Encoding or Decoding Files via CertUtil",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
"risk_score": 47,


@ -7,7 +7,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Local Scheduled Task Commands",
"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
"risk_score": 21,


@ -4,7 +4,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Local Service Commands",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
"risk_score": 21,


@ -1,36 +0,0 @@
{
"description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Modification of Boot Configuration",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ",
"risk_score": 73,
"rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8",
"severity": "high",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1107",
"name": "File Deletion",
"reference": "https://attack.mitre.org/techniques/T1107/"
}
]
}
],
"type": "query",
"version": 1
}


@ -4,9 +4,9 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "MsBuild Making Network Connections",
"query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
"query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:MSBuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
"risk_score": 47,
"rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
"severity": "medium",


@ -4,9 +4,9 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Network Connection via Mshta",
"query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"",
"query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\"",
"references": [
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
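Review bot: With the self-cancelling `and not process.name:"mshta.exe"` clause removed, the query line now fires on every mshta network connection, including loopback, whereas the "MsBuild Making Network Connections" and "Direct Outbound SMB Connection" rules in this same commit exclude `"127.0.0.1"` and `"::1"`. If local connections are not of interest here, appending `and not destination.ip:(\"127.0.0.1\" or \"::1\")` keeps the three network-connection rules consistent; if loopback hits are deliberately kept, the description should say so since it is the odd one out. The rule object continues past the hunk.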


@ -1,36 +0,0 @@
{
"description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Network Connection via MsXsl",
"query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
"risk_score": 47,
"rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525",
"severity": "medium",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1220",
"name": "XSL Script Processing",
"reference": "https://attack.mitre.org/techniques/T1220/"
}
]
}
],
"type": "query",
"version": 1
}


@ -7,9 +7,9 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "PsExec Network Connection",
"query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
"query": "process.name:PsExec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
"risk_score": 21,
"rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
"severity": "low",


@ -4,7 +4,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Suspicious MS Office Child Process",
"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
"risk_score": 21,
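Review bot: The child-process list on the query line still matches `"msbuild.exe"` in lowercase, while this same commit changes the MsBuild network rule to `process.name:MSBuild.exe` and the PsExec rule to `process.name:PsExec.exe`. If those renames were made because process.name under winlogbeat-* is a case-sensitive keyword field, the lowercase entries here and in the "Suspicious MS Outlook Child Process" section that follows (which carries the identical list) miss the same events the renamed rules now catch; if the field is lowercased on ingest instead, it is the renames that stop matching. The two conventions cannot both be right, so the lists and the renamed rules should be aligned with whatever casing the indexed data actually shows. The rule object continues past the hunk.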


@ -4,7 +4,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Suspicious MS Outlook Child Process",
"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
"risk_score": 21,


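--- a/eql_suspicious_pdf_reader_child_process.json
+++ b/eql_suspicious_pdf_reader_child_process.json
@@ -1,36 +0,0 @@
-{
-"description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
-"index": [
-"winlogbeat-*"
-],
-"language": "kuery",
-"max_signals": 33,
-"name": "Suspicious PDF Reader Child Process",
-"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
-"risk_score": 73,
-"rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f",
-"severity": "high",
-"tags": [
-"Elastic",
-"Windows"
-],
-"threat": [
-{
-"framework": "MITRE ATT&CK",
-"tactic": {
-"id": "TA0002",
-"name": "Execution",
-"reference": "https://attack.mitre.org/tactics/TA0002/"
-},
-"technique": [
-{
-"id": "T1193",
-"name": "Spearphishing Attachment",
-"reference": "https://attack.mitre.org/techniques/T1193/"
-}
-]
-}
-],
-"type": "query",
-"version": 1
-}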


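--- a/eql_system_shells_via_services.json
+++ b/eql_system_shells_via_services.json
@@ -4,7 +4,7 @@
 "winlogbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "System Shells via Services",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")",
 "risk_score": 47,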


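--- a/eql_unusual_network_connection_via_rundll32.json
+++ b/eql_unusual_network_connection_via_rundll32.json
@@ -4,7 +4,7 @@
 "winlogbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Unusual Network Connection via RunDLL32",
 "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 21,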


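--- a/eql_unusual_parentchild_relationship.json
+++ b/eql_unusual_parentchild_relationship.json
@@ -4,7 +4,7 @@
 "winlogbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Unusual Parent-Child Relationship ",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )",
 "risk_score": 47,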
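Review bot: The rule name at line 974, `"Unusual Parent-Child Relationship "`, ends in a trailing space. That line is unchanged context, but the commit already edits this file, and a name that differs from its displayed form only by whitespace is easy to mismatch wherever rules are looked up or compared by name; suggest `"name": "Unusual Parent-Child Relationship",`.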


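--- a/eql_unusual_process_network_connection.json
+++ b/eql_unusual_process_network_connection.json
@@ -4,7 +4,7 @@
 "winlogbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Unusual Process Network Connection",
 "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
 "risk_score": 21,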


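--- a/eql_user_account_creation.json
+++ b/eql_user_account_creation.json
@@ -4,7 +4,7 @@
 "winlogbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "User Account Creation",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ",
 "risk_score": 21,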


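--- a/eql_user_added_to_administrator_group.json
+++ b/eql_user_added_to_administrator_group.json
@@ -1,36 +0,0 @@
-{
-"description": "Identifies attempts to add a user to an administrative group with the \"net.exe\" command. This is sometimes done by attackers to increase access of a compromised account or create new account.",
-"index": [
-"winlogbeat-*"
-],
-"language": "kuery",
-"max_signals": 33,
-"name": "User Added to Administrator Group",
-"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ",
-"risk_score": 47,
-"rule_id": "4426de6f-6103-44aa-a77e-49d672836c27",
-"severity": "medium",
-"tags": [
-"Elastic",
-"Windows"
-],
-"threat": [
-{
-"framework": "MITRE ATT&CK",
-"tactic": {
-"id": "TA0003",
-"name": "Persistence",
-"reference": "https://attack.mitre.org/tactics/TA0003/"
-},
-"technique": [
-{
-"id": "T1098",
-"name": "Account Manipulation",
-"reference": "https://attack.mitre.org/techniques/T1098/"
-}
-]
-}
-],
-"type": "query",
-"version": 1
-}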


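--- a/eql_volume_shadow_copy_deletion_via_vssadmin.json
+++ b/eql_volume_shadow_copy_deletion_via_vssadmin.json
@@ -4,7 +4,7 @@
 "winlogbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Volume Shadow Copy Deletion via VssAdmin",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
 "risk_score": 73,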


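--- a/eql_volume_shadow_copy_deletion_via_wmic.json
+++ b/eql_volume_shadow_copy_deletion_via_wmic.json
@@ -4,9 +4,9 @@
 "winlogbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Volume Shadow Copy Deletion via WMIC",
-"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
+"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"WMIC.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
 "risk_score": 73,
 "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
 "severity": "high",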
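Review bot: The rewritten query at line 1064 now matches `process.name:\"WMIC.exe\"` in mixed case, while the other rules in this commit that reference the same binary (lines 887 and 899) still use `\"wmic.exe\"`. If `process.name` is indexed as a keyword field, KQL term matching is case-sensitive, so this rule would fire only when the event records exactly that casing and would go quiet for events logged as `wmic.exe`; please confirm against the winlogbeat mapping and the casing the process-create events actually carry. Either use one spelling across the rule set or match both, e.g. `process.name:(\"wmic.exe\" or \"WMIC.exe\")`.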


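--- a/eql_windows_script_executing_powershell.json
+++ b/eql_windows_script_executing_powershell.json
@@ -4,7 +4,7 @@
 "winlogbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Windows Script Executing PowerShell",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
 "risk_score": 21,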


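--- a/eql_wmic_command_lateral_movement.json
+++ b/eql_wmic_command_lateral_movement.json
@@ -1,39 +0,0 @@
-{
-"description": "Identifies use of wmic.exe to run commands on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
-"false_positives": [
-"The WMIC utility provides a command-line interface for WMI, which can be used for an array of administrative capabilities. It's important to baseline your environment to determine any abnormal use of this tool."
-],
-"index": [
-"winlogbeat-*"
-],
-"language": "kuery",
-"max_signals": 33,
-"name": "WMIC Command Lateral Movement",
-"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")",
-"risk_score": 21,
-"rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210",
-"severity": "low",
-"tags": [
-"Elastic",
-"Windows"
-],
-"threat": [
-{
-"framework": "MITRE ATT&CK",
-"tactic": {
-"id": "TA0008",
-"name": "Lateral Movement",
-"reference": "https://attack.mitre.org/tactics/TA0008/"
-},
-"technique": [
-{
-"id": "T1047",
-"name": "Windows Management Instrumentation",
-"reference": "https://attack.mitre.org/techniques/T1047/"
-}
-]
-}
-],
-"type": "query",
-"version": 1
-}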


@ -26,99 +26,79 @@ import rule16 from './elastic_endpoint_security_ransomware_detected.json';
import rule17 from './elastic_endpoint_security_ransomware_prevented.json';
import rule18 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json';
import rule19 from './eql_adobe_hijack_persistence.json';
import rule20 from './eql_audio_capture_via_powershell.json';
import rule21 from './eql_audio_capture_via_soundrecorder.json';
import rule22 from './eql_bypass_uac_event_viewer.json';
import rule23 from './eql_bypass_uac_via_cmstp.json';
import rule24 from './eql_bypass_uac_via_sdclt.json';
import rule25 from './eql_clearing_windows_event_logs.json';
import rule26 from './eql_delete_volume_usn_journal_with_fsutil.json';
import rule27 from './eql_deleting_backup_catalogs_with_wbadmin.json';
import rule28 from './eql_direct_outbound_smb_connection.json';
import rule29 from './eql_disable_windows_firewall_rules_with_netsh.json';
import rule30 from './eql_dll_search_order_hijack.json';
import rule31 from './eql_encoding_or_decoding_files_via_certutil.json';
import rule32 from './eql_local_scheduled_task_commands.json';
import rule33 from './eql_local_service_commands.json';
import rule34 from './eql_modification_of_boot_configuration.json';
import rule35 from './eql_msbuild_making_network_connections.json';
import rule36 from './eql_mshta_making_network_connections.json';
import rule37 from './eql_msxsl_making_network_connections.json';
import rule38 from './eql_psexec_lateral_movement_command.json';
import rule39 from './eql_suspicious_ms_office_child_process.json';
import rule40 from './eql_suspicious_ms_outlook_child_process.json';
import rule41 from './eql_suspicious_pdf_reader_child_process.json';
import rule42 from './eql_system_shells_via_services.json';
import rule43 from './eql_unusual_network_connection_via_rundll32.json';
import rule44 from './eql_unusual_parentchild_relationship.json';
import rule45 from './eql_unusual_process_network_connection.json';
import rule46 from './eql_user_account_creation.json';
import rule47 from './eql_user_added_to_administrator_group.json';
import rule48 from './eql_volume_shadow_copy_deletion_via_vssadmin.json';
import rule49 from './eql_volume_shadow_copy_deletion_via_wmic.json';
import rule50 from './eql_windows_script_executing_powershell.json';
import rule51 from './eql_wmic_command_lateral_movement.json';
import rule52 from './linux_hping_activity.json';
import rule53 from './linux_iodine_activity.json';
import rule54 from './linux_kernel_module_activity.json';
import rule55 from './linux_ldso_process_activity.json';
import rule56 from './linux_mknod_activity.json';
import rule57 from './linux_netcat_network_connection.json';
import rule58 from './linux_nmap_activity.json';
import rule59 from './linux_nping_activity.json';
import rule60 from './linux_process_started_in_temp_directory.json';
import rule61 from './linux_shell_activity_by_web_server.json';
import rule62 from './linux_socat_activity.json';
import rule63 from './linux_strace_activity.json';
import rule64 from './linux_tcpdump_activity.json';
import rule65 from './linux_whoami_commmand.json';
import rule66 from './network_dns_directly_to_the_internet.json';
import rule67 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
import rule68 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
import rule69 from './network_nat_traversal_port_activity.json';
import rule70 from './network_port_26_activity.json';
import rule71 from './network_port_8000_activity_to_the_internet.json';
import rule72 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
import rule73 from './network_proxy_port_activity_to_the_internet.json';
import rule74 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
import rule75 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
import rule76 from './network_rpc_remote_procedure_call_from_the_internet.json';
import rule77 from './network_rpc_remote_procedure_call_to_the_internet.json';
import rule78 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
import rule79 from './network_smtp_to_the_internet.json';
import rule80 from './network_sql_server_port_activity_to_the_internet.json';
import rule81 from './network_ssh_secure_shell_from_the_internet.json';
import rule82 from './network_ssh_secure_shell_to_the_internet.json';
import rule83 from './network_telnet_port_activity.json';
import rule84 from './network_tor_activity_to_the_internet.json';
import rule85 from './network_vnc_virtual_network_computing_from_the_internet.json';
import rule86 from './network_vnc_virtual_network_computing_to_the_internet.json';
import rule87 from './null_user_agent.json';
import rule88 from './sqlmap_user_agent.json';
import rule89 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
import rule90 from './windows_certutil_connecting_to_the_internet.json';
import rule91 from './windows_command_prompt_connecting_to_the_internet.json';
import rule92 from './windows_command_shell_started_by_internet_explorer.json';
import rule93 from './windows_command_shell_started_by_powershell.json';
import rule94 from './windows_command_shell_started_by_svchost.json';
import rule95 from './windows_defense_evasion_via_filter_manager.json';
import rule96 from './windows_execution_via_compiled_html_file.json';
import rule97 from './windows_execution_via_connection_manager.json';
import rule98 from './windows_execution_via_net_com_assemblies.json';
import rule99 from './windows_execution_via_regsvr32.json';
import rule100 from './windows_execution_via_trusted_developer_utilities.json';
import rule101 from './windows_html_help_executable_program_connecting_to_the_internet.json';
import rule102 from './windows_misc_lolbin_connecting_to_the_internet.json';
import rule103 from './windows_net_command_activity_by_the_system_account.json';
import rule104 from './windows_persistence_via_application_shimming.json';
import rule105 from './windows_priv_escalation_via_accessibility_features.json';
import rule106 from './windows_process_discovery_via_tasklist_command.json';
import rule107 from './windows_process_execution_via_wmi.json';
import rule108 from './windows_register_server_program_connecting_to_the_internet.json';
import rule109 from './windows_signed_binary_proxy_execution.json';
import rule110 from './windows_signed_binary_proxy_execution_download.json';
import rule111 from './windows_suspicious_process_started_by_a_script.json';
import rule112 from './windows_whoami_command_activity.json';
import rule20 from './eql_clearing_windows_event_logs.json';
import rule21 from './eql_delete_volume_usn_journal_with_fsutil.json';
import rule22 from './eql_deleting_backup_catalogs_with_wbadmin.json';
import rule23 from './eql_direct_outbound_smb_connection.json';
import rule24 from './eql_disable_windows_firewall_rules_with_netsh.json';
import rule25 from './eql_encoding_or_decoding_files_via_certutil.json';
import rule26 from './eql_local_scheduled_task_commands.json';
import rule27 from './eql_local_service_commands.json';
import rule28 from './eql_msbuild_making_network_connections.json';
import rule29 from './eql_mshta_making_network_connections.json';
import rule30 from './eql_psexec_lateral_movement_command.json';
import rule31 from './eql_suspicious_ms_office_child_process.json';
import rule32 from './eql_suspicious_ms_outlook_child_process.json';
import rule33 from './eql_system_shells_via_services.json';
import rule34 from './eql_unusual_network_connection_via_rundll32.json';
import rule35 from './eql_unusual_parentchild_relationship.json';
import rule36 from './eql_unusual_process_network_connection.json';
import rule37 from './eql_user_account_creation.json';
import rule38 from './eql_volume_shadow_copy_deletion_via_vssadmin.json';
import rule39 from './eql_volume_shadow_copy_deletion_via_wmic.json';
import rule40 from './eql_windows_script_executing_powershell.json';
import rule41 from './linux_hping_activity.json';
import rule42 from './linux_iodine_activity.json';
import rule43 from './linux_kernel_module_activity.json';
import rule44 from './linux_mknod_activity.json';
import rule45 from './linux_netcat_network_connection.json';
import rule46 from './linux_nmap_activity.json';
import rule47 from './linux_nping_activity.json';
import rule48 from './linux_process_started_in_temp_directory.json';
import rule49 from './linux_shell_activity_by_web_server.json';
import rule50 from './linux_socat_activity.json';
import rule51 from './linux_strace_activity.json';
import rule52 from './linux_tcpdump_activity.json';
import rule53 from './linux_whoami_commmand.json';
import rule54 from './network_dns_directly_to_the_internet.json';
import rule55 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
import rule56 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
import rule57 from './network_nat_traversal_port_activity.json';
import rule58 from './network_port_26_activity.json';
import rule59 from './network_port_8000_activity_to_the_internet.json';
import rule60 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
import rule61 from './network_proxy_port_activity_to_the_internet.json';
import rule62 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
import rule63 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
import rule64 from './network_rpc_remote_procedure_call_from_the_internet.json';
import rule65 from './network_rpc_remote_procedure_call_to_the_internet.json';
import rule66 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
import rule67 from './network_smtp_to_the_internet.json';
import rule68 from './network_sql_server_port_activity_to_the_internet.json';
import rule69 from './network_ssh_secure_shell_from_the_internet.json';
import rule70 from './network_ssh_secure_shell_to_the_internet.json';
import rule71 from './network_telnet_port_activity.json';
import rule72 from './network_tor_activity_to_the_internet.json';
import rule73 from './network_vnc_virtual_network_computing_from_the_internet.json';
import rule74 from './network_vnc_virtual_network_computing_to_the_internet.json';
import rule75 from './null_user_agent.json';
import rule76 from './sqlmap_user_agent.json';
import rule77 from './windows_command_prompt_connecting_to_the_internet.json';
import rule78 from './windows_command_shell_started_by_powershell.json';
import rule79 from './windows_command_shell_started_by_svchost.json';
import rule80 from './windows_defense_evasion_via_filter_manager.json';
import rule81 from './windows_execution_via_compiled_html_file.json';
import rule82 from './windows_execution_via_regsvr32.json';
import rule83 from './windows_execution_via_trusted_developer_utilities.json';
import rule84 from './windows_html_help_executable_program_connecting_to_the_internet.json';
import rule85 from './windows_misc_lolbin_connecting_to_the_internet.json';
import rule86 from './windows_persistence_via_application_shimming.json';
import rule87 from './windows_priv_escalation_via_accessibility_features.json';
import rule88 from './windows_process_discovery_via_tasklist_command.json';
import rule89 from './windows_register_server_program_connecting_to_the_internet.json';
import rule90 from './windows_signed_binary_proxy_execution.json';
import rule91 from './windows_suspicious_process_started_by_a_script.json';
import rule92 from './windows_whoami_command_activity.json';
export const rawRules = [
rule1,
rule2,
@ -212,24 +192,4 @@ export const rawRules = [
rule90,
rule91,
rule92,
rule93,
rule94,
rule95,
rule96,
rule97,
rule98,
rule99,
rule100,
rule101,
rule102,
rule103,
rule104,
rule105,
rule106,
rule107,
rule108,
rule109,
rule110,
rule111,
rule112,
];
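Review bot: The import list is renumbered from `rule20` through `rule92` because the `ruleNN` names are positional: dropping 20 rule files (the highest index goes from 112 to 92) rewrote 73 import lines and 20 `rawRules` entries that are otherwise unchanged, so the substantive change — which rules were removed — is buried in churn. Naming each import after its file, e.g. `import eqlClearingWindowsEventLogs from './eql_clearing_windows_event_logs.json';`, would keep future add/remove diffs local to the affected rule; the same churn appears in the `rawRules` hunk at lines 1299-1323. The `rawRules` array opens at the end of the first hunk and most of its body lies outside the hunks shown.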


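--- a/linux_hping_activity.json
+++ b/linux_hping_activity.json
@@ -1,5 +1,5 @@
 {
-"description": "Hping ran on a Linux host. Hping is FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications including scanning and firewall auditing.",
+"description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.",
 "false_positives": [
 "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
 ],
@@ -7,9 +7,9 @@
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Hping Process Activity",
-"query": "process.name: hping and event.action:executed",
+"query": "process.name: (hping3 or hping2 or hping) and event.action:executed",
 "references": [
 "https://en.wikipedia.org/wiki/Hping"
 ],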
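Review bot: The query at line 1342 now also fires on `hping2` and `hping3`, so the rule's detection logic changed, but neither hunk shows the rule's `version` field. If it still reads `1`, as the deleted rule files on this page do, users who already installed the prepackaged rule may not receive the updated query; please confirm the version is incremented whenever `query` changes, here and in the WMIC rule (line 1064) and the web-server shell rule (line 1520).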


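--- a/linux_iodine_activity.json
+++ b/linux_iodine_activity.json
@@ -1,5 +1,5 @@
 {
-"description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol in order to circumvent firewalls, network security groups or network access lists while evading detection.",
+"description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.",
 "false_positives": [
 "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
 ],
@@ -7,7 +7,7 @@
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Potential DNS Tunneling via Iodine",
 "query": "process.name: (iodine or iodined) and event.action:executed",
 "references": [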


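--- a/linux_kernel_module_activity.json
+++ b/linux_kernel_module_activity.json
@@ -1,5 +1,5 @@
 {
-"description": "Identifies loadable kernel module errors, often indicative of potential persistence attempts.",
+"description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.",
 "false_positives": [
 "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon."
 ],
@@ -7,7 +7,7 @@
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Persistence via Kernel Module Modification",
 "query": "process.name: (insmod or kmod or modprobe or rmod) and event.action:executed",
 "references": [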


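--- a/linux_ldso_process_activity.json
+++ b/linux_ldso_process_activity.json
@@ -1,22 +0,0 @@
-{
-"description": "The dynamic linker, ld.so, runs in a privileged context and can be used to escape restrictive environments by spawning a shell in order to elevate privileges or move laterally.",
-"false_positives": [
-"ld.so is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or administrators. Use of ld.so by non-engineers or ordinary users is uncommon."
-],
-"index": [
-"auditbeat-*"
-],
-"language": "kuery",
-"max_signals": 33,
-"name": "Ld.so Process Activity",
-"query": "process.name:ld.so and event.action:executed",
-"risk_score": 21,
-"rule_id": "3f31a31c-f7cf-4268-a0df-ec1a98099e7f",
-"severity": "low",
-"tags": [
-"Elastic",
-"Linux"
-],
-"type": "query",
-"version": 1
-}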


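--- a/linux_mknod_activity.json
+++ b/linux_mknod_activity.json
@@ -1,13 +1,13 @@
 {
-"description": "The Linux mknod program is sometimes used in the command payload of remote command injection (RCI) and other exploits to export a command shell when the traditional version of netcat is not available to the payload.",
+"description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.",
 "false_positives": [
-"Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by web servers is more likely to be suspicious."
+"Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
 ],
 "index": [
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Mknod Process Activity",
 "query": "process.name: mknod and event.action:executed",
 "references": [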


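--- a/linux_netcat_network_connection.json
+++ b/linux_netcat_network_connection.json
@@ -1,13 +1,13 @@
 {
-"description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. ",
+"description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.",
 "false_positives": [
-"Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools and frameworks."
+"Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."
 ],
 "index": [
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Netcat Network Activity",
 "query": "process.name: (nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action: (connected-to or bound-socket or socket_opened)",
 "references": [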


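--- a/linux_nmap_activity.json
+++ b/linux_nmap_activity.json
@@ -1,13 +1,13 @@
 {
-"description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.",
+"description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.",
 "false_positives": [
-"Security testing tools and frameworks may run nmap in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon."
+"Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon."
 ],
 "index": [
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Nmap Process Activity",
 "query": "process.name: nmap",
 "references": [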
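Review bot: The rewritten false-positives text at line 1459 wraps `Nmap` in backticks and capitalizes it, while the same sentence still says plain `nmap`; the same inline-code styling appears at line 1479 (`Nping`) and line 1498 (`/tmp`), and no other description in this commit uses it. If the rule UI renders these strings as plain text the backticks will show literally, so pick one convention for the rule set — plain `nmap`/`nping` throughout, or backticks for every tool mention in the sentence — and apply it to all three lines.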


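--- a/linux_nping_activity.json
+++ b/linux_nping_activity.json
@@ -1,13 +1,13 @@
 {
-"description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications including denial of service testing.",
+"description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.",
 "false_positives": [
-"Some normal use of this command may originate from security engineers and network or server administrators but this is usually not routine or unannounced. Use of nping by non-engineers or ordinary users is uncommon."
+"Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."
 ],
 "index": [
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Nping Process Activity",
 "query": "process.name: nping and event.action:executed",
 "references": [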


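--- a/linux_process_started_in_temp_directory.json
+++ b/linux_process_started_in_temp_directory.json
@@ -1,13 +1,13 @@
 {
 "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.",
 "false_positives": [
-"Build systems like Jenkins may start processes in the /tmp directory. These can be exempted by name or by username."
+"Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
 ],
 "index": [
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Unusual Process Execution - Temp",
 "query": "process.working_directory: /tmp and event.action:executed",
 "risk_score": 47,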


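--- a/linux_shell_activity_by_web_server.json
+++ b/linux_shell_activity_by_web_server.json
@@ -7,9 +7,9 @@
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Potential Shell via Web Server",
-"query": "process.name: bash and (user.name: apache or www) and event.action:executed",
+"query": "process.name: bash and user.name: (apache or www or \"wwww-data\") and event.action:executed",
 "references": [
 "https://pentestlab.blog/tag/web-shell/"
 ],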
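Review bot: The new query at line 1520 matches the account `\"wwww-data\"` with four w's; the conventional Debian/Ubuntu web-server account is `www-data`, so that branch of the `user.name` clause will never match and the extra coverage this change intends is silently lost. Suggest `user.name: (apache or www or \"www-data\")`. The old query's `(user.name: apache or www)` also had `www` outside the field scope, so the regrouping itself is the right fix — only the spelling is off.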


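--- a/linux_socat_activity.json
+++ b/linux_socat_activity.json
@@ -1,13 +1,13 @@
 {
-"description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Socat is also sometimes used for lateral movement. ",
+"description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.",
 "false_positives": [
-"Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by web servers is more likely to be suspicious."
+"Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
 ],
 "index": [
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Socat Process Activity",
 "query": "process.name:socat and not process.args:\"-V\" and event.action:executed",
 "references": [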


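--- a/linux_strace_activity.json
+++ b/linux_strace_activity.json
@@ -7,7 +7,7 @@
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Strace Process Activity",
 "query": "process.name: strace and event.action:executed",
 "references": [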


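--- a/linux_tcpdump_activity.json
+++ b/linux_tcpdump_activity.json
@@ -1,5 +1,5 @@
 {
-"description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet 'sniffing' tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.",
+"description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.",
 "false_positives": [
 "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting."
 ],
@@ -7,7 +7,7 @@
 "auditbeat-*"
 ],
 "language": "kuery",
-"max_signals": 33,
+"max_signals": 100,
 "name": "Network Sniffing via Tcpdump",
 "query": "process.name: tcpdump and event.action:executed",
 "risk_score": 21,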


@ -1,5 +1,5 @@
{
"description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.",
"description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.",
"false_positives": [
"Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks."
],
@ -7,7 +7,7 @@
"auditbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "User Discovery via Whoami",
"query": "process.name: whoami and event.action:executed",
"risk_score": 21,


@ -1,16 +1,16 @@
{
"description": "This signal detects internal network client sending DNS traffic directly to the Internet.\nThis is atypical behavior for a managed network and can be indicative of malware,\nexfiltration, command and control or simply misconfiguration. This also impacts your\norganization's ability to provide enterprise monitoring and logging of DNS and opens\nyour network to a variety of abuses or malicious communications.\n",
"description": "This rule detects when an internal network client sends DNS traffic directly to the Internet.\nThis is atypical behavior for a managed network, and can be indicative of malware,\nexfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your\norganization's ability to provide enterprise monitoring and logging of DNS, and opens\nyour network to a variety of abuses and malicious communications.\n",
"false_positives": [
"DNS servers should be excluded from this rule as this is expected behavior for them. Endpoints usually query local DNS servers defined in their DHCP scopes but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it would tend to break intra-net name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations; in that case, such devices or networks can be excluded from this rule if this is expected behavior."
"Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "DNS Activity to the Internet",
"query": "destination.port:53 and (\n network.direction: outbound or (\n source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\\:\\:fb or 255.255.255.255 )\n )\n)\n",
"references": [
@ -22,7 +22,7 @@
"severity": "medium",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,16 +1,16 @@
{
"description": "This signal detects events that may indicate the use of FTP network connections to the Internet.\nThe File Transfer Protocol (FTP) has been around in its current form since the\n1980's. It can be an efficient and normal procedure on your network to send and\nreceive files. Because it is common and efficient, adversaries will also often\nuse this protocol to ex-filtrate data from your network or download new tools.\nAdditionally, FTP is a plain-text protocol which may expose your user name and\npassword, if intercepted. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.\n",
"description": "This rule detects events that may indicate the use of FTP network connections to the Internet.\nThe File Transfer Protocol (FTP) has been around in its current form since the\n1980s. It can be a common and efficient procedure on your network to send and\nreceive files. Because of this, adversaries will also often use this protocol\nto exfiltrate data from your network or download new tools. Additionally, FTP\nis a plain-text protocol which, if intercepted, may expose usernames and\npasswords. FTP activity involving servers subject to regulations or compliance\nstandards may be unauthorized.\n",
"false_positives": [
"FTP servers should be excluded from this rule as this is expected behavior for them. Some business work-flows may use FTP for data exchange. These work-flows often have expected characteristics such as users, sources and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP work-flow or business requirement is often suspicious. NEW NEW"
"FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "FTP (File Transfer Protocol) Activity to the Internet",
"query": "network.transport: tcp and destination.port: (20 or 21) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 21,
@ -18,7 +18,7 @@
"severity": "low",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,16 +1,16 @@
{
"description": "This signal detects events that use common ports for IRC to the Internet. IRC (Internet Relay Chat)\nis a common protocol that can be used chat and file transfer. This protocol\nalso makes a good candidate for remote control of malware and data transfer in\nand out of a network.\n",
"description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet.\nIRC is a common protocol that can be used for chat and file transfers. This\nprotocol is also a good candidate for remote control of malware and data\ntransfers to and from a network.\n",
"false_positives": [
"IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATted web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some legacy applications may use these ports but this is very uncommon and usually appears only in local traffic using private IPs which this rule does not match."
"IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"query": "network.transport: tcp and destination.port:(6667 or 6697) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 47,
@ -18,7 +18,7 @@
"severity": "medium",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{
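Review bot: The rewritten false_positives entry spells the term `NAT-ed` while the other rules reworded in this commit (TCP Port 8000, Proxy Port Activity, SMTP to the Internet, SQL Traffic) use `NATed`; one spelling should be used across the rule set, and `NATed` is the majority form here. The phrase `this rule may false` is jargon shared by the sibling rules, so keeping it is at least consistent. The rule object continues past the end of the hunk.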


@ -1,16 +1,16 @@
{
"description": "This signal detects events that could be describing IPSEC NAT Traversal traffic.\nIPSEC is a VPN technology that allows one system to talk to another using\nencrypted tunnels. NAT Traversal enables these tunnels to communicate over\nthe Internet where one of the sides is behind a NAT router gateway. This may\nbe common on your network, but this technique is also used by threat actors\nto avoid detection.\n",
"description": "This rule detects events that could be describing IPSEC NAT Traversal traffic.\nIPSEC is a VPN technology that allows one system to talk to another using\nencrypted tunnels. NAT Traversal enables these tunnels to communicate over the\nInternet where one of the sides is behind a NAT router gateway. This may be\ncommon on your network, but this technique is also used by threat actors to\navoid detection.\n",
"false_positives": [
"Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions such as when a application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded if desired."
"Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "IPSEC NAT Traversal Port Activity",
"query": "network.transport: udp and destination.port: 4500",
"risk_score": 21,
@ -18,7 +18,7 @@
"severity": "low",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,18 +1,18 @@
{
"description": "This signal detects events that may indicate use of SMTP on TCP port 26. This\nport is commonly used by several popular mail transfer agents to deconflict\nwith the default SMTP port 25. This port has also been used by a malware family\ncalled BadPatch for command and control of Windows systems.\n",
"description": "This rule detects events that may indicate use of SMTP on TCP port 26. This\nport is commonly used by several popular mail transfer agents to deconflict\nwith the default SMTP port 25. This port has also been used by a malware family\ncalled BadPatch for command and control of Windows systems.\n",
"false_positives": [
"Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior for them."
"Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "SMTP on Port 26/TCP",
"query": "network.transport: tcp and destination.port: 26",
"query": "network.transport: tcp and destination.port: 26\n",
"references": [
"https://unit42.paloaltonetworks.com/unit42-badpatch/",
"https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
@ -22,7 +22,7 @@
"severity": "low",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{
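Review bot: The query string on the new side now ends with an embedded newline, `"query": "network.transport: tcp and destination.port: 26\n"`, whereas the other single-port rule in this commit (IPSEC NAT Traversal, `destination.port: 4500`) keeps its query without one; the PPTP rule's query (`destination.port: 1723\n`) picks up the same trailing newline. A trailing `\n` is most likely tolerated by the KQL parser, but it makes otherwise identical rule content differ byte-for-byte, which matters wherever prepackaged rules are compared against installed ones to decide whether they were modified. I'd keep the query as `"query": "network.transport: tcp and destination.port: 26"` and do the same for the PPTP rule. The rule object continues past the end of the hunk.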


@ -1,16 +1,16 @@
{
"description": "TCP Port 8000 is commonly used for development environments of web server\nsoftware. It generally should not be exposed directly to the Internet. If you are\nrunning software like this on the Internet, you should consider placing it behind\na reverse proxy.\n",
"false_positives": [
"Because this port is in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet."
"Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "TCP Port 8000 Activity to the Internet",
"query": "network.transport: tcp and destination.port: 8000 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 21,
@ -18,7 +18,7 @@
"severity": "low",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,24 +1,24 @@
{
"description": "This signal detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.",
"description": "This rule detects events that may indicate use of a PPTP VPN connection. Some\nthreat actors use these types of connections to tunnel their traffic while\navoiding detection.\n",
"false_positives": [
"Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions such as when an application server with replies to a client which has used this port by coincidence. This is uncommon but such servers can be excluded if desired."
"Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "PPTP (Point to Point Tunneling Protocol) Activity",
"query": "network.transport: tcp and destination.port: 1723",
"query": "network.transport: tcp and destination.port: 1723\n",
"risk_score": 21,
"rule_id": "d2053495-8fe7-4168-b3df-dad844046be3",
"severity": "low",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,16 +1,16 @@
{
"description": "This signal detects events that may describe network events of proxy use to the\nInternet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically\nenvironments will use an internal IP address for a proxy server. It can also\nbe used to circumvent network controls and detection mechanisms.\n",
"description": "This rule detects events that may describe network events of proxy use to the\nInternet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically,\nenvironments will use an internal IP address for a proxy server. It can also\nbe used to circumvent network controls and detection mechanisms.\n",
"false_positives": [
"Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
"Some proxied applications may use these ports but this usually occurs in local traffic using private IPs\n which this rule does not match. Proxies are widely used as a security technology but in enterprise environments\n this is usually local traffic which this rule does not match. Internet proxy services using these ports can be\n white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving\n an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or\n direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in\n the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a\n client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "Proxy Port Activity to the Internet",
"query": "network.transport: tcp and destination.port: (3128 or 8080 or 1080) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 47,
@ -18,7 +18,7 @@
"severity": "medium",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{
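Review bot: The rewritten false_positives entry embeds hard line breaks followed by leading spaces inside the JSON string (`...using private IPs\n which this rule does not match...`), so the text will render with stray newlines and indentation instead of flowing as a paragraph; every other false_positives entry edited in this commit is kept on a single line. The same pattern appears in the RDP from the Internet and RDP to the Internet entries (the former also begins with a leading space, `" Some network security policies...`) and in the SQL Traffic entry. This entry also keeps both `if desired` qualifiers that the rest of the commit removes. I'd collapse the string to one line without embedded `\n` and trim the leading space on the RDP entry. The rule object continues past the end of the hunk.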


@ -1,16 +1,16 @@
{
"description": "This signal detects network events that may indicate the use of RDP traffic\nfrom the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"description": "This rule detects network events that may indicate the use of RDP traffic\nfrom the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"false_positives": [
"Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
" Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to\n server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the\n Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump\n servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may\n be required by some work-flows such as remote access and support for specialized software products and\n servers. Such work-flows are usually known and not unexpected."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "RDP (Remote Desktop Protocol) from the Internet",
"query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n and destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 47,
@ -18,7 +18,7 @@
"severity": "medium",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{
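Review bot: The new false_positives text carries over a missing word from the old line: `only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet` should read `may be expected to expose RDP directly to the Internet`. It also still uses the hyphenated `work-flows`, which the FTP rule in this commit normalises to `workflows`; the same spelling appears in the RDP to the Internet entry. The rule object continues past the end of the hunk.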


@ -1,16 +1,16 @@
{
"description": "This signal detects network events that may indicate the use of RDP traffic\nto the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"description": "This rule detects network events that may indicate the use of RDP traffic\nto the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"false_positives": [
"RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
"RDP connections may be made directly to Internet destinations in order to access\n Windows cloud server instances but such connections are usually made only by engineers.\n In such cases, only RDP gateways, bastions or jump servers may be expected Internet\n destinations and can be exempted from this rule. RDP may be required by some work-flows\n such as remote access and support for specialized software products and servers. Such\n work-flows are usually known and not unexpected. Usage that is unfamiliar to server or\n network owners can be unexpected and suspicious."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "RDP (Remote Desktop Protocol) to the Internet",
"query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 21,
@ -18,7 +18,7 @@
"severity": "low",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,13 +1,13 @@
{
"description": "This signal detects network events that may indicate the use of RPC traffic\nfrom the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"description": "This rule detects network events that may indicate the use of RPC traffic\nfrom the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "RPC (Remote Procedure Call) from the Internet",
"query": "network.transport: tcp and destination.port: 135 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 73,
@ -15,7 +15,7 @@
"severity": "high",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,13 +1,13 @@
{
"description": "This signal detects network events that may indicate the use of RPC traffic\nto the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"description": "This rule detects network events that may indicate the use of RPC traffic\nto the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "RPC (Remote Procedure Call) to the Internet",
"query": "network.transport: tcp and destination.port: 135 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 73,
@ -15,7 +15,7 @@
"severity": "high",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,13 +1,13 @@
{
"description": "This signal detects network events that may indicate the use of Windows\nfile sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly\nused within networks to share files, printers, and other system resources amongst\ntrusted systems. It should almost never be directly exposed to the Internet, as\nit is frequently targeted and exploited by threat actors as an initial access\nor back-door vector or for data exfiltration.\n",
"description": "This rule detects network events that may indicate the use of Windows\nfile sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly\nused within networks to share files, printers, and other system resources amongst\ntrusted systems. It should almost never be directly exposed to the Internet, as\nit is frequently targeted and exploited by threat actors as an initial access\nor back-door vector or for data exfiltration.\n",
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "SMB (Windows File Sharing) Activity to the Internet",
"query": "network.transport: tcp and destination.port: (139 or 445) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 73,
@ -15,7 +15,7 @@
"severity": "high",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,16 +1,16 @@
{
"description": "This signal detects events that may describe SMTP traffic from internal\nhosts to a host across the Internet. In an enterprise network, there is typically\na dedicate host that is internal that could perform this function. It is also\nfrequently abused by threat actors for command and control or data exfiltration.\n",
"description": "This rule detects events that may describe SMTP traffic from internal\nhosts to a host across the Internet. In an enterprise network, there is typically\na dedicated internal host that performs this function. It is also\nfrequently abused by threat actors for command and control, or data exfiltration.\n",
"false_positives": [
"NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and / or personal devices may send email traffic to remote Internet destinations; in that case, such devices or networks can be excluded from this rule if this is expected behavior."
"NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "SMTP to the Internet",
"query": "network.transport: tcp and destination.port: (25 or 465 or 587) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 21,
@ -18,7 +18,7 @@
"severity": "low",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,16 +1,16 @@
{
"description": "This signal detects events that may describe database traffic\n(MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases\nshould almost never be directly exposed to the Internet, as they are\nfrequently targeted by threat actors to gain initial access to network resources.\n",
"description": "This rule detects events that may describe database traffic\n(MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases\nshould almost never be directly exposed to the Internet, as they are\nfrequently targeted by threat actors to gain initial access to network resources.\n",
"false_positives": [
"Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet."
"Because these ports are in the ephemeral range, this rule may false under certain conditions\n such as when a NATed web server replies to a client which has used a port in the range by\n coincidence. In this case, such servers can be excluded if desired. Some cloud environments may\n use this port when VPNs or direct connects are not in use and database instances are accessed\n directly across the Internet."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "SQL Traffic to the Internet",
"query": "network.transport: tcp and destination.port: (1433 or 1521 or 3336 or 5432) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 47,
@ -18,7 +18,7 @@
"severity": "medium",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{
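Review bot: The query on the new side of the first hunk lists `destination.port: (1433 or 1521 or 3336 or 5432)` while the description names MS SQL, Oracle, MySQL and Postgresql; MySQL's default listener is TCP 3306, so 3336 looks like a typo and the rule as written would not see default-port MySQL traffic. Unless 3336 is deliberate, the clause should read `destination.port: (1433 or 1521 or 3306 or 5432)` with the rest of the query unchanged. Separately, the rewritten false_positives string embeds `\n ` sequences (newline plus a leading space) that will presumably surface as hard breaks and stray spaces wherever the text is displayed, whereas the SMTP section above keeps its entry on one line; the same embedding appears in the SSH, Telnet, Tor and VNC sections below.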


@ -1,16 +1,16 @@
{
"description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"description": "This rule detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"false_positives": [
"Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
"Some network security policies allow SSH directly from the Internet but usage that is\n unfamiliar to server or network owners can be unexpected and suspicious. SSH services may\n be exposed directly to the Internet in some networks such as cloud environments. In such\n cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to\n the Internet and can be exempted from this rule. SSH may be required by some work-flows\n such as remote access and support for specialized software products and servers. Such\n work-flows are usually known and not unexpected."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "SSH (Secure Shell) from the Internet",
"query": "network.transport: tcp and destination.port:22 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 47,
@ -18,7 +18,7 @@
"severity": "medium",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{
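Review bot: The rewritten false_positives entry in the first hunk keeps the grammatical slip `may be expected expose SSH directly to the Internet`; the `to` is missing. Suggested wording: `only SSH gateways, bastions or jump servers may be expected to expose SSH directly to the Internet and can be exempted from this rule`. The rest of the rewrite is fine.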


@ -1,16 +1,16 @@
{
"description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"description": "This rule detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"false_positives": [
"SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
"SSH connections may be made directly to Internet destinations in order to access Linux\n cloud server instances but such connections are usually made only by engineers. In such cases,\n only SSH gateways, bastions or jump servers may be expected Internet destinations and can be\n exempted from this rule. SSH may be required by some work-flows such as remote access and support\n for specialized software products and servers. Such work-flows are usually known and not unexpected.\n Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "SSH (Secure Shell) to the Internet",
"query": "network.transport: tcp and destination.port:22 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 21,
@ -18,7 +18,7 @@
"severity": "low",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{
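Review bot: The new description in the first hunk says the rule detects `SSH traffic\nfrom the Internet`, but the rule is named `SSH (Secure Shell) to the Internet` and its query requires `network.direction: outbound` or a private source talking to a non-private destination. The description appears to have been copied from the inbound sibling; its opening should read `This rule detects network events that may indicate the use of SSH traffic\nto the Internet.` so an analyst triaging a signal is not told the wrong direction.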


@ -1,16 +1,16 @@
{
"description": "This signal detects network events that may indicate the use of Telnet traffic.\nTelnet is commonly used by system administrators to remotely control older or embed ed\nsystems using the command line shell. It should almost never be directly exposed to\nthe Internet, as it is frequently targeted and exploited by threat actors as an\ninitial access or back-door vector. As a plain-text protocol, it may also expose\n",
"description": "This rule detects network events that may indicate the use of Telnet traffic.\nTelnet is commonly used by system administrators to remotely control older or embed ed\nsystems using the command line shell. It should almost never be directly exposed to\nthe Internet, as it is frequently targeted and exploited by threat actors as an\ninitial access or back-door vector. As a plain-text protocol, it may also expose\nusernames and passwords to anyone capable of observing the traffic.\n",
"false_positives": [
"IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
"IoT (Internet of Things) devices and networks may use telnet and can be excluded if\n desired. Some business work-flows may use Telnet for administration of older devices. These\n often have a predictable behavior. Telnet activity involving an unusual source or destination\n may be more suspicious. Telnet activity involving a production server that has no known\n associated Telnet work-flow or business requirement is often suspicious."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "Telnet Port Activity",
"query": "network.transport: tcp and destination.port: 23",
"risk_score": 47,
@ -18,7 +18,7 @@
"severity": "medium",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{
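Review bot: The new description in the first hunk keeps the typo `older or embed ed\nsystems`; it should be `older or embedded\nsystems`. The added closing sentence about exposing usernames and passwords is a useful triage hint, so this is the only wording fix left in that string.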


@ -1,16 +1,16 @@
{
"description": "This signal detects network events that may indicate the use of Tor traffic\nto the Internet. Tor is a network protocol that sends traffic through a\nseries of encrypted tunnels used to conceal a user's location and usage.\nTor may be used by threat actors as an alternate communication pathway to\nconceal the actor's identity and avoid detection.\n",
"description": "This rule detects network events that may indicate the use of Tor traffic\nto the Internet. Tor is a network protocol that sends traffic through a\nseries of encrypted tunnels used to conceal a user's location and usage.\nTor may be used by threat actors as an alternate communication pathway to\nconceal the actor's identity and avoid detection.\n",
"false_positives": [
"Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired."
"Tor client activity is uncommon in managed enterprise networks but may be common\n in unmanaged or public networks where few security policies apply. Because these ports\n are in the ephemeral range, this rule may false under certain conditions such as when a\n NATed web server replies to a client which has used one of these ports by coincidence.\n In this case, such servers can be excluded if desired."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "Tor Activity to the Internet",
"query": "network.transport: tcp and destination.port: (9001 or 9030) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 47,
@ -18,7 +18,7 @@
"severity": "medium",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{


@ -1,16 +1,16 @@
{
"description": "This signal detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"description": "This rule detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"false_positives": [
"VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
"VNC connections may be received directly to Linux cloud server instances but\n such connections are usually made only by engineers. VNC is less common than SSH\n or RDP but may be required by some work-flows such as remote access and support\n for specialized software products or servers. Such work-flows are usually known\n and not unexpected. Usage that is unfamiliar to server or network owners can be\n unexpected and suspicious."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "VNC (Virtual Network Computing) from the Internet",
"query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 73,
@ -18,7 +18,7 @@
"severity": "high",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{
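Review bot: The query on the new side restricts matches to `destination.port >= 5800 and destination.port <= 5810`, which is the range conventionally used by VNC's HTTP/Java viewer; the RFB listener that a VNC client actually connects to defaults to TCP 5900 plus the display number, and that range is not covered. If the intent is to catch VNC sessions rather than only the browser-based viewer, the port clause should also include `(destination.port >= 5900 and destination.port <= 5910)`. The outbound sibling, VNC (Virtual Network Computing) to the Internet, has the same port clause.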


@ -1,16 +1,16 @@
{
"description": "This signal detects network events that may indicate the use of VNC traffic\nto the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n",
"description": "This rule detects network events that may indicate the use of VNC traffic\nto the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.",
"false_positives": [
"VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
"VNC connections may be made directly to Linux cloud server instances but such\n connections are usually made only by engineers. VNC is less common than SSH or RDP\n but may be required by some work flows such as remote access and support for\n specialized software products or servers. Such work-flows are usually known and not\n unexpected. Usage that is unfamiliar to server or network owners can be unexpected\n and suspicious."
],
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"packetbeat-*",
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "VNC (Virtual Network Computing) to the Internet",
"query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"risk_score": 47,
@ -18,7 +18,7 @@
"severity": "medium",
"tags": [
"Elastic",
"network"
"Network"
],
"threat": [
{
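Review bot: The new description string in the first hunk drops the trailing `\n` that every other rewritten description in this change ends with, and the false_positives entry mixes `work flows` and `work-flows` within one sentence. Both are cosmetic, but these strings are presumably shown verbatim in the rule UI, so keeping the terminator and the spelling in line with the sibling VNC rule avoids a visible difference. Suggested: end the description with `back-door vector.\n` and use `work-flows` in both places.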


@ -9,8 +9,6 @@
* - windows_priv_escalation_via_accessibility_features.json
* - windows_persistence_via_application_shimming.json
* - windows_execution_via_trusted_developer_utilities.json
* - windows_execution_via_net_com_assemblies.json
* - windows_execution_via_connection_manager.json
*
* MIT License
*


@ -1,7 +1,7 @@
{
"description": "A request to a web application server contained no identifying user agent string.",
"false_positives": [
"Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
"Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
],
"filters": [
{
@ -25,7 +25,7 @@
"apm-*-transaction*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Web Application Suspicious Activity: No User Agent",
"query": "url.path: *",
"references": [
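Review bot: The second hunk shows `"query": "url.path: *"`, which on its own matches every transaction; the condition that the request has no user agent presumably lives in the `filters` array opened at the top of the section, whose body is outside the hunk. Since the description is what an analyst reads, it should say that the rule relies on a filter rather than the query, e.g. `A request to a web application server contained no identifying user agent string (the missing-field check is applied via the rule's filters).` The rewritten false_positives sentence also drops its verbs; `If the source is unexpected, the user is unauthorized, or the request is unusual, these may indicate suspicious or malicious activity.` reads more clearly.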


@ -1,12 +1,13 @@
{
"description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11 which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. ",
"description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
"false_positives": [
"This signal does not indicate that a SQL injection attack occurred, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
"This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
],
"index": [
"apm-*-transaction*"
],
"language": "kuery",
"max_signals": 100,
"name": "Web Application Suspicious Activity: sqlmap User Agent",
"query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
"references": [
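Review bot: The query on the new side pins the exact string `sqlmap/1.3.11#stable (http://sqlmap.org)`, so the rule fires for one sqlmap release only, while the rewritten false_positives text says it indicates `that the sqlmap tool was used` in general. Either the description should state that only this specific version string is matched (it already calls itself an example), or the query should match the tool prefix, e.g. `"query": "user_agent.original:sqlmap*"`, assuming `user_agent.original` is a keyword field where a KQL wildcard applies. The backticks added around `sqlmap` in the false_positives string will show up literally unless the UI renders that field as markdown, so confirm before keeping them.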


@ -1,51 +0,0 @@
{
"description": "Adversaries may abuse the Background Intelligent Transfer Service (BITS) to download, execute, or clean up after performing a malicious action.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Background Intelligent Transfer Service (BITS) connecting to the Internet",
"query": "process.name:bitsadmin.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
"risk_score": 21,
"rule_id": "7edadee3-98ae-472c-b1c4-8c0a2c4877cc",
"severity": "low",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1197",
"name": "BITS Jobs",
"reference": "https://attack.mitre.org/techniques/T1197/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1197",
"name": "BITS Jobs",
"reference": "https://attack.mitre.org/techniques/T1197/"
}
]
}
],
"type": "query",
"version": 1
}


@ -1,36 +0,0 @@
{
"description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Certutil Network Connection",
"query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
"risk_score": 21,
"rule_id": "1a2cf526-6784-4c51-a2b9-f0adcc05d85c",
"severity": "low",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1105",
"name": "Remote File Copy",
"reference": "https://attack.mitre.org/techniques/T1105/"
}
]
}
],
"type": "query",
"version": 1
}


@ -7,7 +7,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Command Prompt Network Connection",
"query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
"risk_score": 21,
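Review bot: The exclusion list in the query, `not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16`, covers only the RFC 1918 ranges, so a cmd.exe connection to 127.0.0.1, ::1, a link-local address or a 100.64.0.0/10 (carrier-grade NAT) address is reported as if it were an Internet connection. If that is not intended, those ranges belong in the exclusion; if it is, the description (outside the hunk) should say the rule is not limited to public destinations. The rule name `Command Prompt Network Connection` is neutral enough to fit either reading.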


@ -1,36 +0,0 @@
{
"description": "Identifies a suspicious parent child process relationship with cmd.exe spawning form Internet Explorer.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Internet Explorer spawning cmd.exe",
"query": "process.parent.name:iexplore.exe and process.name:cmd.exe",
"risk_score": 21,
"rule_id": "7a6e1e81-deae-4cf6-b807-9a768fff3c06",
"severity": "low",
"tags": [
"Elastic",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1059",
"name": "Command-Line Interface",
"reference": "https://attack.mitre.org/techniques/T1059/"
}
]
}
],
"type": "query",
"version": 1
}


@ -4,8 +4,8 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "PowerShell spawning cmd.exe",
"max_signals": 100,
"name": "PowerShell spawning Cmd",
"query": "process.parent.name:powershell.exe and process.name:cmd.exe",
"risk_score": 21,
"rule_id": "0f616aee-8161-4120-857e-742366f5eeb3",
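Review bot: The query on the new side, `process.parent.name:powershell.exe and process.name:cmd.exe`, carries no event qualifier, whereas the other process-creation rules in this change filter on `event.code:1` (Potential Evasion via Filter Manager, Process Activity via Compiled HTML File). Without it, any event that happens to carry both fields, not just a process-creation record, can satisfy the query; if that breadth is not intended, `"query": "event.code:1 and process.parent.name:powershell.exe and process.name:cmd.exe"` brings it in line with the siblings. The Svchost spawning Cmd section below has the same omission.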


@ -4,8 +4,8 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Svchost spawning cmd.exe",
"max_signals": 100,
"name": "Svchost spawning Cmd",
"query": "process.parent.name:svchost.exe and process.name:cmd.exe",
"risk_score": 21,
"rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",


@ -4,15 +4,14 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Potential Evasion via Filter Manager",
"query": "event.code:1 and process.name:fltmc.exe",
"query": "event.code:1 and process.name:fltMC.exe",
"risk_score": 21,
"rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
"severity": "low",
"tags": [
"Elastic",
"D-SA",
"Windows"
],
"threat": [
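Review bot: The query change from `process.name:fltmc.exe` to `process.name:fltMC.exe` only makes a difference if `process.name` is a keyword-mapped field, where KQL term matching is case-sensitive, and the rule then depends on the logged image name carrying exactly that case. That dependency is worth recording, because a future copy-edit back to lowercase would silently stop the rule firing; as the rule JSON has no comment field, a sentence in the description (its line lies outside the hunk) such as `The process name is matched case-sensitively as fltMC.exe.` would document it.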


@ -7,7 +7,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Process Activity via Compiled HTML File",
"query": "event.code:1 and process.name:hh.exe",
"risk_score": 21,


@ -1,37 +0,0 @@
{
"description": "Various Windows utilities may be used to execute commands, possibly without invoking cmd.exe, including the Program Compatibility Assistant (pcalua.exe) or forfiles.exe.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"name": "Indirect Command Execution",
"query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
"risk_score": 21,
"rule_id": "f2728299-167a-489c-913c-2e0955ac3c40",
"severity": "low",
"tags": [
"Elastic",
"D-SA",
"Windows"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1202",
"name": "Indirect Command Execution",
"reference": "https://attack.mitre.org/techniques/T1202/"
}
]
}
],
"type": "query",
"version": 1
}
