diff --git a/.github/ISSUE_TEMPLATE/new_meta.yaml b/.github/ISSUE_TEMPLATE/new_meta.yaml index 18a14632ab4..dc11e125f0b 100644 --- a/.github/ISSUE_TEMPLATE/new_meta.yaml +++ b/.github/ISSUE_TEMPLATE/new_meta.yaml @@ -37,7 +37,7 @@ body: - type: textarea attributes: label: Tasking - value: "```[tasklist]\n### Meta Tasks\n- [ ] Provide Week 1 Update Comment\n- [ ] Provide Week 2 Update or Closeout Comment\n```" + value: "\n### Meta Tasks\n- [ ] Provide Week 1 Update Comment\n- [ ] Provide Week 2 Update or Closeout Comment\n" render: - type: textarea diff --git a/.github/workflows/attack-coverage-update.yml b/.github/workflows/attack-coverage-update.yml index 22110811427..6dd98c441af 100644 --- a/.github/workflows/attack-coverage-update.yml +++ b/.github/workflows/attack-coverage-update.yml @@ -45,7 +45,7 @@ jobs: git add docs-dev/"ATT\&CK-coverage.md" - name: Create Pull Request - uses: peter-evans/create-pull-request@v7.0.3 + uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # v7.0.3 with: assignees: '${{github.actor}}' delete-branch: true diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml new file mode 100644 index 00000000000..9f764311669 --- /dev/null +++ b/.github/workflows/docs-build.yml @@ -0,0 +1,23 @@ +name: docs-build + +on: + push: + branches: + - main + pull_request_target: ~ + +jobs: + preview: + uses: elastic/docs-builder/.github/workflows/preview-build.yml@main + with: + continue-on-error: false + strict: true + path-pattern: | + docs/** + rules/** + rules_building_block/** + permissions: + deployments: write + id-token: write + contents: read + pull-requests: read diff --git a/.github/workflows/docs-cleanup.yml b/.github/workflows/docs-cleanup.yml new file mode 100644 index 00000000000..17c4a06e4b3 --- /dev/null +++ b/.github/workflows/docs-cleanup.yml 
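Review bot: The new docs-build.yml runs on `pull_request_target` (every activity type, since the trigger is `~`) with `deployments: write` and `id-token: write`, yet it calls the reusable workflow by the mutable ref `elastic/docs-builder/.github/workflows/preview-build.yml@main` while the other hunks in this change move third-party actions to full-SHA pins. Whoever can push to that branch of docs-builder thereby controls what runs with an OIDC token and deployment rights in this repository's context, and if the called workflow checks out the PR head to build `docs/**` and `rules/**` (not visible here) a fork PR can supply that content. Pin the callee the same way the actions are pinned, `uses: elastic/docs-builder/.github/workflows/preview-build.yml@<commit-sha> # main`, and if the preview build does not need secrets consider `pull_request` instead of `pull_request_target`.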
@@ -0,0 +1,14 @@ +name: docs-cleanup + +on: + pull_request_target: + types: + - closed + +jobs: + preview: + uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@main + permissions: + contents: none + id-token: write + deployments: write diff --git a/.github/workflows/kibana-mitre-update.yml b/.github/workflows/kibana-mitre-update.yml index 5d7b7fe64ca..755f41650f3 100644 --- a/.github/workflows/kibana-mitre-update.yml +++ b/.github/workflows/kibana-mitre-update.yml @@ -16,7 +16,7 @@ jobs: - name: Get MITRE Attack changed files id: changed-attack-files - uses: tj-actions/changed-files@v44 + uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1 with: files: detection_rules/etc/attack-v*.json.gz diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index 2f472c5ce6a..460071ee84a 100644 --- a/.github/workflows/lock-versions.yml +++ b/.github/workflows/lock-versions.yml @@ -6,7 +6,7 @@ on: description: 'List of branches to lock versions (ordered, comma separated)' required: true # 7.17 was intentionally skipped because it was added late and was bug fix only - default: '8.12,8.13,8.14,8.15,8.16,8.17' + default: '8.14,8.15,8.16,8.17,8.18,9.0' jobs: pr: diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml index 3b01b06772f..97ca3e0f025 100644 --- a/.github/workflows/pythonpackage.yml +++ b/.github/workflows/pythonpackage.yml @@ -2,7 +2,7 @@ name: Unit Tests on: push: - branches: [ "main", "7.*", "8.*" ] + branches: [ "main", "7.*", "8.*", "9.*" ] pull_request: branches: [ "*" ] diff --git a/.github/workflows/react-tests-dispatcher.yml b/.github/workflows/react-tests-dispatcher.yml index 7e871429c8f..4418edc8a63 100644 --- a/.github/workflows/react-tests-dispatcher.yml +++ b/.github/workflows/react-tests-dispatcher.yml 
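Review bot: docs-cleanup.yml also fires on `pull_request_target` (type `closed`) with `id-token: write` and `deployments: write` and delegates to `preview-cleanup.yml@main`, an unpinned moving ref, so an OIDC token for this repo is minted on every PR close under code this repo does not control. `contents: none` limits the blast radius but the callee remains the trust boundary. Pin it to a commit, `uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@<commit-sha> # main`, so the version that runs is the one that was reviewed.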
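Review bot: The `tj-actions/changed-files` pin jumps two major versions (`v44` to `v46.0.1`) inside what otherwise reads as a pin-only change, so any behavioural difference between those majors lands here without being called out. The `files:` input is unchanged in the hunk, but the step outputs consumed after it (outside the shown lines) should be checked against the v46 release notes, and the SHA `2f7c5bfce28377bc069a65ba478de0a74aa0ca32` should be confirmed against the upstream `v46.0.1` tag from a trusted clone, since a SHA pin only protects against tag retargeting if the SHA itself came from a trusted source. A one-line `# v46.0.1 (bumped from v44; outputs unchanged)` comment would make the intent explicit for the next reader.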
@@ -22,6 +22,7 @@ on: - '!rules/integrations/o365/*.toml' - '!rules/integrations/okta/*.toml' - '!rules/integrations/problemchild/*.toml' + - '!rules/integrations/pad/*.toml' jobs: dispatch: diff --git a/.github/workflows/version-code-and-release.yml b/.github/workflows/version-code-and-release.yml index 3ab8d0f5f03..2bd62d24bbb 100644 --- a/.github/workflows/version-code-and-release.yml +++ b/.github/workflows/version-code-and-release.yml @@ -92,7 +92,7 @@ jobs: git push origin "dev-v$version" - name: Run Release Drafter - uses: release-drafter/release-drafter@v6 + uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 with: config-name: release-drafter.yml env: diff --git a/CLI.md b/CLI.md index 81da5ea516e..61e43abd6d3 100644 --- a/CLI.md +++ b/CLI.md @@ -265,6 +265,7 @@ Options: -e, --overwrite-exceptions Overwrite exceptions in existing rules -ac, --overwrite-action-connectors Overwrite action connectors in existing rules + -nt, --no-tactic-filename Allow rule filenames without tactic prefix. Use this if rules have been exported with this flag. -h, --help Show this message and exit. ``` @@ -481,7 +482,7 @@ Options: ### Exporting rules -This command should be run with the `CUSTOM_RULES_DIR` envvar set, that way proper validation is applied to versioning when the rules are downloaded. See the [custom rules docs](docs-dev/custom-rules.md) for more information. +This command should be run with the `CUSTOM_RULES_DIR` envvar set, that way proper validation is applied to versioning when the rules are downloaded. See the [custom rules docs](docs-dev/custom-rules-management.md) for more information. ``` python -m detection_rules kibana export-rules -h 
@@ -520,6 +521,7 @@ Options: -e, --export-exceptions Include exceptions in export -s, --skip-errors Skip errors when exporting rules -sv, --strip-version Strip the version fields from all rules + -nt, --no-tactic-filename Exclude tactic prefix in exported filenames for rules. Use same flag for import-rules to prevent warnings and disable its unit test. -h, --help Show this message and exit. ``` diff --git a/detection_rules/cli_utils.py b/detection_rules/cli_utils.py index 96aa258c05c..102b03a58e0 100644 --- a/detection_rules/cli_utils.py +++ b/detection_rules/cli_utils.py @@ -23,6 +23,9 @@ dict_filter) from .schemas import definitions from .utils import clear_caches, rulename_to_filename +from .config import parse_rules_config + +RULES_CONFIG = parse_rules_config() def single_collection(f): @@ -66,11 +69,15 @@ def multi_collection(f): @click.option("--directory", "-d", multiple=True, type=click.Path(file_okay=False), required=False, help="Recursively load rules from a directory") @click.option("--rule-id", "-id", multiple=True, required=False) + @click.option("--no-tactic-filename", "-nt", is_flag=True, required=False, + help="Allow rule filenames without tactic prefix. " + "Use this if rules have been exported with this flag.") @functools.wraps(f) def get_collection(*args, **kwargs): rule_id: List[str] = kwargs.pop("rule_id", []) rule_files: List[str] = kwargs.pop("rule_file") directories: List[str] = kwargs.pop("directory") + no_tactic_filename: bool = kwargs.pop("no_tactic_filename", False) rules = RuleCollection() 
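Review bot: `RULES_CONFIG = parse_rules_config()` at module scope turns a config read into an import-time side effect of `cli_utils`: any problem with the rules config now surfaces when the module is imported rather than when a command that needs the value runs, and the result is frozen for the life of the process. The only consumer visible in this change is `get_collection`, so a lazy read there, `no_tactic_filename = no_tactic_filename or parse_rules_config().no_tactic_filename`, avoids the module-level constant; if `parse_rules_config` is cached elsewhere in the project (not visible here) the cost is negligible. The new `from .config import parse_rules_config` line is also appended after `from .utils import ...`, breaking the alphabetical order of the surrounding relative imports.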
@@ -99,7 +106,10 @@ def get_collection(*args, **kwargs): for rule in rules: threat = rule.contents.data.get("threat") first_tactic = threat[0].tactic.name if threat else "" - rule_name = rulename_to_filename(rule.contents.data.name, tactic_name=first_tactic) + # Check if flag or config is set to not include tactic in the filename + no_tactic_filename = no_tactic_filename or RULES_CONFIG.no_tactic_filename + tactic_name = None if no_tactic_filename else first_tactic + rule_name = rulename_to_filename(rule.contents.data.name, tactic_name=tactic_name) if rule.path.name != rule_name: click.secho( f"WARNING: Rule path does not match required path: {rule.path.name} != {rule_name}", fg="yellow" @@ -210,18 +220,11 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos # DEFAULT_PREBUILT_RULES_DIRS[0] is a required directory just as a suggestion suggested_path = Path(DEFAULT_PREBUILT_RULES_DIRS[0]) / contents['name'] path = Path(path or input(f'File path for rule [{suggested_path}]: ') or suggested_path).resolve() - # Inherit maturity from the rule already exists - maturity = "development" - if path.exists(): - rules = RuleCollection() - rules.load_file(path) - if rules: - maturity = rules.rules[0].contents.metadata.maturity - + # Inherit maturity and optionally local dates from the rule if it already exists meta = { - "creation_date": creation_date, - "updated_date": creation_date, - "maturity": maturity, + "creation_date": kwargs.get("creation_date") or creation_date, + "updated_date": kwargs.get("updated_date") or creation_date, + "maturity": "development" or kwargs.get("maturity"), } try: diff --git a/detection_rules/config.py b/detection_rules/config.py index c09cdf9ea7b..cd2804c35f3 100644 --- a/detection_rules/config.py +++ b/detection_rules/config.py 
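Review bot: `no_tactic_filename = no_tactic_filename or RULES_CONFIG.no_tactic_filename` is re-evaluated on every iteration of `for rule in rules:` although neither operand depends on the rule, and it rebinds the closure's local inside the loop, which reads as if per-rule state were intended. Hoist it above the loop as `drop_tactic = no_tactic_filename or RULES_CONFIG.no_tactic_filename` and keep the per-rule line to `tactic_name = None if drop_tactic else first_tactic`. The enclosing `get_collection` starts before this hunk.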
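Review bot: `"maturity": "development" or kwargs.get("maturity")` always evaluates to `"development"` because the non-empty string literal is truthy, so a caller-supplied maturity is silently discarded. The operands need swapping: `"maturity": kwargs.get("maturity") or "development",`. The new comment `# Inherit maturity and optionally local dates from the rule if it already exists` also no longer matches the code: the removed block that loaded the existing rule at `path` has no replacement, and nothing in the new lines opens `path`, so either that lookup is reinstated explicitly or the comment should say the values come from `kwargs`. `rule_prompt` starts before and continues after this hunk.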
@@ -193,6 +193,7 @@ class RulesConfig: exception_dir: Optional[Path] = None normalize_kql_keywords: bool = True bypass_optional_elastic_validation: bool = False + no_tactic_filename: bool = False def __post_init__(self): """Perform post validation on packages.yaml file.""" @@ -311,6 +312,10 @@ def parse_rules_config(path: Optional[Path] = None) -> RulesConfig: if contents['bypass_optional_elastic_validation']: set_all_validation_bypass(contents['bypass_optional_elastic_validation']) + # no_tactic_filename + contents['no_tactic_filename'] = loaded.get('no_tactic_filename', False) + + # return the config try: rules_config = RulesConfig(test_config=test_config, **contents) except (ValueError, TypeError) as e: diff --git a/detection_rules/custom_rules.py b/detection_rules/custom_rules.py index befac07eab8..dd99006750e 100644 --- a/detection_rules/custom_rules.py +++ b/detection_rules/custom_rules.py @@ -15,7 +15,7 @@ from .utils import ROOT_DIR, get_etc_path, load_etc_dump DEFAULT_CONFIG_PATH = Path(get_etc_path('_config.yaml')) -CUSTOM_RULES_DOC_PATH = Path(ROOT_DIR).joinpath(REPO_DOCS_DIR, 'custom-rules.md') +CUSTOM_RULES_DOC_PATH = Path(ROOT_DIR).joinpath(REPO_DOCS_DIR, 'custom-rules-management.md') @root.group('custom-rules') diff --git a/detection_rules/etc/_config.yaml b/detection_rules/etc/_config.yaml index 5ad6dd6f2a2..08377486ff1 100644 --- a/detection_rules/etc/_config.yaml +++ b/detection_rules/etc/_config.yaml 
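Review bot: `contents['no_tactic_filename'] = loaded.get('no_tactic_filename', False)` accepts whatever YAML value is present, and the `bool` annotation on the `RulesConfig` dataclass field is not enforced at runtime, so a quoted `'False'` or `'no'` in `_config.yaml` is truthy and silently disables the tactic prefix for every rule. Validate the type before constructing the dataclass, e.g. `if not isinstance(contents['no_tactic_filename'], bool): raise ValueError("no_tactic_filename must be a boolean")`, which fits the `except (ValueError, TypeError)` handling just below. The bare `# return the config` comment above a `try:` that also constructs the object is slightly misleading; `# build and validate the config` would be more accurate. `parse_rules_config` starts before this hunk.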
@@ -72,3 +72,8 @@ normalize_kql_keywords: False # If set in this file, the path should be relative to the location of this config. If passed as an environment variable, # it should be the full path # Note: Using the `custom-rules setup-config ` command will generate a config called `test_config.yaml` + +# To prevent the tactic prefix from being added to the rule filename, set the line below to True +# This config line can be used instead of specifying the `--no-tactic-filename` flag in the CLI +# Mind that for unit tests, you also want to disable the filename test in the test_config.yaml +# no_tactic_filename: True \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.18/8.18.base.json b/detection_rules/etc/api_schemas/8.18/8.18.base.json new file mode 100644 index 00000000000..23138b13640 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.18/8.18.base.json 
@@ -0,0 +1,412 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + 
"description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, 
+ "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + 
"required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.18/8.18.eql.json b/detection_rules/etc/api_schemas/8.18/8.18.eql.json new file mode 100644 index 00000000000..30f489eed55 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.18/8.18.eql.json 
@@ -0,0 +1,490 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "event_category_override": { + "min_compat": "8.0", + "type": "string" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + 
"interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + 
"minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { 
+ "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "tiebreaker_field": { + "min_compat": "8.0", + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.18/8.18.esql.json b/detection_rules/etc/api_schemas/8.18/8.18.esql.json new file mode 100644 index 00000000000..b3e42f35b45 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.18/8.18.esql.json 
@@ -0,0 +1,478 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + 
"additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + 
"type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.18/8.18.machine_learning.json b/detection_rules/etc/api_schemas/8.18/8.18.machine_learning.json new file mode 100644 index 00000000000..7b1b42c2223 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.18/8.18.machine_learning.json 
@@ -0,0 +1,476 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": 
false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + 
"properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.18/8.18.new_terms.json b/detection_rules/etc/api_schemas/8.18/8.18.new_terms.json new file mode 100644 index 00000000000..c0d7d437f87 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.18/8.18.new_terms.json 
@@ -0,0 +1,533 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "value": { + "description": "NewTermsFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "field", + "history_window_start", + "value" + ], + "type": "object" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" 
+ }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + 
"additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "new_terms", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ 
No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.18/8.18.query.json b/detection_rules/etc/api_schemas/8.18/8.18.query.json new file mode 100644 index 00000000000..408c8bbb9dd --- /dev/null +++ b/detection_rules/etc/api_schemas/8.18/8.18.query.json 
@@ -0,0 +1,482 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + 
}, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + 
"additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.18/8.18.threat_match.json b/detection_rules/etc/api_schemas/8.18/8.18.threat_match.json new file mode 100644 index 00000000000..f10aa0d859e --- /dev/null +++ b/detection_rules/etc/api_schemas/8.18/8.18.threat_match.json 
@@ -0,0 +1,573 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "items_per_search": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + 
"min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + 
"description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.18/8.18.threshold.json b/detection_rules/etc/api_schemas/8.18/8.18.threshold.json new file mode 100644 index 00000000000..58469621412 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.18/8.18.threshold.json 
@@ -0,0 +1,508 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + } + }, + "required": [ + "duration" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + 
}, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": 
"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", 
+ "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "field": { + "description": "CardinalityFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.base.json b/detection_rules/etc/api_schemas/9.0/9.0.base.json new file mode 100644 index 00000000000..23138b13640 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.base.json 
@@ -0,0 +1,412 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + 
"description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, 
+ "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + 
"required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.eql.json b/detection_rules/etc/api_schemas/9.0/9.0.eql.json new file mode 100644 index 00000000000..30f489eed55 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.eql.json 
@@ -0,0 +1,490 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "event_category_override": { + "min_compat": "8.0", + "type": "string" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + 
"interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + 
"minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { 
+ "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "tiebreaker_field": { + "min_compat": "8.0", + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.esql.json b/detection_rules/etc/api_schemas/9.0/9.0.esql.json new file mode 100644 index 00000000000..b3e42f35b45 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.esql.json 
@@ -0,0 +1,478 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + 
"additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + 
"type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.machine_learning.json b/detection_rules/etc/api_schemas/9.0/9.0.machine_learning.json new file mode 100644 index 00000000000..7b1b42c2223 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.machine_learning.json 
@@ -0,0 +1,476 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": 
false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + 
"properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.new_terms.json b/detection_rules/etc/api_schemas/9.0/9.0.new_terms.json new file mode 100644 index 00000000000..c0d7d437f87 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.new_terms.json 
@@ -0,0 +1,533 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "value": { + "description": "NewTermsFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "field", + "history_window_start", + "value" + ], + "type": "object" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" 
+ }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + 
"additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "new_terms", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ 
No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.query.json b/detection_rules/etc/api_schemas/9.0/9.0.query.json new file mode 100644 index 00000000000..408c8bbb9dd --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.query.json 
@@ -0,0 +1,482 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + 
}, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + 
"additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.threat_match.json b/detection_rules/etc/api_schemas/9.0/9.0.threat_match.json new file mode 100644 index 00000000000..f10aa0d859e --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.threat_match.json 
@@ -0,0 +1,573 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "items_per_search": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + 
"min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + 
"description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.threshold.json b/detection_rules/etc/api_schemas/9.0/9.0.threshold.json new file mode 100644 index 00000000000..58469621412 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.threshold.json 
@@ -0,0 +1,508 @@
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "additionalProperties": false,
+ "properties": {
+ "actions": {
+ "items": {
+ "type": [
+ "string",
+ "number",
+ "object",
+ "array",
+ "boolean"
+ ]
+ },
+ "type": "array"
+ },
+ "alert_suppression": {
+ "additionalProperties": false,
+ "properties": {
+ "duration": {
+ "additionalProperties": false,
+ "properties": {
+ "unit": {
+ "enum": [
+ "s",
+ "m",
+ "h"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "value": {
+ "description": "AlertSupressionValue",
+ "minimum": 1,
+ "type": "integer"
+ }
+ },
+ "required": [
+ "unit",
+ "value"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "duration"
+ ],
+ "type": "object"
+ },
+ "author": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "building_block_type": {
+ "enum": [
+ "default"
+ ],
+ "type": "string"
+ },
+ "data_view_id": {
+ "type": "string"
+ },
+ "description": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "exceptions_list": {
+ "items": {
+ "type": [
+ "string",
+ "number",
+ "object",
+ "array",
+ "boolean"
+ ]
+ },
+ "type": "array"
+ },
+ "false_positives": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "filters": {
+ "items": {
+ "additionalProperties": {
+ "type": [
+ "string",
+ "number",
+ "object",
+ "array",
+ "boolean"
+ ]
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "from": {
+ "type": "string"
+ },
+ "index": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "interval": {
+ "description": "Interval",
+ "pattern": "^\\d+[mshd]$",
+ "type": "string"
+ },
+ "investigation_fields": {
+ "additionalProperties": false,
+ "properties": {
+ "field_names": {
+ "items": {
+ "description": "NonEmptyStr",
+ "minLength": 1,
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "field_names"
+ ],
+ "type": "object"
+ },
+ "language": {
+ "enum": [
+ "eql",
+ "esql",
+ "kuery",
+ "lucene"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "license": {
+ "type": "string"
+ },
+ "max_signals": {
+ "description": "MaxSignals",
+ "minimum": 1,
+ "type": "integer"
+ },
+ "meta": {
+ "additionalProperties": {
+ "type": [
+ "string",
+ "number",
+ "object",
+ "array",
+ "boolean"
+ ]
+ },
+ "type": "object"
+ },
+ "name": {
+ "description": "RuleName",
+ "type": "string"
+ },
+ "note": {
+ "description": "MarkdownField",
+ "type": "string"
+ },
+ "query": {
+ "type": "string"
+ },
+ "references": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "related_integrations": {
+ "items": {
+ "additionalProperties": false,
+ "properties": {
+ "integration": {
+ "description": "NonEmptyStr",
+ "minLength": 1,
+ "type": "string"
+ },
+ "package": {
+ "description": "NonEmptyStr",
+ "minLength": 1,
+ "type": "string"
+ },
+ "version": {
+ "description": "NonEmptyStr",
+ "minLength": 1,
+ "type": "string"
+ }
+ },
+ "required": [
+ "package",
+ "version"
+ ],
+ "type": "object"
+ },
+ "min_compat": "8.3",
+ "type": "array"
+ },
+ "required_fields": {
+ "items": {
+ "additionalProperties": false,
+ "properties": {
+ "ecs": {
+ "type": "boolean"
+ },
+ "name": {
+ "description": "NonEmptyStr",
+ "minLength": 1,
+ "type": "string"
+ },
+ "type": {
+ "description": "NonEmptyStr",
+ "minLength": 1,
+ "type": "string"
+ }
+ },
+ "required": [
+ "ecs",
+ "name",
+ "type"
+ ],
+ "type": "object"
+ },
+ "min_compat": "8.3",
+ "type": "array"
+ },
+ "revision": {
+ "min_compat": "8.8",
+ "type": "integer"
+ },
+ "risk_score": {
+ "description": "MaxSignals",
+ "maximum": 100,
+ "minimum": 1,
+ "type": "integer"
+ },
+ "risk_score_mapping": {
+ "items": {
+ "additionalProperties": false,
+ "properties": {
+ "field": {
+ "type": "string"
+ },
+ "operator": {
+ "enum": [
+ "equals"
+ ],
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "field"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "rule_id": {
+ "description": "UUIDString",
+ "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
+ "type": "string"
+ },
+ "rule_name_override": {
+ "type": "string"
+ },
+ "setup": {
+ "description": "MarkdownField",
+ "min_compat": "8.3",
+ "type": "string"
+ },
+ "severity": {
+ "enum": [
+ "low",
+ "medium",
+ "high",
+ "critical"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "severity_mapping": {
+ "items": {
+ "additionalProperties": false,
+ "properties": {
+ "field": {
+ "type": "string"
+ },
+ "operator": {
+ "enum": [
+ "equals"
+ ],
+ "type": "string"
+ },
+ "severity": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "field"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "tags": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "threat": {
+ "items": {
+ "additionalProperties": false,
+ "properties": {
+ "framework": {
+ "enum": [
+ "MITRE ATT&CK"
+ ],
+ "type": "string"
+ },
+ "tactic": {
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "reference": {
+ "description": "TacticURL",
+ "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "name",
+ "reference"
+ ],
+ "type": "object"
+ },
+ "technique": {
+ "items": {
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "reference": {
+ "description": "TechniqueURL",
+ "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
+ "type": "string"
+ },
+ "subtechnique": {
+ "items": {
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "reference": {
+ "description": "SubTechniqueURL",
+ "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "name",
+ "reference"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "id",
+ "name",
+ "reference"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "framework",
+ "tactic"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "threshold": {
+ "additionalProperties": false,
+ "properties": {
+ "cardinality": {
+ "items": {
+ "additionalProperties": false,
+ "properties": {
+ "field": {
+ "type": "string"
+ },
+ "value": {
+ "description": "ThresholdValue",
+ "minimum": 1,
+ "type": "integer"
+ }
+ },
+ "required": [
+ "field",
+ "value"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "field": {
+ "description": "CardinalityFields",
+ "items": {
+ "description": "NonEmptyStr",
+ "minLength": 1,
+ "type": "string"
+ },
+ "maxItems": 3,
+ "type": "array"
+ },
+ "value": {
+ "description": "ThresholdValue",
+ "minimum": 1,
+ "type": "integer"
+ }
+ },
+ "required": [
+ "field",
+ "value"
+ ],
+ "type": "object"
+ },
+ "throttle": {
+ "type": "string"
+ },
+ "timeline_id": {
+ "description": "TimelineTemplateId",
+ "type": "string"
+ },
+ "timeline_title": {
+ "description": "TimelineTemplateTitle",
+ "type": "string"
+ },
+ "timestamp_override": {
+ "type": "string"
+ },
+ "to": {
+ "type": "string"
+ },
+ "type": {
+ "enum": [
+ "threshold"
+ ],
+ "type": "string"
+ },
+ "version": {
+ "description": "PositiveInteger",
+ "minimum": 1,
+ "type": "integer"
+ }
+ },
+ "required": [
+ "author",
+ "description",
+ "language",
+ "name",
+ "query",
+ "risk_score",
+ "rule_id",
+ "severity",
+ "threshold",
+ "type"
+ ],
+ "type": "object"
+}
\ No newline at end of file
diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz
index 153ad622d90..8113ae49e7d 100644
Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/v9.0.0-beta1.json.gz b/detection_rules/etc/beats_schemas/v9.0.0-beta1.json.gz
new file mode 100644
index 00000000000..67d74043fab
Binary files /dev/null and b/detection_rules/etc/beats_schemas/v9.0.0-beta1.json.gz differ
diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json
index 86741c17a96..238882a0f48 100644
--- a/detection_rules/etc/deprecated_rules.json
+++ b/detection_rules/etc/deprecated_rules.json
@@ -1,4 +1,9 @@
 {
+ "03a514d9-500e-443e-b6a9-72718c548f6c": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - SSH Process Launched From Inside A Container",
+ "stack_version": "8.14"
+ },
 "041d4d41-9589-43e2-ba13-5680af75ebc2": {
 "deprecation_date": "2023/09/25",
 "rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
@@ -49,11 +54,21 @@
 "rule_name": "SQL Traffic to the Internet",
 "stack_version": "7.14.0"
 },
+ "160896de-b66f-42cb-8fef-20f53a9006ea": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Potential Container Escape via Modified release_agent File",
+ "stack_version": "8.14"
+ },
 "1859ce38-6a50-422b-a5e8-636e231ea0cd": {
 "deprecation_date": "2022/05/09",
 "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
 "stack_version": "7.16"
 },
+ "1a289854-5b78-49fe-9440-8a8096b1ab50": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container",
+ "stack_version": "8.14"
+ },
 "20dc4620-3b68-4269-8124-ca5091e00ea8": {
 "deprecation_date": "2022/07/25",
 "rule_name": "Auditd Max Login Sessions",
@@ -89,6 +104,11 @@
 "rule_name": "Malicious Remote File Creation",
 "stack_version": "8.9"
 },
+ "342f834b-21a6-41bf-878c-87d116eba3ee": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container",
+ "stack_version": "8.14"
+ },
 "3605a013-6f0c-4f7d-88a5-326f5be262ec": {
 "deprecation_date": "2022/08/01",
 "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
@@ -104,11 +124,26 @@
 "rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
 "stack_version": "8.12"
 },
+ "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Mount Launched Inside a Privileged Container",
+ "stack_version": "8.14"
+ },
+ "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Interactive Exec Command Launched Against A Running Container",
+ "stack_version": "8.14"
+ },
 "43303fd4-4839-4e48-b2b2-803ab060758d": {
 "deprecation_date": "2022/09/13",
 "rule_name": "Web Application Suspicious Activity: No User Agent",
 "stack_version": "8.5"
 },
+ "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Sensitive Files Compression Inside A Container",
+ "stack_version": "8.14"
+ },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "deprecation_date": "2021/03/17",
 "rule_name": "Execution via Regsvcs/Regasm",
@@ -129,6 +164,11 @@
 "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
 "stack_version": "8.3"
 },
+ "4b4e9c99-27ea-4621-95c8-82341bc6e512": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Container Workload Protection",
+ "stack_version": "8.14"
+ },
 "5e87f165-45c2-4b80-bfa5-52822552c997": {
 "deprecation_date": "2022/03/16",
 "rule_name": "Potential PrintNightmare File Modification",
@@ -159,6 +199,11 @@
 "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
 "stack_version": "8.5"
 },
+ "6c6bb7ea-0636-44ca-b541-201478ef6b50": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Container Management Utility Run Inside A Container",
+ "stack_version": "8.14"
+ },
 "6ea71ff0-9e95-475b-9506-2580d1ce6154": {
 "deprecation_date": "2022/08/02",
 "rule_name": "DNS Activity to the Internet",
@@ -224,6 +269,11 @@
 "rule_name": "Deprecated - Suspicious JAVA Child Process",
 "stack_version": "8.12"
 },
+ "8d3d0794-c776-476b-8674-ee2e685f6470": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container",
+ "stack_version": "8.14"
+ },
 "8fed8450-847e-43bd-874c-3bbf0cd425f3": {
 "deprecation_date": "2022/05/09",
 "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
@@ -234,6 +284,16 @@
 "rule_name": "Auditd Login Attempt at Forbidden Time",
 "stack_version": "7.16"
 },
+ "9661ed8b-001c-40dc-a777-0983b7b0c91a": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container",
+ "stack_version": "8.14"
+ },
+ "97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container",
+ "stack_version": "8.14"
+ },
 "97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
 "deprecation_date": "2022/05/09",
 "rule_name": "Linux Restricted Shell Breakout via the SSH command",
@@ -259,6 +319,11 @@
 "rule_name": "Network Connection via Mshta",
 "stack_version": "7.10.0"
 },
+ "a52a9439-d52c-401c-be37-2785235c6547": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Netcat Listener Established Inside A Container",
+ "stack_version": "8.14"
+ },
 "a5f0d057-d540-44f5-924d-c6a2ae92f045": {
 "deprecation_date": "2023/06/22",
 "rule_name": "Potential SSH Brute Force Detected on Privileged Account",
@@ -309,6 +374,11 @@
 "rule_name": "Socat Process Activity",
 "stack_version": "7.14.0"
 },
+ "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - AWS Credentials Searched For Inside A Container",
+ "stack_version": "8.14"
+ },
 "d2053495-8fe7-4168-b3df-dad844046be3": {
 "deprecation_date": "2021/04/15",
 "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
@@ -364,16 +434,36 @@
 "rule_name": "Suspicious Network Connection Attempt by Root",
 "stack_version": "8.3"
 },
+ "ec604672-bed9-43e1-8871-cf591c052550": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - File Made Executable via Chmod Inside A Container",
+ "stack_version": "8.14"
+ },
 "ee619805-54d7-4c56-ba6f-7717282ddd73": {
 "deprecation_date": "2022/05/09",
 "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
 "stack_version": "7.16"
 },
+ "ef65e82c-d8b4-4895-9824-5f6bc6166804": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File",
+ "stack_version": "8.14"
+ },
 "f52362cd-baf1-4b6d-84be-064efc826461": {
 "deprecation_date": "2022/05/09",
 "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
 "stack_version": "7.16"
 },
+ "f5488ac1-099e-4008-a6cb-fb638a0f0828": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - SSH Connection Established Inside A Running Container",
+ "stack_version": "8.14"
+ },
+ "f7769104-e8f9-4931-94a2-68fc04eadec3": {
+ "deprecation_date": "2025/03/14",
+ "rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container",
+ "stack_version": "8.14"
+ },
 "fb9937ce-7e21-46bf-831d-1ad96eac674d": {
 "deprecation_date": "2022/07/25",
 "rule_name": "Auditd Max Failed Login Attempts",
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz
index 0fac25c807b..b1debf2986e 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz
index e4f729907d1..7cc61d2ff24 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz
index 291900511ac..112dc50a3b5 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz
index d5e001596ff..2a5f6db2b97 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz
index 2dcc966716d..c74a7ec3c50 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz
index a60a125e20d..df4159cdd2c 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz
index 5408e1c30c8..9df569a99ba 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz
index c6c03bd074c..cc9db3ad937 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
index 9aafe1ab2ae..6985f13c846 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
index af7f77ba444..f3640a9f156 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
index a24bbf0c4b4..4ec16782936 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
index 90f687aa8e2..fc47f2252ea 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
index b26730fa239..33f47f3898c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
index be771063d6d..b12191c5a75 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index f33919b87af..6cdb906fd0b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index e1b54ce824d..feabc7383f5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
index 175ece06abc..22063834bf8 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
index 674067433f9..e61edfa2c25 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
index 45daaf55a72..b626429f186 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
index 51febb7afee..cd9730ef105 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
index 303331297ae..3b87f5edf98 100644
Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz
index 4ac255b4097..95adfb78d69 100644
Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz
index aa64cb43440..02d3c71bc3a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz
index 033fb104e74..9d104f3ae9e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index 4dd71dd3b4e..d4c89804cc0 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index c635df73f52..e393907d845 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index 87de001179e..c9b9575d1e2 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index f1856dca63d..3aeb7b5793d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index 8a68f15eaac..1ed55b9d3ed 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index 2d640b23a96..97c51daff8a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index 5c0b6c385be..72e5a9c2ff1 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index 0d27552154d..4a562b1aead 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
index c027f24930f..30457da4c4f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
index e01cf600b49..461024cc34c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
index d07512ea8af..31c2cb74364 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
index 3f44b5f1390..88a248a9895 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
index b12705f32f3..5d37050c954 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
index 967994501d6..0eb0ae8319a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
index 82c56b53964..5c594b449a1 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index c130dfe2cc6..76b23916bd4 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
index bb2f0df7a16..9350a574307 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
index a6ca7b4097d..0decb7b7bb8 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
index 9d047ac108f..235703e4d50 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
index 5534a7b6468..099c6bfdff5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
index c4c254875b6..3499755a9d7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
index 8f51271b11a..6647e142815 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
index b81159c1cb6..f429412d744 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
index ff5415e8e18..5c307f7848b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
index d0b5374feb0..634c97709be 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
index 5ca1100cb4a..8927220fe1d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
index af36bcd63bb..b271414ff4e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
index ebb1adff0f4..6c010231f24 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
index 757bbb84a27..d2e8da922c5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
index e8dea1501ad..ac262534317 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
index cedfec56a63..17a3c1ce8bb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
index 8f6d0c5cd05..b71823784ed 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
index 91663576453..26f93a77493 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
index d85d2193d76..869807302b7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz
new file mode 100644
index 00000000000..24195864081
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz
new file mode 100644
index 00000000000..9e7da101a54
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_9.0.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_9.0.0-dev/ecs_flat.json.gz
deleted file mode 100644
index 98b02206359..00000000000
Binary files a/detection_rules/etc/ecs_schemas/master_9.0.0-dev/ecs_flat.json.gz and /dev/null differ
diff --git a/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz
new file mode 100644
index 00000000000..d4a3739217b
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 4cc6c08403c..dd75165f85a 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index f40e96fdeb5..1c6db5e9bd0 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index e6d3889f9ce..dd3eac23cf0 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -164,11 +164,17 @@
 "aws.cloudtrail.flattened.request_parameters.key": "keyword",
 "aws.cloudtrail.flattened.request_parameters.includeDeprecated": "keyword",
 "aws.cloudtrail.flattened.request_parameters.withDecryption": "boolean",
- "aws.cloudtrail.flattened.request_parameters.instanceId": "keyword"
+ "aws.cloudtrail.flattened.request_parameters.instanceId": "keyword",
+ "aws.cloudtrail.flattened.request_parameters.dryRun": "boolean",
+ "aws.cloudtrail.flattened.request_parameters.clientToken": "keyword",
+ "aws.cloudtrail.flattened.response_elements.s3BucketName": "keyword",
+ "aws.cloudtrail.flattened.response_elements.tableArn": "keyword"
 },
 "logs-azure.signinlogs-*": {
 "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword",
- "azure.signinlogs.properties.original_transfer_method": "keyword"
+ "azure.signinlogs.properties.original_transfer_method": "keyword",
+ "azure.auditlogs.properties.target_resources.0.display_name": "keyword",
+ "azure.signinlogs.properties.authentication_details.authentication_method": "keyword"
 },
 "logs-azure.activitylogs-*": {
 "azure.activitylogs.properties.authentication_protocol": "keyword",
diff --git a/detection_rules/etc/packages.yaml b/detection_rules/etc/packages.yaml
index a72de41bf9a..d326f1f04a1 100644
--- a/detection_rules/etc/packages.yaml
+++ b/detection_rules/etc/packages.yaml
@@ -3,7 +3,7 @@ package:
 maturity:
 - production
 log_deprecated: true
- name: '8.18'
+ name: '9.1'
 registry_data:
 categories:
 - security
@@ -12,7 +12,7 @@ package:
 capabilities:
 - security
 subscription: basic
- kibana.version: ^8.18.0
+ kibana.version: ^9.1.0
 description: Prebuilt detection rules for Elastic Security
 format_version: 3.0.0
 icons:
@@ -27,5 +27,5 @@ package:
 license: Elastic-2.0
 title: Prebuilt Security Detection Rules
 type: integration
- version: 8.18.0-beta.1
+ version: 9.1.0-beta.1
 release: true
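Review bot: `azure.auditlogs.properties.target_resources.0.display_name` is added inside the `logs-azure.signinlogs-*` object even though its prefix names the audit-log data stream, so a rule validated against sign-in logs would be accepted for a field that presumably only exists under the audit-log index pattern (not shown in this hunk) and would silently match nothing at runtime; please confirm the intended index pattern or move the entry. The `.0.` segment also bakes an array position into the field name, so if the loader treats keys as literal dotted paths it is worth checking that this is the form the consuming rule actually queries rather than `target_resources.display_name`. The rest of the hunk only appends CloudTrail and sign-in-log fields with plausible types.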
diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml
index 40d90e1c361..58747ac41eb 100644
--- a/detection_rules/etc/stack-schema-map.yaml
+++ b/detection_rules/etc/stack-schema-map.yaml
@@ -87,17 +87,17 @@ # ecs: "8.11.0" # endgame: "8.4.0" -## Supported +# "8.12.0": +# beats: "8.12.2" +# ecs: "8.11.0" +# endgame: "8.4.0" -"8.12.0": - beats: "8.12.2" - ecs: "8.11.0" - endgame: "8.4.0" +# "8.13.0": +# beats: "8.13.4" +# ecs: "8.11.0" +# endgame: "8.4.0" -"8.13.0": - beats: "8.13.4" - ecs: "8.11.0" - endgame: "8.4.0" +## Supported "8.14.0": beats: "8.14.3"
@@ -122,4 +122,14 @@
 "8.18.0":
 beats: "8.17.1"
 ecs: "8.17.0"
+ endgame: "8.4.0"
+
+"9.0.0":
+ beats: "9.0.0-beta1"
+ ecs: "9.0.0-rc1"
+ endgame: "8.4.0"
+
+"9.1.0":
+ beats: "9.0.0-beta1"
+ ecs: "9.0.0-rc1"
 endgame: "8.4.0"
\ No newline at end of file
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index aedc3c1153f..1e286b7e2d4 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
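Review bot: The new `"9.0.0"` and `"9.1.0"` entries in the second hunk both pin pre-release schemas (`beats: "9.0.0-beta1"`, `ecs: "9.0.0-rc1"`), and `"9.1.0"` reuses the 9.0.0 set, so schema validation for 9.1 rules will presumably not see fields introduced after ECS 9.0.0-rc1 even though a `master_9.1.0-dev` ECS snapshot is added elsewhere in this diff. Since the file's convention is to annotate blocks with `#` comments, a one-line marker would keep this from being forgotten, e.g. `# 9.x entries pin pre-release beats/ecs schemas; update once GA schemas are published`. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which could be fixed here since the last line is already being touched.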
@@ -2,240 +2,146 @@ "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 309, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99", "type": "query", "version": 211 - }, - "8.14": { - "max_allowable_version": 410, - "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99", - "type": "query", - "version": 312 } }, "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "983f1980633f2fdeefc4b7d50b5e5662382880e65a27b51351387386cf225207", + "sha256": "c20587a8ab6fd3eca1af36791ab72c6e93932909b75c936ce7ba54d78244a194", "type": "query", - "version": 412 + "version": 413 }, "00140285-b827-4aee-aa09-8113f58a08f3": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "8cd037720adc468e6c21ea2add4914a716d1fa7f3ffb7542a3196bf05c40a420", - "type": "eql", - "version": 116 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "148b877fd8c02c9338683afb02175ecd6f5cae155844fb6eb12205e1a4bfaf4b", - "type": "eql", - "version": 216 - } - }, "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "b3a3605004e2c4a6c948a89b070b0ee2a28e33958a603a1c06e4bcf9dfa1553d", + "sha256": "a3f03ff868732e2c9ba9624fd88f9418c595f1ef12ae71f0193e302499576927", "type": "eql", - "version": 316 + "version": 317 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "System Shells via Services", - "sha256": "94047c055fb327e889a977deaf20ab8494f8d7c817d09a9039eecead9f00ec21", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 413, - 
"rule_name": "System Shells via Services", - "sha256": "2b030c8d49b750ea50e794ec65195cccb5c668d04a6eb1c0e9f00bd274fe1289", - "type": "eql", - "version": 316 - } - }, "rule_name": "System Shells via Services", - "sha256": "c6c35ad0725cb2e48652c4674ae470c1adbbbdccbd396fa2c586f2edae14028e", + "sha256": "50b5e55ce013601693709a7c660557ea3650108abe9cad6b593f8e98f86e089f", "type": "eql", - "version": 417 + "version": 418 }, "0049cf71-fe13-4d79-b767-f7519921ffb5": { "rule_name": "System Binary Path File Permission Modification", - "sha256": "9e9b47bac87abaaf02aeaf05eedd8f1a653fc1029c4f02a0045c900af6fa03a6", + "sha256": "800161fc32e31a2c53bce733e3b236edb7b4db194e4178805bd0b9f007ad8667", "type": "eql", - "version": 3 + "version": 4 }, "00546494-5bb0-49d6-9220-5f3b4c12f26a": { "rule_name": "Uncommon Destination Port Connection by Web Server", - "sha256": "5c43e4b67433d9c17dcf3ec0723c08adddc753da5e15b8db551590e207c5d0b1", + "sha256": "5457fd6bcc9e6731474ebf879608ba2ee0b97dea2fb711d15e9192ddd9fc1297", "type": "eql", - "version": 1 + "version": 2 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", - "sha256": "084af080fe0d6182cf5ea6c48b232167996f3eead720253e885568afa89e5afa", + "sha256": "580e24ede83d9d5caf5d2812e63b7a214b0a252cab6fd2303b133d53aa72a62c", "type": "query", - "version": 4 + "version": 5 }, "0136b315-b566-482f-866c-1d8e2477ba16": { "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "3d31dd5d0a8353000b212c5ffe3b14f5abe88a3f98db97488625321608bd20f0", + "sha256": "29e4d1aa622be675f168933ac81464217a9e07b6179b39d1d87d79855756f7da", "type": "query", - "version": 207 + "version": 208 }, "015cca13-8832-49ac-a01b-a396114809f6": { "rule_name": "AWS Redshift Cluster Creation", - "sha256": "1341375c3cccb30e7ed441439c386122fec8eca43759b591f42c42d2bd11083f", + "sha256": "1030abb7a5bf0cd851e8b2e89515373b2e37b97212c98a49acb7f02e2c88c5d0", "type": "query", - "version": 207 + "version": 208 }, 
"0171f283-ade7-4f87-9521-ac346c68cc9b": { "rule_name": "Potential Network Scan Detected", - "sha256": "5f3a83500924433610b33b689f87387a563f69eb5121b6ebac645d00b7944040", + "sha256": "d6d9184d00f5e29a67dd384df800ace05c44f046ceab5021a67e04994f29355e", "type": "threshold", - "version": 10 + "version": 11 }, "017de1e4-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Memory Threat - Detected - Elastic Defend", - "sha256": "8c608745f949a23f1981034b99641bc9f149c2fab5f595f6c8df610e22a011ad", + "sha256": "4b5cf946fbef7291c316ea447ec618ab3eaad8c1c8c3910e19b73db021685c7f", "type": "query", - "version": 3 + "version": 4 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", - "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", - "type": "new_terms", - "version": 104 - } - }, "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", - "sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28", + "sha256": "8494ff1283354c75b42b8e02fd67f53e3922a7fb3314d8e0b31c331bb5ef8bee", "type": "new_terms", - "version": 204 + "version": 205 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "810907d90a27aee361c0e4bdf4d0bfe79e58e47c2b9f7a8df4b14ad750f1aa8a", - "type": "eql", - "version": 108 - } - }, "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "415830680cf9d50d3845dbb66278e1153b189e660304ba0a15ca8d3d5f47ed5d", + "sha256": "816f9c87c4ad112c1a2215eaeaa7bca5df7e9ca06d371dee4aa3eaf0f9126799", "type": "eql", - "version": 209 + "version": 210 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - 
"max_allowable_version": 203, - "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", - "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", - "type": "new_terms", - "version": 104 - } - }, "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", - "sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e", + "sha256": "f5df37e14f6d03c31aa51fd0dfb1be6bbf64ea621ef489f7024c395cdca98ae3", "type": "new_terms", - "version": 204 + "version": 205 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an Elevated Token", - "sha256": "1ac8ed3b1ca5fea1b2f1908042c00a316d4459af2220eb483569bcea820be9c1", + "sha256": "0f737c2d74b7bce92e3a0801d7c621fad59f611b8a6318082360e8048e22c555", "type": "eql", - "version": 7 + "version": 8 }, "02a4576a-7480-4284-9327-548a806b5e48": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 307, - "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "376189f0989a9c834ea9e807f1c31236301e528eec227aa389419a7e53aeabf0", - "type": "eql", - "version": 209 - } - }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "3e2498d141db920ce8fc17488acde7032ea81b42d39f7e26c4050febb32a3bec", + "sha256": "a36779685ea9796fed29d14a8be92814d19e3434c8b02f25e9e345089c67934d", "type": "eql", - "version": 309 + "version": 310 + }, + "02b4420d-eda2-4529-9e46-4a60eccb7e2d": { + "min_stack_version": "8.18", + "rule_name": "Spike in Group Privilege Change Events", + "sha256": "692c1a36a0b2fca62209c78d246d9751cff9225601618f29cf6300448186f64c", + "type": "machine_learning", + "version": 2 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { "rule_name": "Potential Ransomware Note File Dropped via SMB", - "sha256": "8ddaecb1abd24bc5406103c8f6edc29cd35f7748ba01ecc725ade824b6e50cde", + "sha256": "13ae97b8af4d0537fafcc22211d1d0929e4c565a9500797a3271a72a0ad1fe21", "type": "eql", - 
"version": 4 + "version": 5 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "a07d5178b0d63fe45832be7feae2eea146956b3b81baf2c247c23c39a4465af4", + "sha256": "88989ab8b740f21291d5cc7e69d4e4b1e99d2e2c2b07bfd9148e3789d9d428fe", "type": "query", - "version": 107 + "version": 108 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "6914713f09336f9c3dd081ef53ac47488673b0d06d86d731eae0c68021783845", + "sha256": "7bcaff443a1bb96f5e341100e2e292d84cc3903565ae92dacc25e3f748115458", "type": "query", - "version": 207 + "version": 208 }, "035889c4-2686-4583-a7df-67f89c292f2c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "4c5ca4a33be28031ab32a084760e988f017a7edd84cc8c08f314f52d3873cb50", - "type": "threshold", - "version": 113 - } - }, "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "7bb30e533a5784e8b443498afc2acd04fa726e74eec86a301107c57c0e73a4fd", + "sha256": "0c4ec1d507c126ae6380607a6574c41a3294fab94558aedf901756ad1a8210ca", "type": "threshold", - "version": 213 + "version": 214 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { "rule_name": "Potential Memory Seeking Activity", - "sha256": "20152e6156019129d0fbbb345d391d5e782b2a10b7ae835fd26d8be3e6e3838c", + "sha256": "dedb6322eaab6573b8c3144956f65672b6718bffcef1b284a29a24a6c1e21ed7", "type": "eql", - "version": 3 + "version": 4 }, "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Suspicious Dynamic Linker Discovery via od", - "sha256": "63da0c176cc07352e9a1cb9d92ededc8900ca1b1c6f6dfa5b1d8af6e158f55fa", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious Dynamic Linker Discovery via od", - "sha256": 
"bd5bbad719e965a90859b0a4bdedba465855590236e80fa2f05be1b1943c969e", + "sha256": "e83c935e6d617c47f77d10c89583b0853096f2dc9ed2a02f09b1e1a8f289f53c", "type": "eql", - "version": 104 + "version": 105 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { "rule_name": "Deprecated - SSH Process Launched From Inside A Container", @@ -245,21 +151,21 @@ }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { "rule_name": "Potential Network Scan Executed From Host", - "sha256": "ae3ea0137d74ca472a7ba99931f0fb829c7b6419004e69b9a9a0ac88b87e0ebb", + "sha256": "e580ba79337e7a10332fb5f88b115eef93b21f3ad2a279e74d1c75c108c03ef4", "type": "threshold", - "version": 4 + "version": 5 }, "0415258b-a7b2-48a6-891a-3367cd9d4d31": { "rule_name": "First Time AWS Cloudformation Stack Creation by User", - "sha256": "52da905207d1e7c88fc6422717c8a5e4a92dc36ee070a06fc4bcdbc3d90476d3", + "sha256": "f3afdb8992d13d7f22885ad1e0830d137ffc255a0a80d26bf79fbd56875dd7ed", "type": "new_terms", - "version": 2 + "version": 3 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Modification of OpenSSH Binaries", - "sha256": "3b26f04620990f0636c48d69c7dddb1091ac744f61ef4244cf1bf27d38677ecc", + "sha256": "23e06d221c7444ec7356f1e438f068fdd7561ddf06abfc52e076cea7b2453742", "type": "query", - "version": 111 + "version": 112 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", 
@@ -268,333 +174,168 @@ "version": 105 }, "043d80a3-c49e-43ef-9c72-1088f0c7b278": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "47373227a503f5fe1fde96d536e6a205fcac83b971b0dee087b3614cd96c814f", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "8d179fe06605d1b9a62c3cda5f232e20d6e98172b8c62bc1ac5e3c362f0caf83", - "type": "eql", - "version": 103 - } - }, "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "95d69d7ba9d1821cb7a31fc102eddbf4725f3512d45f8c1129cd08902c00b9da", + "sha256": "cf668d4aa6fecbcdef0935a3a0a2934de783f8889d5a9b2511cd407c9af1f958", "type": "eql", - "version": 203 + "version": 204 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { "rule_name": "Azure AD Global Administrator Role Assigned", - "sha256": "60c46c899a69ab28b32485227c01fb16cee84b26abd65893b8f900c888034338", + "sha256": "6dc9cc0998b14bfbe9afd087f31a6485f561ce1941031c25c0ebe67129d750ee", "type": "query", - "version": 103 + "version": 104 }, "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { "rule_name": "User Added to the Admin Group", - "sha256": "605d63b5087ecb7c6b317b124502b5109f16a229ccb1a878d7f5c7f08940e119", + "sha256": "fa37c68ac0e2dac03e2bea89416bc54be86337a2a494433118cf53e757b9b756", "type": "eql", - "version": 2 + "version": 3 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "1ca8fdf09317fd36c70df03f3201b8274dda82e84f259811b7e392d1b5d8e6b4", - "type": "eql", - "version": 112 - } - }, "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "a219cd9773dc1fa8aa69881e4de1fb3c8b9b635a1c380a4782cf15cec90f8904", + 
"sha256": "8e32b2ab2c7b19aba6495e9a1f7ccfb476e051810bf71d14395a52b02cf78d01", "type": "eql", - "version": 212 + "version": 213 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { "rule_name": "Systemd-udevd Rule File Creation", - "sha256": "8d613ba421aebd8dcbce56302f1c2d6a19b749085004adc1050a81aed090dcc5", + "sha256": "e59a4f1612f709c30206acad3e57ecf928410ed3de1df81f1a0c8a1e2573872f", "type": "eql", - "version": 8 + "version": 9 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "05e330c5bc7ed2ce8eebca407e464236f706e834abd2347c5e29222915cb9919", - "type": "eql", - "version": 115 - } - }, "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "3f61af7fb95a6f56f3d8b10f22c2543e1500a295cedb05240385a644cfb3960c", + "sha256": "1b185733220ff9caa21528d5e9c9385b88e4e662503b6f232ca4c7c2e8c69543", "type": "eql", - "version": 215 + "version": 216 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "ccb2ff57c3244f25002537f1dc77486f9eafdcdbd670e3f6c41a50749f80121d", - "type": "eql", - "version": 210 - } - }, "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "de972a03d58e0257614b0bd101a01763a9c8905bf07a6d5a97b16871115da13e", + "sha256": "e8f35a18cddcdd49b3d91347a5c70e2a51d05cf3ff577cfe1317e5ad830b6fb6", "type": "eql", - "version": 310 + "version": 311 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { "rule_name": "Tainted Kernel Module Load", - "sha256": 
"6e6fcbbf2ea3332a110e3c68ebc52cde1b789a0370ce24f76e00a25d8c349bf6", + "sha256": "7565d48dda32b8434c9ee163a6f219cb0e18ecbc2df8ad08b6a933dc89d63a99", "type": "query", - "version": 5 + "version": 6 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "c70d925a16e8a0ca54c52ed7ba79164ff5091150dc18e8f3096440d73fd87433", + "sha256": "e809170c846e030385f3de5caa5cedccfc6d92d1a46ba046943464f3af0ecbe6", "type": "query", - "version": 109 + "version": 110 }, "0635c542-1b96-4335-9b47-126582d2c19a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Remote System Discovery Commands", - "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", - "type": "eql", - "version": 114 - } - }, "rule_name": "Remote System Discovery Commands", - "sha256": "8385d01edb4859b073dd968c3ed428bdc9f20bb184869f14eb4f42692a0abe06", + "sha256": "10184a224108b06df61c3d0d2c880f91505d4cdec8772497478bd39db7307c8b", "type": "eql", - "version": 214 + "version": 215 }, "06568a02-af29-4f20-929c-f3af281e41aa": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 109, - "rule_name": "System Time Discovery", - "sha256": "33fe7970c008c5046403b819e98a65e6552a9579cc28562fe551e9ec75fcf0ef", - "type": "eql", - "version": 11 - } - }, "rule_name": "System Time Discovery", - "sha256": "cf15b2bf8ac5ddd54fcb4f2ccedb51733cf85512ca197097fe3c7ab31f87755a", + "sha256": "c08df694acc199aab2599134c89faf185aa3b9843ebd59d3871557110ce96cca", "type": "eql", - "version": 111 + "version": 112 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "rule_name": "Unusual Remote File Size", - "sha256": "1c0662f5b11e6019bfa3e32d36fedf5821114840e8aa8e424150ea7631c58079", + "sha256": "5c023e623140babdf6ede68353f42b35ff921b6735192982b81ebeb7fcd992ca", "type": "machine_learning", - "version": 5 + "version": 6 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { - "min_stack_version": "8.14", - 
"previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "d70040688d2d40faca05dc65ea89f7b7cb6dc34b2c978f2fc33e67f843a5c79f", - "type": "eql", - "version": 10 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "bff4aae78a241e310a292c793fba005814a975476eba89387b3301217986255b", - "type": "eql", - "version": 110 - } - }, "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "e7a8862a024f6ea8a346b16441845118d570aebb01a849748f0c3d313172edae", + "sha256": "03dac45e9d58f06ea679b74e3b3277a04351c0ce66bf8069482691473b4f2b3c", "type": "eql", - "version": 211 + "version": 212 }, "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Dynamic Linker (ld.so) Creation", - "sha256": "798d7634945767913aeab178e7df25c3696ac6e993cbaaaefe8030ea91fe0f4c", - "type": "eql", - "version": 2 - } - }, "rule_name": "Dynamic Linker (ld.so) Creation", - "sha256": "cf3d305ea89fd7b2c84f8ed412f55d0c5180e021f2d107a517d501e85c15e038", + "sha256": "c3a66bff0aec6f69a09401c58eae78258cf395936a35af4a26adc8a2581afaa9", "type": "eql", - "version": 102 + "version": 103 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Potential Evasion via Filter Manager", - "sha256": "af64a92d30ef699c25bf08f37822770635ec2e44be940f17de9cf25ba519f602", - "type": "eql", - "version": 115 - } - }, "rule_name": "Potential Evasion via Filter Manager", - "sha256": "990f986bae1d4f295042fd090a380cd0d6f3d7b8850dd78cf6d5b4e2ffe7d8f0", + "sha256": "2bba719a0e576ecd112997307f09e3253695db95b97c1aa854aca2fd941341a1", "type": "eql", - "version": 215 + "version": 216 }, "06f3a26c-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Memory Threat - Prevented- Elastic 
Defend", - "sha256": "40d0e6bf90bb885b5bedb92204b324ea0899096734b6a33c10fcbf76f6ae8266", + "sha256": "c441eef96e09df129b5d295a431cf987d878660a826c992fab2e9b098ea7e80a", "type": "query", "version": 3 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "9f32696b9fa2e1510dd9d329776fa82b31d56c88665b21f900724188a3fb1f33", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "b22d6b7ab9817cd0a492a0bb23fa58aefc0460b88dea57ffc84c6cda058950b9", - "type": "eql", - "version": 212 - } - }, "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "36865a14b607cf48b5cdfcf52bd07a4c37c6a89038d1230ec983ac280ad050ce", + "sha256": "cab13a3b8e8bb3094085c9675cdcb0e8b30a99de7e5857bd251bd775945e05ad", "type": "eql", - "version": 313 + "version": 314 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "GitHub Protected Branch Settings Changed", - "sha256": "380c523049b8404ce0d831d93a39d8d6e334c2a51c94e3454920aa9b947d0d60", - "type": "eql", - "version": 107 - } - }, "rule_name": "GitHub Protected Branch Settings Changed", - "sha256": "3d9549ea279015b77bc82b2e69b630d2013529cbc37e51d1316381f1c8f34d54", + "sha256": "f85b8ec375ba51f72bf349c59e96fbc42aae11e18ad3000a107f058e5ae09967", "type": "eql", - "version": 207 + "version": 208 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", - "sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5", + "sha256": "96411ec84d8a22f311e9dfd8a308527f7ece8ddc5d93b6f1a589b2498d5fd296", "type": "threshold", - "version": 7 + "version": 8 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { - 
"min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "09c2f36752a76180ee5f6c3d999fca9b4a594baf1e68da518828098d4a918b29", - "type": "eql", - "version": 10 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "7a1e221305122e11869857dfef01583fa3242e9353bbc3c58bd029ddc08ce349", - "type": "eql", - "version": 213 - } - }, "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "a02807e2dbf00fd418c04b345cf9bb599e756134d50cfc7ceb239d0db3e3d270", + "sha256": "ea9a890a7fe00c858dbff2dcaf7ce164689b2a760206232a07b4e1b6e2e49fdb", "type": "eql", - "version": 313 + "version": 314 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", - "sha256": "9ef2074f6e701f2d706ccfe7165569007fc670532ed8a720905e2fbff4754a32", + "sha256": "8b982a48d5b614c8b15f099db5dc29592c03a7dda769f4b6f37a43262cab59d4", "type": "query", - "version": 107 + "version": 108 }, "080bc66a-5d56-4d1f-8071-817671716db9": { "rule_name": "Suspicious Browser Child Process", - "sha256": "ae0e822932b3d3a4abbd15f6ff61bd9086207d22ea05cfc9cc59eeca918294b9", + "sha256": "51b3fcff118db9337bb227e874af08401e569b7c3d4cc48704a3d87f6fe3e065", "type": "eql", - "version": 109 + "version": 110 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "2b0a0ede15789e0b7a7554ac68cafe6384e235975fcfec67debe968db0c4c318", + "sha256": "51a41c4aac90f94c8566c30ae35f53fa7e92bdce310d76694196a9461603d854", "type": "eql", - "version": 108 + "version": 109 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "a01dd38408bbec2545a780590fb1551649acb6e25b7f9589b305b518dcfae70a", + "sha256": "3b6c16332f07445f1623cdd983660c678af46a02282901cd7e4548bc5e8f6b61", "type": 
"query", - "version": 107 + "version": 108 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "First Time Seen Removable Device", - "sha256": "f1ac8cf1be60a96de758a01dfbfd0a5b594450e5a38ceae29fc315267402c892", - "type": "new_terms", - "version": 10 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "First Time Seen Removable Device", - "sha256": "c14fec5bc1b916855cac0929b535c0865ae08136bf417b3ef52374ed88a27cc5", - "type": "new_terms", - "version": 110 - } - }, "rule_name": "First Time Seen Removable Device", - "sha256": "70f7e9b02ae62752a1aa355c2bf0737861fcbe8f6d564b36f533e1c115925ed6", + "sha256": "58158655ad5ee76701bc013175713224a22632cdfec8aef97c7f2d0a62866b1c", "type": "new_terms", - "version": 210 + "version": 211 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { "rule_name": "Windows Account or Group Discovery", - "sha256": "345611059c1ff3167364a9fd80b7f975c8cef14393238750bfa8c6207ab12bd0", + "sha256": "b827f2e748c6a934e1d8485b1b30d398c380449318a4c0ccb660fe7ec7c370d1", "type": "eql", - "version": 5 + "version": 6 + }, + "08be5599-3719-4bbd-8cbc-7e9cff556881": { + "min_stack_version": "8.18", + "rule_name": "Unusual Source IP for Windows Privileged Operations Detected", + "sha256": "1531c8ea5c0359c0e44734cd8ce85e2df0097dedc77369b52df369a116c76b6a", + "type": "machine_learning", + "version": 2 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", 
@@ -604,31 +345,21 @@ }, "092b068f-84ac-485d-8a55-7dd9e006715f": { "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "0e3d828631e0a83196eea6787fc18de515f9e27764d93909572b5cc61b7ddc61", + "sha256": "ca4f143a63dc861981246f6711f2fd64668c3322007338baa52d61c3dc116f59", "type": "eql", - "version": 109 + "version": 110 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "rule_name": "Process Termination followed by Deletion", - "sha256": "14b2c50279749311159d46204420c773d52555a562d83ce604a03fd9d9abaafb", + "sha256": "2d9408275d396448c07bdfb1f83236719df9086f374689d0f914a1b4ad20c6a8", "type": "eql", - "version": 111 + "version": 112 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "Member Removed From GitHub Organization", - "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", - "type": "eql", - "version": 104 - } - }, "rule_name": "Member Removed From GitHub Organization", - "sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7", + "sha256": "8f53e7a56bdf70f2f886fde7eb012430f3dc47311dc4839dcd4e13a971f7a0c2", "type": "eql", - "version": 204 + "version": 205 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", 
@@ -636,149 +367,102 @@ "type": "eql", "version": 100 }, + "097ef0b8-fb21-4e45-ad89-d81666349c6a": { + "min_stack_version": "8.18", + "rule_name": "Spike in Special Logon Events", + "sha256": "e5cbe58d3441a34c3c34bd43f63ea661fb228746a99f49a1abdf6b3118e455a5", + "type": "machine_learning", + "version": 2 + }, "09bc6c90-7501-494d-b015-5d988dc3f233": { "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", - "sha256": "7040132674395ed77ee5b703d59cfbefe989b32ac76e3f85c8f03862f368df3e", + "sha256": "6364450fb2aecdc4012d73ae2948614a51e83777e3c025f72cbc74c1e9bd1805", "type": "eql", - "version": 7 + "version": 8 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", - "sha256": "f6a45024261cb0b349f1b5e65afcbfd1cffe90e669fa3157bf60ea20538b5f44", + "sha256": "8cd8888e6c73f37afa5115c1817ea17ec9fc86809e3170f5be871b211af200a9", "type": "query", - "version": 103 + "version": 104 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { "rule_name": "Malware - Detected - Elastic Endgame", - "sha256": "7a47db16ef187e82ca162b4ddc7be98c559c56f60930c7f857b4998e456db762", + "sha256": "6dec72ce9f7aabecc519652ba7299033d64fbfe4d155e3cbb9fff040f62ecef9", "type": "query", - "version": 104 + "version": 105 }, "0ab319ef-92b8-4c7f-989b-5de93c852e93": { "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", - "sha256": "d0ca847022a16689d65f980293f4e0fd6f57daf55cdf34dcf2d377d146f0757a", + "sha256": "5820311b6b905339e6e7494c92fb607d519388da3cb4d6a9251091cb9cfb4e7f", "type": "query", - "version": 6 + "version": 7 }, "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell Script with 
Remote Execution Capabilities via WinRM", - "sha256": "d48d0db0dcf2f0f427cffe2c1fc5c43f10abee34268e5d667453968fbde0f29d", + "sha256": "0ddaee290af65bcf40554862e10ff67308e93647adc7afe12dc754b47ff87c5d", "type": "query", - "version": 209 + "version": 210 }, "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": { "rule_name": "Yum Package Manager Plugin File Creation", - "sha256": "2246ca718f9e4c68f8015278f6c338d481215cf44d109266c689582b268cd4b6", + "sha256": "f055bf9c9f46bb5ddda4c4276a883ffd6024359999ee8d080157febff142106f", "type": "eql", - "version": 5 + "version": 6 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Anomalous Windows Process Creation", - "sha256": "e58901307b82a6b703f7a5b2767769ca7cbec1c80db040954fe646835f35d714", - "type": "machine_learning", - "version": 109 - } - }, "rule_name": "Anomalous Windows Process Creation", - "sha256": "c0f120a64ff245f24b22572875fa394dbdc77cb4f3718153eba555eb889feac8", + "sha256": "7acdebd225457bba9a49e92fda88457290b0a4323ccc699db59d6a7deb791d99", "type": "machine_learning", - "version": 209 + "version": 210 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "User account exposed to Kerberoasting", - "sha256": "f4161c7c3cb1aa92b083eb597fae4114d218aee981cb01a13851e639a4dea970", - "type": "query", - "version": 114 - } - }, "rule_name": "User account exposed to Kerberoasting", - "sha256": "ebd85ca66aad316c0f9ca0890392b1bf3c4c86c58b9b097f3079dd6dbc0a6dee", + "sha256": "23e9b0293cb471864143268d60458c9d4bc3bd9aa7fbacd265f63ceb2d0da00b", "type": "query", - "version": 215 + "version": 216 }, "0b76ad27-c3f3-4769-9e7e-3237137fdf06": { "rule_name": "Systemd Shell Execution During Boot", - "sha256": "f38d9a3cb527fed3ad70ba4055716a8490606cb347a6813497bae630dd296758", + "sha256": "fd18c9c6c7aa941df90f89ed1a9c7ce711852823005d936cbf0926a724ce28f0", 
"type": "eql", - "version": 2 + "version": 3 }, "0b79f5c0-2c31-4fea-86cd-e62644278205": { "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", - "sha256": "4a8f1df0c1c99b704e5485fd658ff9569854ebb1e729a16996a835862cfe8f24", + "sha256": "71692e040436d9174c568ecdd7fee99e2238dca3004b1064b22b14837fac333d", "type": "eql", - "version": 2 + "version": 3 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "91457268048c8d92e741bfd1d7bb5d54fe0d743c61407f7a0715f70c10dfa674", - "type": "eql", - "version": 7 - } - }, "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "7fc4e84759a2af54a9511e0a595038dfb7f5e4cded7427859e3081ac8d7ff641", + "sha256": "9e136032efd218dd3d868321979237b474048b661bd8d29202bcbf0fc2bd8a90", "type": "eql", - "version": 108 + "version": 109 }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "651c708c609fb7785a9f1776142e6f473de4466714636ff521fc42e5e303c8f0", - "type": "eql", - "version": 5 - } - }, "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "f3895557013bb677c666836d9909116795173df120b18f2792b6aa20cbe69580", + "sha256": "0b8e14839af59782950606078d586099c236ad4832b5866199c8b25f21179e1c", "type": "eql", - "version": 106 + "version": 107 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "rule_name": "Processes with Trailing Spaces", - "sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286", + "sha256": "61ea829b342ba00cf456d88b1d191efa3365627823aa9e186cf912cff9381c06", "type": "eql", - "version": 2 + "version": 3 }, "0c1e8fda-4f09-451e-bc77-a192b6cbfc32": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": 
"Potential Hex Payload Execution", - "sha256": "74f721a4c27361f235243b389dfdd0770212ed79d7fe1c2959e73c93b9edb754", - "type": "eql", - "version": 2 - } - }, "rule_name": "Potential Hex Payload Execution", - "sha256": "60df1c7136646558bb4c4713cbfb9a5a4b107a9416be8a60fbf7700cbcb94ce3", + "sha256": "546e88fb76a34d6809a3b5ddca9baea43697ceffe312b0801f4d9bc58f146b4f", "type": "eql", - "version": 102 + "version": 103 + }, + "0c3c80de-08c2-11f0-bd11-f661ea17fbcc": { + "rule_name": "Microsoft 365 Illicit Consent Grant via Registered Application", + "sha256": "b1abf541ce21e388774f94daea1199ce9f9c5005547a19a1184a244eec040e6f", + "type": "new_terms", + "version": 2 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "rule_name": "Threat Intel IP Address Indicator Match", @@ -789,32 +473,15 @@ "0c74cd7e-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Ransomware - Detected - Elastic Defend", - "sha256": "8c9fd34f4f30b211e680a28ab5e00352770c9972db08cf8a11fd6809a97edbf9", + "sha256": "0eabf2c1922aca9c19833edfeb8d4e44b1f19e91e7268d60e2aaa58d745b3a28", "type": "query", - "version": 3 + "version": 4 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Peripheral Device Discovery", - "sha256": "0ba61428f49133210022937f1edfd3ba9e42329cb91126ff0465644e23fc62ce", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Peripheral Device Discovery", - "sha256": "61ae1ba97794982369c44f00a1f32eec466cb30eb538a026250b2146313d688c", - "type": "eql", - "version": 211 - } - }, "rule_name": "Peripheral Device Discovery", - "sha256": "61263ade531000457423d75f215e58ba78b6b5cfd11f5e95bf5fca9d5d77c526", + "sha256": "ec8938c387a7fad2f2d2dd88203c65a8324f58a7d2a253b6c67202249e3d10ed", "type": "eql", - "version": 312 + "version": 313 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "rule_name": "Deprecated - Threat Intel Indicator Match", 
@@ -822,8 +489,14 @@ "type": "threat_match", "version": 204 }, + "0cbbb5e0-f93a-47fe-ab72-8213366c38f1": { + "min_stack_version": "8.18", + "rule_name": "High Command Line Entropy Detected for Privileged Commands", + "sha256": "83a6aa4d587186f7e7459ab0268171716a02c965c0c92d1744b1dc99976c0027", + "type": "machine_learning", + "version": 2 + }, "0cd2f3e6-41da-40e6-b28b-466f688f00a6": { - "min_stack_version": "8.13", "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", "sha256": "0d0084d44982bd3c5392b363044b94d1c083b4ff85c4da034a82be08872812d5", "type": "esql", @@ -831,9 +504,9 @@ }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "c5b5703eecd7632b4ddb4091627b0ff3ab51fe21941d1f5b53297f00d72c4f4d", + "sha256": "53c2495dab68a903b247714477ea3a6e45b080cc7d0dcb6fe5e59566f261f71a", "type": "query", - "version": 207 + "version": 208 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "rule_name": "Multiple Alerts Involving a User", 
@@ -842,58 +515,36 @@ "version": 4 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Nping Process Activity", - "sha256": "b83427252d66ff411238da7c5005c49740b023436dbc3bf58ba27c1ee3922248", - "type": "eql", - "version": 109 - } - }, "rule_name": "Nping Process Activity", - "sha256": "1ecfdf114395bc4eb70a3fb066620a04c60f99884612e0f29066015950dbd8dc", + "sha256": "ffd04e87aee986da407d0d658bd9815614ef6981fce9037febb5bb350236083e", "type": "eql", - "version": 210 + "version": 211 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "e5c5f267f119e9874c5b19c097244a7253714352e28e2fcc353b74d5c36bb3e4", + "sha256": "463ef7d320e65c159f5238f4f1a470d6eacefad355944921e52fa57b02b2a1ec", "type": "eql", - "version": 111 + "version": 112 }, "0e1af929-42ed-4262-a846-55a7c54e7c84": { - "min_stack_version": "8.13", "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", "sha256": "06cd8ab4b8922f24d2b6151406f8680b95c67b7d415ccdab4ef61cfc5c80fda7", "type": "esql", "version": 2 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", - "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", - "type": "new_terms", - "version": 104 - } - }, "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", - "sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce", + "sha256": "daf0a4bda776448f0e5a9bafecc2cad167ab9438fe19e051cd757802ab3789f1", "type": "new_terms", - "version": 204 + "version": 205 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "SharePoint Malware File Upload", - "sha256": 
"74965d932cbd9a720a97b2ceab342bba465997b95f0c655b95003fbbe6387365", + "sha256": "ed3405f5b56fe59c60c0642ae8ac0b0dcd39acffdf9e624c0c9a653d49de4f7a", "type": "query", - "version": 207 + "version": 208 }, "0e524fa6-eed3-11ef-82b4-f661ea17fbce": { - "min_stack_version": "8.13", "rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token", "sha256": "f6f434f76330ba923e4d55b62e92891d98a21706ca8bd0b47bd9811566a8c497", "type": "esql", 
@@ -901,77 +552,46 @@ }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", - "sha256": "59e29ccc3ac8165891a2e84b728fb276eaf024e4adc86f129eed888139ef37bc", + "sha256": "2dabe858adb0fc478a32bd89bff8edad37facd56a470caf71d075248e4428730", "type": "query", - "version": 105 + "version": 106 }, "0e79980b-4250-4a50-a509-69294c14e84b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "MsBuild Making Network Connections", - "sha256": "7c639b668c0b9207254749cb4e45c08ed861a61d1b5e8b27147b3b664d0ae255", - "type": "eql", - "version": 111 - } - }, "rule_name": "MsBuild Making Network Connections", - "sha256": "1d7d425a4b556f2c948c50f0b1dfd888045fc7023dbe3fbad411dbb83d420c0e", + "sha256": "f07233d63bf4d825b12ccdd87d4404f7aa673dca23c19c84c750defc35684e93", "type": "eql", - "version": 212 + "version": 213 }, "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": { - "min_stack_version": "8.14", "rule_name": "Sensitive Audit Policy Sub-Category Disabled", - "sha256": "36d53d03849de22fb24be66156f15194ce07ace1ab38974701e6b69efe28551e", + "sha256": "bbe9ea4c3affbc897abdc5bee35a953dd120762ddc522b24e3adbe6db4ccb8c4", "type": "query", - "version": 4 + "version": 5 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "rule_name": "rc.local/rc.common File Creation", - "sha256": "9d1acfe268c50abdd645663c36152672c58badfb78f109529fc5cf7392c38aca", + "sha256": "3b4e8f4226854ad401b0a80c3c62e9f815dfc511a954b5d10b759e40c8664c26", "type": "eql", - "version": 116 + "version": 117 }, "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Polkit Policy Creation", - "sha256": "44b43d02b93465a284ad02a34ec8aac120647331d3e94740777d0814d5113600", - "type": "eql", - "version": 3 - } - }, "rule_name": "Polkit Policy Creation", - "sha256": "0afcc930436684dfdd61e2ef01cbc1adfa72ab7f84b9fd58280c94953ffdaae0", + "sha256": 
"8685a856efa62f15d208e5985d9a909b3ce8e7901b24d3af710838b0b8bceb58", "type": "eql", - "version": 103 + "version": 104 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Netcat Listener Established via rlwrap", - "sha256": "79a36ec04c23d206b4a169e76b5d28d8f804a425556086fca9789d4fc8b188da", - "type": "eql", - "version": 4 - } - }, "rule_name": "Netcat Listener Established via rlwrap", - "sha256": "4b9e8dd7f874cd95eb91b79ea9ff20499a9372b785b00b28508b0ce941af417e", + "sha256": "5c909997193b58e4fe5aa8dfa168e55f80a7983c7763807965772b93a747603e", "type": "eql", - "version": 105 + "version": 106 }, "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Behavior - Detected - Elastic Defend", - "sha256": "84214be4565dee7f618d414cd2599619e3b5a008b2e5acfb397c79d2c6020732", + "sha256": "cd6a57dae1f0a6f2aef7b0a32b1e2390e8b193822bd1deb4b29926ce0e0b0f0a", "type": "query", - "version": 3 + "version": 4 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", 
@@ -980,32 +600,22 @@ "version": 100 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 309, - "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "47eb039775808da28b11790e0cc065e4a50d78e27c509b0d3658b680d0e8afa5", - "type": "threshold", - "version": 211 - } - }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "bbaf49b522cd5d40af2d47cba7e4b4171ca4727ca8719122a6cdbee63432dc73", + "sha256": "0d862dac4265ead3b5391ad1bd1e5d0a4a543f3a623c7f32b90e3ca5439dc4d7", "type": "threshold", - "version": 311 + "version": 312 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "76940df70c1484a0067d03c9147c59cb9cb88ff381bc232e981395b072fbcad0", + "sha256": "563d192840988aa54ff3f5443a420766959ed2f847c498aaa874ced30892aa3e", "type": "query", - "version": 107 + "version": 108 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { "rule_name": "AWS IAM Login Profile Added to User", - "sha256": "dff5cd6124560d135f2d7393f7c92da107c6f1993843cabdc031a2c21f69d7fd", + "sha256": "0f3c2dfae1047bb5c03781a08efbad39b17fca0ce4526c7de945d492129413b2", "type": "query", - "version": 2 + "version": 3 }, "10754992-28c7-4472-be5b-f3770fd04f2d": { "rule_name": "Linux Restricted Shell Breakout via awk Commands", 
@@ -1015,67 +625,40 @@ }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { "rule_name": "WebProxy Settings Modification", - "sha256": "43d8180f7e5ee5ede17e49e4b51dde1ec237e4fd3684df5ed85afbbde690f390", + "sha256": "39e5cc841cd09ae7c5e36388803e07223df11178a48684dc0be67ebdae2d51a3", "type": "query", - "version": 207 + "version": 208 }, "10f3d520-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Ransomware - Prevented - Elastic Defend", - "sha256": "7ad9cd5a7ed6933679d180d53ba468c0afbf17789887c8086eeabdbd30f751c8", + "sha256": "4ace7976e6f126067761acfadd4f78cbfbd24d77db75f43f8892191f893aa9d9", "type": "query", - "version": 3 + "version": 4 }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", - "sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721", + "sha256": "c3505921b5362ff6d0a18da1373092d8c859469a7a4a09d3bef2c051a57e71de", "type": "query", - "version": 105 + "version": 106 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "46d8b330ba652e23adf896e687f3e5366a624a5331876fc279966cc8b152cf65", - "type": "eql", - "version": 112 - } - }, "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "a2bdb54600ed5810827ddcde587fdd19f4abe4ac4f268242ea2b360c433b20ae", + "sha256": "024d892ef835aaee6b647e63eea1193ada7452b41dbcf08b535722061b98d474", "type": "eql", - "version": 212 + "version": 213 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "a994d1f91f21add41bfa56ede5881e607b7400b4d3892076489853ee155f7fce", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "UAC Bypass via Windows Firewall 
Snap-In Hijack", - "sha256": "153cade6c2583d73aadcdb8e1f138fd04f15225a1d087281dfb8e0a38a94a08d", - "type": "eql", - "version": 213 - } - }, "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "89ff75015ccc7505d10b8e1dd68a6e00bc013390bb1d3c3261ebea0dee5a9cd8", + "sha256": "8eca10b1096b0d996b99e34222f360cf7edc642e520775bad9db89af704c7e2d", "type": "eql", - "version": 313 + "version": 314 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "rule_name": "AWS RDS Snapshot Export", - "sha256": "22b038a9d7ed9ae2bb66b4cb46bcfc5b0b5fd00d0c6512a3aa092001b5c12e80", + "sha256": "f8ecafafb104111603d3d5386686c4906ae20044298adffa5cd6c47a347489ec", "type": "query", - "version": 207 + "version": 208 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", 
@@ -1084,42 +667,22 @@ "version": 100 }, "11dd9713-0ec6-4110-9707-32daae1ee68c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 113, - "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "a7ec142dcda7675c77e9b876a21fdbc81216e3a996b187d8b9ce5fb6ee881abc", - "type": "query", - "version": 15 - } - }, "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "6b484742b765e528a93679109d41f88dab5fc43c020fe7354c920f488c850661", + "sha256": "16d69eca18fb15a8a43e89044995911c2183249794b5bbea720f52b85d920453", "type": "query", - "version": 115 + "version": 116 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "ee76235d5b6aa99a7637cf85a3aa081f0e5a037d0d480e0ea6da5743bbb38967", - "type": "eql", - "version": 113 - } - }, "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "529c6c9afcecffe9bc1f09b979a34bc926f72b18aae363094788855893224f4e", + "sha256": "262d7f402cc82ab3dc8719964c79516c51251189fec331a8102f742c287059a9", "type": "eql", - "version": 213 + "version": 214 }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "2e9c3df902a7e2af50b5f91cbc53f971eaac2d7c296180dc7140aa88c286406a", + "sha256": "4915043c102c8fb240b46df22c7be9ad6e1193caaa2201739f670dd1faf804c9", "type": "query", - "version": 207 + "version": 208 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", 
@@ -1128,26 +691,16 @@ "version": 100 }, "1224da6c-0326-4b4f-8454-68cdc5ae542b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Suspicious Windows Process Cluster Spawned by a User", - "sha256": "36f3d53e0e615d93af889f1a29da008db557f004f34ab0b3a14b5210f0aeee2f", - "type": "machine_learning", - "version": 8 - } - }, - "rule_name": "Suspicious Windows Process Cluster Spawned by a User", - "sha256": "5e43858136609068909a67bd2ffd833f974eeee7ae19cdb80a02ae08ad096d70", + "rule_name": "User Detected with Suspicious Windows Process(es)", + "sha256": "46b5c51c7e1498ea7fe24aa27b1b82dae307e6fd3bd10037647bb6c9aef54d74", "type": "machine_learning", - "version": 108 + "version": 109 }, "1251b98a-ff45-11ee-89a1-f661ea17fbce": { "rule_name": "AWS Lambda Function Created or Updated", - "sha256": "034e4008a61db1376ed832a2c197463f0db3f4a325e879f200fc0180f30cdc17", + "sha256": "4c8af566dc12380d8c8bdde5bb764ef21104857e1a18feccc4e7e790697dc196", "type": "query", - "version": 2 + "version": 3 }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", 
@@ -1156,146 +709,65 @@ "version": 100 }, "128468bf-cab1-4637-99ea-fdf3780a4609": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Suspicious Lsass Process Access", - "sha256": "b5585ef93c094d17af2ec93e821abae35166aff50db392c679bdfd4ad289691e", - "type": "eql", - "version": 108 - } - }, "rule_name": "Suspicious Lsass Process Access", - "sha256": "19af37acbf8a0f9774fb22c8fe43855471d07d04d9aa68dfaf95e90219bd65a0", + "sha256": "cd2216bcdd98468875349fa38b7f532129af98edfebab97e8cf9209ad349bdf0", "type": "eql", - "version": 209 + "version": 210 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "rule_name": "Kubernetes Suspicious Self-Subject Review", - "sha256": "75734b3460dff650d8fb6adbbe456341d03756acefec419bdbe2f8dbb064b12b", + "sha256": "f00fb91c460844760a14a424f2a7b16defd598a0b0db46edcf810e9eccffe8ed", "type": "query", - "version": 204 + "version": 205 }, "12cbf709-69e8-4055-94f9-24314385c27e": { "rule_name": "Kubernetes Pod Created With HostNetwork", - "sha256": "7c44812095bd92d02344d24e68f59d1becb7a2912cb9f782309717e196302e80", + "sha256": "f2b30781046303cab11f86336bcf5b5079776a07eee2dbc6c2c2860e0ce7611b", "type": "query", - "version": 205 + "version": 206 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "272a96e698a6afe16c3181d064b9c894e77f51b3eaf866209b5dce7565d67d30", - "type": "eql", - "version": 4 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "dcb9f8fce25461a848fe06439c08665629219e3abdd01025c5555abb22bc059d", - "type": "eql", - "version": 105 - } - }, "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "6650390a0ab837875b873ec9ee59ab4afc35d94df7e4e550ab6e853cccd6b929", + "sha256": 
"a9c9c046892f5fb0ff23264d181cbc5ff316361b9e65e37d91d0e77e9489a6ce", "type": "eql", - "version": 206 + "version": 207 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "8a50a6a6f107f05960872b508ca599e3ced73c94f3e91ba756d516d1fb627486", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "a2f0c592a53ec30b958e963921770be01cdef012944bea22ae236d2713cd09b4", - "type": "eql", - "version": 215 - } - }, "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "f257b59519a3f70f969db80deb185a3cf39536af5b3c532c376b9108da677c08", + "sha256": "67edaed31f131f99127e73231843092b0f8c3f4435a869b2d97628428ecaa4b8", "type": "eql", - "version": 316 + "version": 317 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "17d08d5a22a343108d957c179ce6094d0257d0d8b2579a4951119dda819508f6", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 410, - "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "9e89e81b01768e4420d38600625f002d5442c3b66d427dc5892345446d213aa6", - "type": "eql", - "version": 312 - } - }, "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "b0ccfcb313b2d42d0235a2596412d1178773cf4161732fd7ad768553a89a446b", + "sha256": "cf051b91efef11632fd5138ed4b468cd2a6d7218394928a7d1d0f2f3885917b9", "type": "eql", - "version": 412 + "version": 413 }, "135abb91-dcf4-48aa-b81a-5ad036b67c68": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", - "sha256": "7a40d647d43e173b746b298d0619a6058cb05a2eb33d6e0a4e546788fa16634a", - "type": 
"eql", - "version": 2 - } - }, "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", - "sha256": "8abcc3f4f205afae84358660b95a2527d10a1f5a33fb6aa904c0c1280d8b6805", + "sha256": "31af95d5616973e58f6b1cd8f67e904ea113b08de501db6f1333f3a2d8f0add0", "type": "eql", - "version": 103 + "version": 104 + }, + "138520d2-11ff-4288-a80e-a45b36dca4b1": { + "min_stack_version": "8.18", + "rule_name": "Spike in Group Membership Events", + "sha256": "f7a1acc00197971798a07f9a57f898e0243b57560e884f046c8406641dc6cfb5", + "type": "machine_learning", + "version": 2 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "rule_name": "Rare User Logon", - "sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59", + "sha256": "6e7eb9b4bd752f098bcd645324f69a21db1395c5c6b2e4d1b497506d1e753148", "type": "machine_learning", - "version": 105 + "version": 106 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", - "sha256": "39c607c5899fa2a4b06f20c10675605931045838a883996b8978c1a623348ea7", - "type": "threshold", - "version": 7 - }, - "8.13": { - "max_allowable_version": 206, - "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", - "sha256": "ac05cb0b596f7532273a85d11c32fdb6302791693df41953a29630139fe66853", - "type": "threshold", - "version": 107 - } - }, "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", - "sha256": "d0a42671292f00c27195e313455fdfaba1fec838c135fe4e95baf80fe9fe68bd", + "sha256": "d4caebe0429481f647781c47fb6fbf6f2acd0c8c6c7810aa9b8ee1139d0dea82", "type": "threshold", - "version": 207 + "version": 208 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", 
@@ -1305,146 +777,85 @@ }, "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { "rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score", - "sha256": "3ec2e506931ecd0b5ba1e027207e34901c5ac024f575d19242d7a03f5ee033f6", + "sha256": "7a975ed3dc65288e4c303da4e27b0d6b882309652f6a310d3b84f7e98292c8de", "type": "eql", - "version": 9 + "version": 10 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Azure External Guest User Invitation", - "sha256": "6fbce9547774cb786e35438648ca5a236089ce43936066235b21a006520def25", + "sha256": "0478424148c82cc80be2a4c3bd562d27f5a2e0ff70d1ce5a54dfec70d218562d", "type": "query", - "version": 103 + "version": 104 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "05723d7fde940cd2cc2663a56ee79b455405ca9d1e1270db75b986c5ef72717c", + "sha256": "de09f757cb1aec945488eafbb7e065534d9c04980737762bc29824449cc3a9a3", "type": "query", - "version": 105 + "version": 106 }, "14dab405-5dd9-450c-8106-72951af2391f": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Office Test Registry Persistence", - "sha256": "3e44efbf96a359a35159414069ff36e12436779f48247e1ebb07a941605b448f", - "type": "eql", - "version": 4 - } - }, "rule_name": "Office Test Registry Persistence", - "sha256": "ef730832a93503b501376aacb96760534cb31876eed560a014670d79b2d03b74", + "sha256": "ed7a6cb08cabae8c1a90388b676bf157cf65988ba3adfbbb33a840e38d5661d6", "type": "eql", - "version": 104 + "version": 105 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "rule_name": "Kubernetes User Exec into Pod", - "sha256": "fc2b301f6bbaa53417113b60b7a3c366d6f6c509954e72e27e9386b8b8585c28", + "sha256": "d2520144114404f1ff0d5ffd8144fa198385e2703ded4bbc297d0ff7dd32b8ac", "type": "query", - "version": 204 + "version": 205 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - 
"max_allowable_version": 210, - "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "c1c4d209cde3b94cd2f8c548ecdb34cb3fa679dd0b53e7fdede58f9d1556ead5", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "c8f114645f7f362fd704081bd1e07a79689640b1eff476ca39c731460729be8c", - "type": "eql", - "version": 212 - } - }, "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "9b84185dd52ac21aec4f2a8db1583492782012ec7a3cf59ce9987512ffb52e0f", + "sha256": "50aad920ceff4fb344802b0b0ae5a50ed83c22ce8bcdcf5bf4b0574d90ab2480", "type": "eql", - "version": 312 + "version": 313 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 102, "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2", "type": "new_terms", "version": 4 - }, - "8.14": { - "max_allowable_version": 203, - "rule_name": "Successful Application SSO from Rare Unknown Client Device", - "sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2", - "type": "new_terms", - "version": 105 } }, "rule_name": "Successful Application SSO from Rare Unknown Client Device", - "sha256": "b2723b3de15eaf38f608b269cd27119a720895d4cd72b126071f5f0dd90555ee", + "sha256": "bfbaf5364aea83bdcfb248eaec9ff4bc5b79869e69d3640153dde2ec44fe5fd8", "type": "new_terms", - "version": 205 + "version": 206 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", - "sha256": "f1e6f5c52e4c18b16f84c216103655718a11c24159fd88c9d53d7810f03b9fca", + "sha256": "0c35cd98e269aeccb1ed74605c7a4012bbb93356216b768d8427cb4a08f021c1", "type": "query", - "version": 2 + "version": 3 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "rule_name": 
"Execution from a Removable Media with Network Connection", - "sha256": "c942ba35d01b9cb9eebfce159f6c2ef894b5f93d7501c1f04fbfe4f029914e25", + "sha256": "dcea415bbe180bd8af6d65459153f25d2bf47cb677fcc18734ec8c8310313434", "type": "eql", - "version": 4 + "version": 5 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "5590dc04999fc927242cf1926db4e2333087ea2de5e17c69677fa0ce42a76e5b", - "type": "eql", - "version": 113 - } - }, "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "48a21cf9c0af5dfe2bfe8c63b5a363ce108759818d65d6b3413ecbd1d0492b71", + "sha256": "56d19f1c3427c2e6cdc28cce7bc0cbb1a0135b41f9ad5c077da491d2dce59d56", "type": "eql", - "version": 213 + "version": 214 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "59e37cb962abea6a86b2a9384e1f08d2d036cdf4ab29173bc0d6e344af013204", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "d4a8b5bcd2a0a91c59da2511a57220c6075e93ea8e02ea1bbd8d32ce14c24f90", - "type": "eql", - "version": 215 - } - }, "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "ceac041df0548aca97242dafdaeb9c690d4d47ac4073a6393c65e651869946b4", + "sha256": "0f592ba1359c8189505d2c04e26b4af4a9bcc6c17802bc124107e2446bc4993d", "type": "eql", - "version": 316 + "version": 317 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "0b2ebcc224d55592d6f4b75e83df6d80460d48ba25c8b07d71ddeb2e16fee539", + "sha256": "7e70e7c0f9cdfe5141cd49f2488c7cf40d2bf09ac0df4885489b5687a818ff21", "type": "eql", - "version": 109 + "version": 110 
}, "160896de-b66f-42cb-8fef-20f53a9006ea": { "rule_name": "Deprecated - Potential Container Escape via Modified release_agent File", 
@@ -1454,222 +865,130 @@ }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", - "sha256": "ba45931cd861307121631371d3ceada4c31f8c0df2f03e06f91fc43499cafeab", + "sha256": "706ab7644989929072c7b79a3536784bb30bc3ddaac4b14f18e793ad9b2b155a", "type": "query", - "version": 103 + "version": 104 }, "166727ab-6768-4e26-b80c-948b228ffc06": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "File Creation Time Changed", - "sha256": "4b13b87a19503b754f0e1168a58053e72b7ab57ed3f6b4fa1e85ca983050228f", - "type": "eql", - "version": 6 - } - }, "rule_name": "File Creation Time Changed", - "sha256": "96cb410b392f1a8774e854637ac35223c3f06af1886b4805a50b9337a05c3290", + "sha256": "8025c26f3babbd27f39b36f5184b957a35a582e428891b76638c3ed7be768467", "type": "eql", - "version": 107 + "version": 108 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "23b10e667366dd92f41808c9b01db2f62209ebea86cc67add8a43532a3341b74", + "sha256": "95cd57a0bd9a0873b27c948b06664f70dd51d1ec2068b6288ee0c419c23556fb", "type": "query", - "version": 107 + "version": 108 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", - "sha256": "ee11c9442b8e8b3ba41f33c3a39715ed346f2d770c4dc8cee36662b2214222d0", + "sha256": "7b6cb0f9ddf09c93a05f289751d7d0a46f9faa3f09282d4db4c939c1dafd083c", "type": "query", - "version": 207 + "version": 208 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", - "sha256": "b0696bdb5caeee166adb282c9d5183cbe4347a8d2fed7807235f3e34d613d7a4", + "sha256": "7b7204e59553e9e1adfa425f3f37cb850a414ba85788c42a028f0a46e29987fd", "type": "eql", - "version": 114 + "version": 115 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Startup/Logon Script added to Group Policy 
Object", - "sha256": "3cc36b41be0eac9cd7741554fb1bd65a80c0a77275abb17d58fd202b42c25c6b", - "type": "eql", - "version": 112 - } - }, "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "f0b9ffa215ff2cbd2e2a889ada8e94883b25b009557f7f572ffacebd45b15863", + "sha256": "708bb4a068955fda30d125771a2fe5b09854a0935976a0c849929719ba7618f1", "type": "eql", - "version": 212 + "version": 213 }, "1719ee47-89b8-4407-9d55-6dff2629dd4c": { "rule_name": "Persistence via a Windows Installer", - "sha256": "8ac49e7c12e9e26728ce584fffb95e858c0145cd1ff89099123834f39022652e", + "sha256": "8a9ec8ee3a774b010cc3338a8c32af41ff0809bd26db8d829e9dff66edc12867", "type": "eql", - "version": 2 + "version": 3 }, "17261da3-a6d0-463c-aac8-ea1718afcd20": { - "min_stack_version": "8.13", "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", "sha256": "6862e5d1dee36ec1dcdcd165a67f6c373cd83aaa5f0db1b63ac526b78d346e02", "type": "esql", "version": 4 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Unusual Windows Username", - "sha256": "e9ed01e74760cd8f6b5436fa2bf1017b75f7981365876ee0443e0bab995a0f27", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Unusual Windows Username", - "sha256": "1e10d9ab500e362602268cac7c057d8f4200d268485ee4c70b1e1381d74f32a7", + "sha256": "d6e9247ec7d84885a9d611b1fda644b5f1948992c41a274f0bc533d976639ee1", "type": "machine_learning", - "version": 208 + "version": 209 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Service", - "sha256": "a1c9cbff26b71eb5194648a9907fd39e1504c7662a8f217cd2e9c099f9e24767", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows Service", - "sha256": "63fc4e38fc33fd24ef301efc7a52d2781085a9dd8465d14910b075c4ca6b5023", + 
"sha256": "fc827f352d81955b34dcc45bfd02c0f855cf681088c3309f809c6de1b1cde244", "type": "machine_learning", - "version": 207 + "version": 208 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Suspicious Powershell Script", - "sha256": "fc63208d7b1218e72d90948342343c545aab84431421c2d3b6d81b1a925181a1", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Suspicious Powershell Script", - "sha256": "3bfa0053ceaa3a5923c2aeac1cbb923a448d65b83dda46cfc701cbcf37772899", + "sha256": "37408605a637abd30078b6b79c314c98bc1ee4d6bbdd4a50d376ec53f95496fb", "type": "machine_learning", - "version": 208 + "version": 209 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "219fa2a191fb555ae903516b407568cc9bbc7be95ca6f3fb302311ce94382f0f", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "b13eb00c757b1251104bf4c37b3a291ee5acc963ba34c008a8b6d8731a102b47", + "sha256": "4de457138a1e94113889935950e9652bc842e01dd7d514264d02171f29c2c316", "type": "machine_learning", - "version": 207 + "version": 208 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Remote User", - "sha256": "c2ce8aa3cd6b41359d2374f00b781728b1d6990960574e1d27d013e9a33cda80", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows Remote User", - "sha256": "6e49cc6ec8fa0f149019eeb0d99bc587779e02711c05c54762667fb21676de08", + "sha256": "21aea41925792d39ecae9a498c18dad015599478e98badc8cbab3918004a275f", "type": "machine_learning", - "version": 207 + "version": 208 + }, + "178770e0-5c20-4246-b430-e216a2888b23": { + 
"min_stack_version": "8.18", + "rule_name": "Spike in User Lifecycle Management Change Events", + "sha256": "d466c889b6e2d39c7b207fd6aad26d98c2a23409e4a0666f5a69f5bab4957cfa", + "type": "machine_learning", + "version": 2 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "rule_name": "Systemd Service Created", - "sha256": "64deb3a7d35566d558e890c281946d23e332598949d863e7f3fbefa14896a901", + "sha256": "a41f68270991b59b52f0363bdd6c0ce6fc82a1c8c54ecc7e37df17d35e2567ae", "type": "eql", - "version": 16 + "version": 17 }, "17b3fcd1-90fb-4f5d-858c-dc1d998fa368": { - "min_stack_version": "8.13", "rule_name": "Initramfs Extraction via CPIO", - "sha256": "e91def04da5452836c00e38e6652e095e4124c1820f2650c10e07cd01e3fc61b", + "sha256": "f1fc4040cb437afd8efd9846673f0948ac10ed0943bfd03df6452248e14d3541", "type": "eql", - "version": 2 + "version": 3 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "3b12641768e2a47b26428daf4f845ab28c7dd839b86550febd738e1e8586d6ff", - "type": "eql", - "version": 111 - } - }, "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "897127ce66b9d6ef35af246c068852d99e7af8df437c3e4d98baa466d779a8cf", + "sha256": "b5d25e30ee7f01763bdf1ffb21ad80decb1fc1de1222bb8743748b32f9e05c48", "type": "eql", - "version": 211 + "version": 212 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "rule_name": "Unusual Network Destination Domain Name", - "sha256": "f20d9f97b235081744c25d793925b812e945e1e5e01719ce39cfcc0defb5b253", + "sha256": "44ba78fdbdde42f840876ec470f21bd895aa916fa96dddf5019e5191859f03a7", "type": "machine_learning", - "version": 105 + "version": 106 }, "181f6b23-3799-445e-9589-0018328a9e46": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": 
"12f1a83fb96e68e2440fc75a664bb40ec93c873078e8e95f4e7ada4d552370dc", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "af9a371780c9a5d15b340de55265c36733b80ec3bd7ae69c38546b2bf617a8bf", - "type": "eql", - "version": 103 - } - }, "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "35522252e970985ab70a0f4b89c64a7985895c75db81381345559495693ccc8e", + "sha256": "ee2fca12283f8ab18d80155a456660b16896619e6cb899c70a59fdd9f53dcdf6", "type": "eql", - "version": 203 + "version": 204 }, "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { "rule_name": "Simple HTTP Web Server Connection", - "sha256": "300e205d2f05314cabd3ea5c9dc9fdc35ce1ee5211afd8f65d74a15e3ef0d8e2", + "sha256": "b40f8ae44e59416d12ddebd6d44462f91415a7466cb953d4adc49c3dd84a01e3", "type": "eql", - "version": 2 + "version": 3 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", - "sha256": "61f062813d6ebdebc0cc6698c7dcc7a975d9f3cacf7713f599fefb3a363a15bf", + "sha256": "2b7ba8d15ffa49184943364fa698da84d500e6512dff041d48e761fcd9a184e5", "type": "query", - "version": 105 + "version": 106 }, "1859ce38-6a50-422b-a5e8-636e231ea0cd": { "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", 
@@ -1679,33 +998,33 @@ }, "185c782e-f86a-11ee-9d9f-f661ea17fbce": { "rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", - "sha256": "1f41f4ccb333df0f6e2e8c35cf140f6c0d2a9bcd69f6bcbe995c987bbe00a668", + "sha256": "dc1a22fc59476ff336b550e79841692a31cd1274f20e04a910fea3bab8c672ef", "type": "threshold", - "version": 3 + "version": 4 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { "rule_name": "Spike in Number of Connections Made to a Destination IP", - "sha256": "3624c2a233bea0d357eca3960733b5cd7bc6de43ac52d3c824553397d583e773", + "sha256": "116d604b7267253862dbd46cc7732bab7453d2939bbc4e3cda3f2df1ea49e856", "type": "machine_learning", - "version": 5 + "version": 6 }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", - "sha256": "3e0bbc97f6625f0f5294307064489d5cde380528cf838db84c6d84498961b0bd", + "sha256": "7f1034f49cad4bca7e90dab0969a711ce9459680c1cfba8aff62874e1468332f", "type": "eql", - "version": 7 + "version": 8 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", - "sha256": "d831a2c4ab5f21f7320a3fc66d048b0b77a969c59eab238e78a8e1ca5d3c7d59", + "sha256": "4f85bb1203309f2cba6c37653ececc282ccf2c1c93b5e8b01975c38d9bf3ea9d", "type": "eql", - "version": 6 + "version": 7 }, "1965eab8-d17f-4b21-8c48-ad5ff133695d": { "rule_name": "Kernel Object File Creation", - "sha256": "eb75ed2a02885be89ba411760bb066cdb4f58f77f25e138ab75b9eb72226030c", + "sha256": "b6e81ad7feee565a92927f62b6017b47cb33e144f6842e0f3d0774b77fcef213", "type": "new_terms", - "version": 2 + "version": 3 }, "19be0164-63d2-11ef-8e38-f661ea17fbce": { "rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests", 
@@ -1715,15 +1034,15 @@ }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", - "sha256": "e0fed1b61b6fc4ceab47ffa167cd84bceba6c2c6bb33dc781102e3d5da543e9c", + "sha256": "31486e8ba65dac1f3b90ff465c8e99d4a15fa22ad642c0d07a6f0510cb980994", "type": "machine_learning", - "version": 209 + "version": 210 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "rule_name": "Spike in Number of Processes in an RDP Session", - "sha256": "2a4b88bcda39f3627856cc76ad43b699768b3d1cabd2d7ed7335c991b0466857", + "sha256": "1c15cf76c576203e014d26eb84b2646d812a43967079187b263f90aea27decdb", "type": "machine_learning", - "version": 5 + "version": 6 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container", 
@@ -1733,542 +1052,271 @@ }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Azure Application Credential Modification", - "sha256": "f7362735f6b890396d8a39feb56c68597b92b95b75576e198efa44353fb980a4", + "sha256": "0606e67eba3285d0957fb474ff1afbb4aaf3d2e5e7a1aa3d81e4360b8ccb8b36", "type": "query", - "version": 103 + "version": 104 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Execution of COM object via Xwizard", - "sha256": "f6391e8f5b0619d0a9d9c44f7eb9fd4ee84d804dce2a33222731c4d7f110975b", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Execution of COM object via Xwizard", - "sha256": "8e04dc1449042764a07c9fc2051bf7a5c8d58e05bafa41e5eaa68ca6baeada51", - "type": "eql", - "version": 213 - } - }, "rule_name": "Execution of COM object via Xwizard", - "sha256": "c65c9419a9ac1a778ae51ad7d033bd3775009b43563844b80f984ff2f2f64e45", + "sha256": "4b46dd6471b97a05f0cf636836374f3713f0de71bf80bb947ff8533746ac2dd2", "type": "eql", - "version": 314 + "version": 315 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b", + "sha256": "c0cf506b6d006d80c2227023cf48fbe7fe53df4eebbbbff92471c64db11625bd", "type": "query", - "version": 209 + "version": 210 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "User Account Creation", - "sha256": "1046be8b577da52ec4ae4f06bcbf7ac7e32232c0e2d407916cb0474c8add7849", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "User Account Creation", - "sha256": "142471dd697b20805b6879a80f98136fb3c2b5519aa353e6f1ff95700a4f0b04", - "type": "eql", - "version": 211 - } - }, "rule_name": "User Account Creation", - "sha256": 
"3b110982e7dcff42742a98ac233650c6dc58347d5faf2db2f46a849fb45b1bb2", + "sha256": "afd5a73a55a93113aa9cb982a301e5886f4be9f4bab0eb7f81c51daf4525638e", "type": "eql", - "version": 312 + "version": 313 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { "rule_name": "Process Created with a Duplicated Token", - "sha256": "34b078db5943919e82a752fb623100ecf49de4400eb5b5af0beb5dde7933f97f", + "sha256": "497ec4070f9b7bf1a946f2cffacf029a486baaa133531ce0a9d06aa1601e34c7", "type": "eql", - "version": 4 + "version": 5 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Connection to Internal Network via Telnet", - "sha256": "1bc65565de45f1eff32df65b75aff663321aa0ebe9f25ab4bf86a1069147f03e", - "type": "eql", - "version": 108 - } - }, "rule_name": "Connection to Internal Network via Telnet", - "sha256": "577e427fc64582ac236a077a7655689420ac05895657991b9b10c235df191853", + "sha256": "cc363313c03d823e463b50c4eba74b6a7d02f3793ee0ee844d5c4a2b9e5174b4", "type": "eql", - "version": 209 + "version": 210 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "91601e89cb6509b662c58081c0bc8819adcf3c883bdc11c2819cd87ed1ce2996", + "sha256": "76dc9e6d5e532193e952df5a9678c01c0a025114c07468e52d2666c1ca148eee", "type": "query", - "version": 207 + "version": 208 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "rule_name": "Potential Internal Linux SSH Brute Force Detected", - "sha256": "7356e96ea1f088a2fd1b9412babba3ca73d9331aedf84b27f6fc8efe96edfc04", + "sha256": "18748c0862efdd4beafcd285f7fb86a2e6b3e2d68f6b0e1585d1d41c79a8fae5", "type": "eql", - "version": 12 + "version": 13 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { "rule_name": "Potential Process Injection from Malicious Document", - "sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1", + "sha256": 
"b6b7a1acb79e3cfa92ae6dbd972f01f34291cce3e7dea99f8fe289748abbc1e0", "type": "eql", - "version": 2 + "version": 3 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { - "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "9b82cc17d19e29ee2cba453d4fb97352ab4f1e2f8ecfe3d9ae2471f5f842509d", - "type": "query", - "version": 213 + "rule_name": "Microsoft Entra ID Illicit Consent Grant via Registered Application", + "sha256": "e304dda34f50a34cd1e90cc75bfe630becd92789053a4987ed3172f762ed7206", + "type": "new_terms", + "version": 215 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence", - "sha256": "a216a3ce8647e67413fe83b87ca92054c13d98146ee4c740fbc79435459adb1e", + "sha256": "6f2e7d99514612ace49886dbe4679b9a1314d39e679707bff5ed8e24b0a24e1d", "type": "eql", - "version": 118 + "version": 119 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "rule_name": "Azure Kubernetes Rolebindings Created", - "sha256": "250fb7d71a7e245ddced159b3f88b246c5ab4e89708f3130c7b27c55c998a33a", + "sha256": "73b24a419b287f27c9786e63adb67f8fb43a042a73436a83b7f720c85be6fedd", "type": "query", - "version": 103 + "version": 104 }, "1ca62f14-4787-4913-b7af-df11745a49da": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "New GitHub App Installed", - "sha256": "5409f401ac786bdadc45606d8d7f4b4c537367d93cf5555278d620c26f984168", - "type": "eql", - "version": 105 - } - }, "rule_name": "New GitHub App Installed", - "sha256": "e00feec6890b2361d7a10a06e2e91c713d0f28c866005e9e1f72610f0dbea4eb", + "sha256": "033da03ba6bcc9027e6573266d2fc03badb1ed3d5a1ed0aa495a57a23f05eedf", "type": "eql", - "version": 205 + "version": 206 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": 
"ce97e8b346f6e7bba7e209a95c49253e1561ae4cc80a170c9ae2e23ae6f36dbb", - "type": "eql", - "version": 109 - } - }, "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "26cde5fd51100b2103cc8ebd9ffa4347f2529e861975e6d4b22770ff4e8f244a", + "sha256": "25aee1babc29bb7fa246da20f300cabfe7f268a54910ae0593c5aaec995ce40a", "type": "eql", - "version": 209 + "version": 210 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 104, "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d", "type": "query", "version": 6 - }, - "8.14": { - "max_allowable_version": 205, - "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d", - "type": "query", - "version": 107 } }, "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "7709f499f3a03dd5ce65351e23a1a9959dc5139e8f50d72015df6ce2b0a3233b", + "sha256": "2a3d353252383d6e873229abf4a91f59ffc6984e4345aad77cc91476b3880f4e", "type": "query", - "version": 207 + "version": 208 }, "1d276579-3380-4095-ad38-e596a01bc64f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Remote File Download via Script Interpreter", - "sha256": "832c238b226f2b7fbbc201338e1d0dfe12a9a7ebf4a6263a1f038ab6019e0e6f", - "type": "eql", - "version": 111 - } - }, "rule_name": "Remote File Download via Script Interpreter", - "sha256": "ada7bae223693811f424b80ca156f7135da309f54f39186bed4f022974dda573", + "sha256": "05471dec421172bd0a2eabcdf4454017f3ddd79477330de791fd6da429b49a5f", "type": "eql", - "version": 211 + "version": 212 }, "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Profile Creation", - "sha256": "16b6264718403929b906f7b79bfd533c83024fbc7acec96ca185dd3cf5d3eaa3", + "sha256": 
"c396a65b2dce29cf56d5b600165d7fc46890e1db2a9b7e883340b7dc7aa1d75f", "type": "query", - "version": 3 + "version": 4 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433", + "sha256": "bcafc0e2e38941ec8997d3eda6ef2087192e5a72e9833e269491427ed8e1be46", "type": "eql", - "version": 108 + "version": 109 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", - "sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344", - "type": "query", - "version": 9 - } - }, "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", - "sha256": "0787e6065fa1eb22d7f0b4ae1c97a7da2bd3d32393f320be448e93e2df69dddc", + "sha256": "f2cdf8d87730e82ff6ce928ed936959687cf6bc62ee3f6128443edc6d22a1491", "type": "query", - "version": 109 + "version": 110 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "56bbd2e4cd59a4c2cde86cbbbfcd9e0afc33c8305d71bab718500435d3a78c7e", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "34fb9c8b0fd50e111ac85f4594d6ea57df7c600c03164d83b6e2485114ad49ce", - "type": "eql", - "version": 212 - } - }, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "07df6892a87587ca8babc6706f4c0106779b8517b3fef2294f5eb30ea9491d7b", + "sha256": "096c45cd85a9279e707a502f3a6fb3f1d17f7f87a4c8192edbc7a12224f35ad3", "type": "eql", - "version": 313 + "version": 314 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "rule_name": "Suspicious Inter-Process Communication via Outlook", - 
"sha256": "8ec48ccef8861234829d698a6d82615fdf25beacab841fc91cc525636fdf4bd2", + "sha256": "d0f5100bb6cb1bb1b55d212dc2bb4a6da63e7f05f439d130a7eafc524cf3ed87", "type": "eql", - "version": 9 + "version": 10 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d", - "type": "eql", - "version": 108 - } - }, "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "86f5fcf575f0f6c1addf031e30cf8e4bf984916f511300021ddd5d036bf4792d", + "sha256": "c1ac2d818a1fbae8a60da275745d9d107afdee6f47d06629486cec82c190d953", "type": "eql", - "version": 208 + "version": 209 }, "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "aa02b181f4f9a4df3460586733ba1ae7481ed321e4ef4e2ed3b418030ef65bc9", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "98f03ae22b61103956c3dcf4c477d3dd6c5da89a7c24f1e69a4a6f5f96573033", + "sha256": "4b607258df5ba8b5d415eb411fa47637bd4e0116b15f80c41f08eae8346c6385", "type": "eql", - "version": 106 + "version": 107 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "7efabb7cc18356aa60fe4c271bef0144b303a454cd4203ec421a5a679a75572e", + "sha256": "722d66ddef341ca8d42547fb128df203bd35d8b09b4a7c1e6d56f179f968ee6d", "type": "query", - "version": 210 + "version": 211 }, 
"1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", - "sha256": "cacd567d5376f99af90e85da629e9cff9118851b3e35ce7448c89ba66e5c1407", + "sha256": "5d33301671209f42db0f2e3b569f219f2bf6d6f785baba3334dd3129caaceb81", "type": "query", - "version": 103 + "version": 104 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Creation of a DNS-Named Record", - "sha256": "4955aaefda636b2420e5116875b69def93dd7fd67397cb2a0322de00b946b0fc", - "type": "eql", - "version": 5 - } - }, "rule_name": "Creation of a DNS-Named Record", - "sha256": "601853c2f6f8d5d47352dae612917238325b67762d8659f901e4a21c832d90f1", + "sha256": "37afa233fc2c9d30ecf40083db404064b857e7d645cfb69ece9d6fc3850cde46", "type": "eql", - "version": 105 + "version": 106 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Creation of SettingContent-ms Files", - "sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39", - "type": "eql", - "version": 6 - } - }, "rule_name": "Creation of SettingContent-ms Files", - "sha256": "ff8663b5c757bb323d6d9af69fd2819865654af9bb2de2359009d0cb368ec2a6", + "sha256": "3b073ab0d143a185dce5ddda7ae408ab723a06e0222e76a3f2cf84d386a56403", "type": "eql", - "version": 106 + "version": 107 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", - "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0", - "type": "new_terms", - "version": 104 - } - }, "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", - "sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b", + 
"sha256": "9eb608b08bc7d2d0bf6ec4457f430f28216a7439fa23a64eb50c0b0ec1063df6", "type": "new_terms", - "version": 204 + "version": 205 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", - "sha256": "72276af57d19261776e819edd8d905bd7c5374108d27e9728922200bc839ea34", + "sha256": "ae3d17abee43d308f690dcd4a1348901b95c080120f4f35521609a51140f7175", "type": "machine_learning", - "version": 105 + "version": 106 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 109, - "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "021df20053fabc64b24430c7e4bdb3fa187c6f00b27139bffc24759c4e97b817", - "type": "query", - "version": 11 - } - }, "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "440ef66551ac7e38e741b7fefff772fab1e8807ba1d7129dacdf19a382fd06ad", + "sha256": "f9b06694d9a1acb836a95a3b3b88c9d7dbf6694328e01c89dd7da7adb7e5e5a0", "type": "query", - "version": 113 + "version": 114 }, "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { - "min_stack_version": "8.13", "rule_name": "AWS Signin Single Factor Console Login with Federated User", "sha256": "67652ae55e23dcc67c6e395bd4b6354b74840c3c0ef81b0abe48e5f0fda50dc7", "type": "esql", "version": 3 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Unusual Process Execution on WBEM Path", - "sha256": "c0c0dc9d02782e6a4e0945d5a4067d3508deaeed48634ba3aa3bce892de5a9c4", - "type": "eql", - "version": 5 - } - }, "rule_name": "Unusual Process Execution on WBEM Path", - "sha256": "d89337c9d0ba87570647603b26f42ac3171fd6d9640b10b178348bff7117b07e", + "sha256": "8caa9784691156e9f70f312672d65357d7c2209ac243ae2befb1f39911161f33", "type": "eql", - "version": 105 + "version": 106 }, "1fa350e0-0aa2-4055-bf8f-ab8b59233e59": { - "min_stack_version": "8.13", "rule_name": "High Number 
of Egress Network Connections from Unusual Executable", - "sha256": "d9e8a7e51aa77ead7ce1ea1fea343c35fdb7aa4cc92450f6ebad5433afbc53de", + "sha256": "84b3367df89a2d4079d1bbc7e049e330439e0da8c729121ce82dcbd9584572f6", "type": "esql", - "version": 1 + "version": 2 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "7e9aeb7a0920e68d445b655d2a0b447b01aa117624ddd9e02a8ad4840701900a", + "sha256": "79a7054fbab786df0fe148ad8bcd4430adfaff7be7312a1d43c737404a23f941", "type": "machine_learning", - "version": 105 + "version": 106 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "4fefe2cc790c9b5fd8afbd08cfd7bd28ee6f50dffd877ec1400d81c1659bcc36", - "type": "eql", - "version": 114 - } - }, "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "b8941a4bd23e47360ee8b1a98140c573efad95250ad8e4ff1315da0b83ee3d8f", + "sha256": "5bd5f497f9621f244e203644c676f18335eeae54a78f94382d24c1796c59ef65", "type": "eql", - "version": 214 + "version": 215 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", - "sha256": "e43231e171e4e726c838f080bb14bcde8a580af0997b0177b568ebdfd462e290", + "sha256": "7c4db2799c89ee449c815b82891485079d5833e668c3397ab35496c6c65e1c04", "type": "query", - "version": 104 + "version": 105 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Suspicious .NET Code Compilation", - "sha256": "acfdd598b6015547f15e05e3ee2dd61dec13a52e09ccef1f154e133678cb2e8a", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Suspicious .NET Code Compilation", - "sha256": "891281c4090da3be8a47c99999198fb67201bc47da9b753cd8cdf6b2107a4f86", - 
"type": "eql", - "version": 213 - } - }, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "2c8e7933b55726a6bd967fa3c6e4ecaa207c4acd5574f5970995d8bc9b341746", + "sha256": "4aa4f2900dfe2eeb1731f596a880f5ff08fb31a720c7c6e2964f38a3df7a35dc", "type": "eql", - "version": 314 + "version": 315 }, "202829f6-0271-4e88-b882-11a655c590d4": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Executable Masquerading as Kernel Process", - "sha256": "c647d352170795fda0533a278e5c93824030a0e2391afb7d858ddf8fcef50ea3", - "type": "eql", - "version": 4 - } - }, "rule_name": "Executable Masquerading as Kernel Process", - "sha256": "5349e739a994b977cd138844e8e7e85da55971fb9e45fb3131eb92be33d3f123", + "sha256": "9207ed8664ffd8f78d149b2b93e5e74d7e37aeb81b63d796dbb92ce6f593129b", "type": "eql", - "version": 105 + "version": 106 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Creation or Modification of Root Certificate", - "sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Creation or Modification of Root Certificate", - "sha256": "1e793bac94cf744476de8ec10572545b6000ddfafffe37170ddb870c9b5c8d94", - "type": "eql", - "version": 211 - } - }, "rule_name": "Creation or Modification of Root Certificate", - "sha256": "4271caa450f1e1e8420eee5f49d3481396358bdee6fa3480756e5ce91adde73a", + "sha256": "2671aca56ddff77328b8efe78f8668bdeb8aaaf5ba6dff6afd7ebfb740a91134", "type": "eql", - "version": 311 + "version": 312 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "25cdfe21fb209fb7941dd020fbcfbadef29f04aadf5eb0e226efda9c35351231", + "sha256": "fb5501fb4b765e6fe89e17970a73b6bf57da2dfbd9441628cfbb792c96544ec7", "type": "query", - 
"version": 207 + "version": 208 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "rule_name": "Suspicious Web Browser Sensitive File Access", - "sha256": "f2563e3a26b24e637c8ac73d1f8b2c0a4f7fde0d81cde5ee33392c65892d9ccb", + "sha256": "baa9b46572223250e80f58c1ee04fb3164cc24f1ac0eb6e2bf5b7e05a46221dc", "type": "eql", - "version": 210 + "version": 211 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "69246453362e5ca8115d5ebc4d54e31708b17fca42e8f1c3289e2f21e27e0982", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "b3cf96a675e8bce7a335b93a6cceb02c5a7c736ced121dac5662c305c9855738", - "type": "eql", - "version": 103 - } - }, "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "99ed70fd9f47a95ed1240f5cc52f747dee59633a0c745c4efa9ab0127865b48c", + "sha256": "4e735252e2a78246b652a18b5e1a5a500e5aa2fe85dbf7bfd0acefd0a8183ece", "type": "eql", - "version": 203 + "version": 204 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "c71196cfccc34b4c3d768cc7220422fdaf2d6163c21dc2b1f3c8d1616a87dfb9", - "type": "eql", - "version": 113 - } - }, "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "72f43c85a5250cea55570cba448f42de38ff7b2fb9730edd8f6a78a7cc05fd4a", + "sha256": "b0d1c12556eb4b1dc21a62efff032263fc1861e0553c3d8261b2a8329b225614", "type": "eql", - "version": 213 + "version": 214 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", 
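Review bot: The `1ceb05c4-7d25-11ee-9562-f661ea17fbcd` ("Okta Sign-In Events via Third-Party IdP") entry in this hunk looks inconsistent: the `previous` key `"8.12"` is renamed to `"8.14"` but keeps the 8.12 payload (`"max_allowable_version": 104`, `"version": 6`), while the original `"8.14"` block (`"max_allowable_version": 205`, `"version": 107`) is deleted, so the lock now records a lower pinned version for 8.14 than before the change. Every other rule in this hunk has its `previous` block dropped entirely as part of the 8.12/8.13 removal, so this rename reads like a merge artifact rather than an intended downgrade. If the lock tooling uses `max_allowable_version` to stop a released rule version from going backwards on a stack line, this could let 8.14 users receive version 6 over their current 107; presumably the `"8.14"` entry should keep `"max_allowable_version": 205` and `"version": 107` (with its existing sha256), or be removed like its siblings — please confirm against the lock tool's output. Separately, `1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38` changes `"type"` from `"query"` to `"new_terms"` and jumps `"version"` from 213 to 215 (skipping 214) with no `min_stack_version`; a type change on an existing rule id is worth a second look to make sure the version bump and stack-compatibility metadata were generated, not hand-edited.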
@@ -2278,61 +1326,51 @@ }, "210d4430-b371-470e-b879-80b7182aa75e": { "rule_name": "Mofcomp Activity", - "sha256": "018833f79c00b6d515e06c22cbe67163ed3e39765697b70a83dbba6a933d13e3", + "sha256": "5c93aa3273caf9d0ade048674d987a581f01ffea785a0ba2a6485b946c437272", "type": "eql", - "version": 7 + "version": 8 }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { "rule_name": "SNS Topic Message Publish by Rare User", - "sha256": "ec62c61349b96117c332b5fadac825476aa3265486a5bbb85288ddab4964f423", + "sha256": "26fb195d6c4e386857c06e00179d2a869a4d633acf1e2a1183a638389f57b558", "type": "new_terms", - "version": 1 + "version": 2 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "rule_name": "Potential Reverse Shell via Child", - "sha256": "0f97f4ad5936052c4dd01aa0c3132de5f06f7a36be6192e1714f2732da113bc2", + "sha256": "8e0bf441661ea2933b3db40f54201edb802f8eb393e9140b8a5af775461875a4", "type": "eql", - "version": 5 + "version": 6 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", - "sha256": "83511d6659289dc4e5a568143d268908603bf739947cd0d971cfb051a85451b7", + "sha256": "c3689f3fd539f2bfe1f40a969c2da87dd7c3a29173a6e14dff46c6cb09d12b28", "type": "new_terms", - "version": 7 + "version": 8 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "39e75f704730200ba6057b7687a63159e2080003d55f8b8e6217740e487ab59e", - "type": "eql", - "version": 9 - } - }, "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "7d93d723489d1f6a59e139b58489ea66daaaa5a601a1f03527f4e18f249bd3ac", + "sha256": "4840cc97ec4abbee5460abe5d900d92ce721428fc55f516b8a911ebb3ed2307a", "type": "eql", - "version": 109 + "version": 110 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "rule_name": "SSH Authorized Keys File Modification", - "sha256": 
"3305c5a0f15096a7bb8b0818b40de617448029c1e701c89f35a611f31ddd9f0d", + "sha256": "f10f6516773953f128a324f80c6f86288a3590f502707b10929775a26875ead5", "type": "new_terms", - "version": 207 + "version": 208 }, "22599847-5d13-48cb-8872-5796fee8692b": { "rule_name": "SUNBURST Command and Control Activity", - "sha256": "8f0663314dfece6334c90619e9b9e2f5cee01e01b4768df72c1577b166910b24", + "sha256": "5c79684e305c93b8855c454e42d1ec39d0009b116b79fdf30910d1feacb0571b", "type": "eql", - "version": 109 + "version": 110 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "739bcd7a637855f9186eb263bcd8107c93d83f7790c1ea4fab07b69046503e46", + "sha256": "dc17d3be0177ce660e3069b441e2f3992bedfd21e74db5a401fface89779822b", "type": "query", - "version": 208 + "version": 209 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", @@ -2342,25 +1380,15 @@ }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "496ed866c8272f94c11bfa2277bde15dbfa2efe47873a8ddbcbbe832eb805693", + "sha256": "2c5a2e21b4bdb4c581db0cfa5179fe783a62321e2e2ffd13b93cff8e7313b1dd", "type": "query", - "version": 105 + "version": 106 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Kernel Module Load via insmod", - "sha256": "6d909c9373be54b6dc83f2c1d0b5416582fe6dbf4206daf4e496410ac5913aec", - "type": "eql", - "version": 111 - } - }, "rule_name": "Kernel Module Load via insmod", - "sha256": "f32774ffb6275cc6e21892bde0346fec8649a7b12e62823bc9c28ecb5f7291b4", + "sha256": "d64ad7e6a32647faa9b39e25e5ef1090e535cfb2da1a92dd8f2eb73e5f8cc05e", "type": "eql", - "version": 212 + "version": 213 }, "2377946d-0f01-4957-8812-6878985f515d": { "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", 
@@ -2370,26 +1398,19 @@ }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { "rule_name": "Unknown Execution of Binary with RWX Memory Region", - "sha256": "6206107d6e66665a64ef46d0bcd7102570f88e6977651000f2609ad3cc6e8b4d", + "sha256": "fb5702335fefb3bf02ce0bbef9d60ed06d8c75a5f5a90c8b285d50ad427d5ddf", "type": "new_terms", - "version": 4 + "version": 5 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 102, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", "type": "esql", "version": 4 - }, - "8.14": { - "max_allowable_version": 202, - "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", - "type": "esql", - "version": 104 } }, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", 
@@ -2398,170 +1419,88 @@ "version": 204 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "New GitHub Owner Added", - "sha256": "002be9292a0806831cffe8f7c1ae8704f2aba19ded7a11964225cde1c263c851", - "type": "eql", - "version": 107 - } - }, "rule_name": "New GitHub Owner Added", - "sha256": "a2e44a9352982f9a7fab91d7a6c0ed56fa52f09663f20c41c246407f643bb81a", + "sha256": "743a06d23466c62b648a1d4a5fe3d98ffd397019e63fc64ccb2aba90b143e2a9", "type": "eql", - "version": 207 + "version": 208 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Lateral Movement via Startup Folder", - "sha256": "9a03061d1c7d42331e54fa8c990602900d110a67d95d1245e44eae86e42cdc90", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Lateral Movement via Startup Folder", - "sha256": "9e4c99a01ff339552587a57d476760b6cdeec2634d2f26b6d801a2f3baeb0bd5", - "type": "eql", - "version": 210 - } - }, "rule_name": "Lateral Movement via Startup Folder", - "sha256": "77d41e72a8e9b4a7bbb7fab3c40167833d4e87d06b28d8e465774750ef5104b5", + "sha256": "a9b8af3c80380b44c76490071bf92fe3d2e97a26722b7ec5843dd746d715b8b8", "type": "eql", - "version": 310 + "version": 311 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "099be59655d3f1d35382b882049816c2c0570633f5d119e1ae6285bf5d5a901c", - "type": "query", - "version": 5 - } - }, "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "75e4844865ebef904a98f31b4021a2423b98a9e56a10e931089cea0ea3821cc7", + "sha256": "fa62a3fac88d4dd23d023356ddcb84643a548f936291d030a2c415ea77c02f9b", "type": "query", - "version": 105 + "version": 106 }, 
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "0fee3ba7e3d8302fa7bf7fe483672987cabfa3cd38c2e532907b1b788f7c8260", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "5539b5852223d4f71fb0ca5aca8622d8933016111d08f98d0bed0b9f804ddf7e", + "sha256": "3d1564c34461378f809dda92957c9c8fa1aae87d7c2d034d7c1b090de1885145", "type": "eql", - "version": 106 + "version": 107 }, "25d917c4-aa3c-4111-974c-286c0312ff95": { "rule_name": "Network Activity Detected via Kworker", - "sha256": "74fc51f05798d86c079a4db56ebd754908e541d5391fb639a014358bf4da50f8", + "sha256": "e1578b4b545c5b689dddc8c075ecef31e20188050608ee5720297376782511d9", "type": "new_terms", - "version": 7 + "version": 8 }, "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", - "sha256": "299b97cbda715b5eeabc7800ef5fbdd230b83acfb8b38ff4d6c1f1e231fe8185", + "sha256": "4badb1a4d3636bf1058525c4993d63a558aa0a8d591f98bbafa93c9fc8fc1319", "type": "query", - "version": 2 + "version": 3 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 104, "rule_name": "New Okta Authentication Behavior Detected", "sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935", "type": "query", "version": 6 - }, - "8.14": { - "max_allowable_version": 205, - "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935", - "type": "query", - "version": 107 } }, "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "3686340ff7f23094109815bb3ff499c3c9d5feb46b8ca8bf9dcc9059d295a28e", + "sha256": "28804d84b2cc66a3a0455902412799c1ac3d4f6a046a8a26993b072c8f490e36", "type": "query", - 
"version": 207 + "version": 208 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "5ac2632c3e48650d883c521af7ddf3ee85933ed2b90dbb2a8785db3e62378ad5", + "sha256": "aeff88668dd292d892d3573fc5ec4988ea0ae9bea7edea5d05529a8865cd2388", "type": "eql", - "version": 8 + "version": 9 }, "263481c8-1e9b-492e-912d-d1760707f810": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "54a0ad6f86ecdf068b1aae65f14d158a4f15e61b09a082762d2bd3413455bd6d", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "2985960617b321f48dd8601a1a8803bca75bb670250579ab023076cccb62abbd", + "sha256": "4820f5fda190db2608447f5356d919a9986a0110ded08d29c0c7ea2ec676f246", "type": "eql", - "version": 105 + "version": 106 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Container Access Level Modification", - "sha256": "9c1500534b794aa60add9daf3da3805ce5f70b117a900faf565c911764fdc73d", + "sha256": "12a15949af4c39efe03a88d3fc4edb55737676a5dcb3679dde2fbb826eacfd24", "type": "query", - "version": 103 + "version": 104 }, "264c641e-c202-11ef-993e-f661ea17fbce": { "rule_name": "AWS EC2 Deprecated AMI Discovery", - "sha256": "8b8ce9fd3c322d65ab9459337f4a67256c7d08be0426c6825699f4fcc4ca4659", + "sha256": "f9b68e3c101cb592b8a0c6891ea974cb9eb0169147faaa3e35abf74e5f06cd5a", "type": "query", - "version": 2 + "version": 3 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "4cb0180da3ef6e0e18bd152032578629a162d39c81b679998254e1e96d7a7a1e", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Persistence via Update Orchestrator Service 
Hijack", - "sha256": "04cf4724c581ce8d3a98423140537e39f236a8e0f13794cde43219b0cab63273", - "type": "eql", - "version": 214 - } - }, "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "8a1961e72e2bd40e50a0aa2d9798a0fddb3d6b24b4c0d0272eacefc88d9bb15c", + "sha256": "b931a3d25114789053dfb216d2b0478e83fe30035f9274901dda5d573979f28c", "type": "eql", - "version": 314 + "version": 315 }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { - "min_stack_version": "8.13", "rule_name": "Unusual High Denied Topic Blocks Detected", "sha256": "fe10ea745cf3203f237c4b8a40c63e9cb9d364c796bf52a2377425c3bd013171", "type": "esql", 
@@ -2569,164 +1508,100 @@ }, "267dace3-a4de-4c94-a7b5-dd6c0f5482e5": { "rule_name": "Successful SSH Authentication from Unusual SSH Public Key", - "sha256": "57a89e53c08841ce4215ee3302b31a874353bbf9ea14737e9788165df500f4d0", + "sha256": "24c94c4808dc91078e934262fcfb9083b941cf53595ca93873d27843b91b05b9", "type": "new_terms", - "version": 1 + "version": 2 }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Potential Defense Evasion via Doas", - "sha256": "5a94f36cb64d23ad01b8c1ffe0cbe7229007da049faf46d3b1076badcc0a3714", - "type": "eql", - "version": 2 - } - }, "rule_name": "Potential Defense Evasion via Doas", - "sha256": "aeeb4b372fbfd18ee0dfa78606413a606d6bc8e7bee480b01504cbe103fe8006", + "sha256": "8e0a1191d558a091e71a1f9b0d01ec54ad438bd99bfea9fe279b6eb1028c245b", "type": "eql", - "version": 102 + "version": 103 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "rule_name": "Privileges Elevation via Parent Process PID Spoofing", - "sha256": "bfaf73bd5525893100c9a0593503ec5113aa3f61db2953a685aebf429b142390", + "sha256": "4268d31b3e250506a3b421b2ad76d3008b95b0e2eca2cc188571620b4e4f8223", "type": "eql", - "version": 8 + "version": 9 }, "26edba02-6979-4bce-920a-70b080a7be81": { "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", - "sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7", + "sha256": "65e85a729d7a3f5ca2436ff4c1c6e074081c31c68ec64454035d88c92fe2e1c0", "type": "query", - "version": 105 + "version": 106 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 308, - "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "d41060acde6ba44c9fd538c2c2169114bcdd473a35332389b5cd82e9ebef2af9", - "type": "esql", - "version": 211 - } - }, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", "sha256": 
"d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59", "type": "esql", "version": 312 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95", - "type": "query", - "version": 6 - } - }, "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "7968dcf6597d447a945c7445f46e60b9c60182148cddf51f04392d3a1650b46e", + "sha256": "3251b75a04b52bfd1a16dc72848bd8dfa7ae4429e5478325c93c4e28ef2f3b3e", "type": "query", - "version": 209 + "version": 210 }, "2724808c-ba5d-48b2-86d2-0002103df753": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "63d9ec6b0b8f754c3d04d1b8509f7978545110c21c7cd36b95629e33e8327e06", - "type": "eql", - "version": 6 - } - }, "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "0940ad2254d8e550d0c01bf6a647edcd02990c8bbae6b9ca4b17522ae43f803d", + "sha256": "36a90d5c419868d33490ae93841308be77277e01d2a56b06b8009bb7375a6cf6", "type": "eql", - "version": 107 + "version": 108 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "45a1f7ed44be930e88471db5a5342a95b57a72bc185ba59c55fe89e7400fc69f", + "sha256": "ad65c639c9282d4a84c57212c900694af16d952dbb3ac33afbd77718de3667fa", "type": "query", - "version": 207 + "version": 208 + }, + "27569131-560e-441e-b556-0b9180af3332": { + "min_stack_version": "8.18", + "rule_name": "Unusual Privilege Type assigned to a User", + "sha256": "76566a0b3d0522a2fab08c3a36c299ef8d8806114de8e1af33ad350102f9d27c", + "type": "machine_learning", + "version": 2 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - 
"max_allowable_version": 208, - "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "21c8229d021bc8b4ae787107ff45217ab56d52e249857ff17e0a4f51ef3c7f85", - "type": "eql", - "version": 110 - } - }, "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "5a0f9b9a7ffefc4f2658c7b3637872e4beedb55b3e26d5cc76e3bf45f89cba0c", + "sha256": "5abcc4a23a78dfc3c6121a547aa8b7f60f13d1e0eb13ffe84bffee3402eb87e5", "type": "eql", - "version": 210 + "version": 211 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", - "sha256": "56e2aa8538cb1bfc6628887e820d427e37754644260ff65a94d8b2cd6ea08aa2", + "sha256": "6f0e35c10120a48896bb215bf98a408ec499c4dd9b5ba7950885fc28e6933376", "type": "query", - "version": 105 + "version": 106 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "72cefcbe9406dd477e621a600dab722c48420a443a88f1fe2afb43a0cf62af8e", + "sha256": "78bafc98d7c5fe4308bb404a5b81469cfb311bbcd457db961fa39bd477a2c61b", "type": "query", - "version": 207 + "version": 208 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 215, - "rule_name": "Account Password Reset Remotely", - "sha256": "fb5aa2394d8110f0ee46049a6b1ecea7a58a015560ea9e83bc0a7189668b9a9e", - "type": "eql", - "version": 118 - } - }, "rule_name": "Account Password Reset Remotely", - "sha256": "137bd2d87af18453725653508901c2d8ad9bbb67598c3aab9cb61849bdd9e991", + "sha256": "2cc63514365ea19a6597d1a779d18286f8d089ec99085c90a6ead7d44057d268", "type": "eql", - "version": 218 + "version": 219 }, "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { - "min_stack_version": "8.13", "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", "sha256": "138552f6df8aee3e8ab2164631ef74888c7d0297c012bbd6ac9ea1c1a37ecc46", "type": "esql", "version": 3 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { - "min_stack_version": 
"8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397", - "type": "eql", - "version": 111 - } - }, "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "2b775cfcd03f8ddcaab836d20fc03e2cd95cd89e3e8e729f6f6ea92f1e16bca4", + "sha256": "6b3fa7dd62fb5ada56ab9663e0b8a2d42f0a8d40aad571361b1721b4046a17ec", "type": "eql", - "version": 211 + "version": 212 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", - "sha256": "c5975ef9ab2cb8b6055ad6bcc0d785f845ed553b7efe8c2791515b7f349e860c", + "sha256": "ea2ff866a53552d5f6b37d8fb6a24a980d6d123a4b964b5f369a83bf3fb5bbb6", "type": "query", - "version": 104 + "version": 105 }, "28738f9f-7427-4d23-bc69-756708b5f624": { "rule_name": "Suspicious File Changes Activity Detected", 
@@ -2742,36 +1617,26 @@ }, "288a198e-9b9b-11ef-a0a8-f661ea17fbcd": { "rule_name": "AWS STS Role Assumption by User", - "sha256": "953a7ce35bfed2b2ce4beb94c883fdfa3e7d04f037d8ffa09fefc2a054676072", + "sha256": "b82e2f2ed2e33eb9449bacd336894fa333cdb0803b0631db99bcdae123d74c67", "type": "new_terms", - "version": 2 + "version": 3 }, "28bc620d-b2f7-4132-b372-f77953881d05": { "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", - "sha256": "ae10c2c01b91c5fc780ab3a9bbbfbc1435107aaee26f7bc8fec595151488c706", + "sha256": "4d9d91bff7cd3a9e6253b4646a0590556d450359008a5eaadbab871cc627a54e", "type": "eql", - "version": 4 + "version": 5 }, "28d39238-0c01-420a-b77a-24e5a7378663": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Sudo Command Enumeration Detected", - "sha256": "60350833224cc7d578b57e68377f5c6eec36459f3b1219b27857d2dfb83c1dcb", - "type": "eql", - "version": 7 - } - }, "rule_name": "Sudo Command Enumeration Detected", - "sha256": "84fc475479d15e3bc80b09e99dfac0c0b49c2a5edcfc3219f1ab09100b7d1555", + "sha256": "e16cea970ba4bcc3bbeca483cac76a1feb2fb95fa063ead468b038a6f42e9873", "type": "eql", - "version": 108 + "version": 109 }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "min_stack_version": "8.16", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 104, "rule_name": "Privilege Escalation via SUID/SGID", "sha256": "6ace4761c9708044d26fcf7337460b8479b0c47a4aad784406a4831f875a8ea1", 
@@ -2780,106 +1645,55 @@ } }, "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "797faad25f8c06e7e0d08b4a64fc573c931a70e7298ba5e64dc73d3a765a59c6", + "sha256": "ac19f2fdac91549a8dda7914281d68603b4c274a139c37255a70669a67f0c1d5", "type": "eql", - "version": 107 + "version": 108 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation or Modification", - "sha256": "871b644ecad8dbcc497878dc7e8709971fb1b44536be0fa5cd97cfb75cec1082", + "sha256": "8c7a1bf5af61fdc14026657a72b34594acb99ea47239291ac85895e2651f1e0e", "type": "eql", - "version": 6 + "version": 7 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS EC2 Security Group Configuration Change", - "sha256": "3094fc894dfd934d136e44472bb85b39b667d39ae1af5bbdecb0def1e9ee08b3", + "sha256": "57b2dc1864fb167910db77d02fff97458948e36ef21bf4d4c4b270f73ca83b67", "type": "query", - "version": 208 + "version": 209 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "d0e818d0f2ad9ea6d298e000b8823c6f9fae9d4ba58fd7d4a769d192a825bb7d", - "type": "eql", - "version": 116 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "25a8a5e36180af284b27b2a98e81479ace44455516f3093491003f1c052b247d", - "type": "eql", - "version": 216 - } - }, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "89b1b7dceaff3f36997ec337f2d8cef3fe495d208678da2825e4ed3ce0e5ea3e", + "sha256": "9e111482e5157563264056da5b3666baf56d9097dfa585e2ca2853e10cd720dc", "type": "eql", - "version": 317 + "version": 318 }, "2917d495-59bd-4250-b395-c29409b76086": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": 
"28c64115f2234bf5d1fecf8825b0c7f3345d8785463039b6e20726ad83f4fae9", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 414, - "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "086feb5b95a941af5edb6a8cda1844381dc9266800897730bb4c7360a6c48c51", - "type": "eql", - "version": 316 - } - }, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "69c08ef4a5f787e70fccfd3ec58af92bb9dc8c37e8c0371220c0a70bf79f5b7f", + "sha256": "9d504899405ab8edb97b379bebedf572403f11759bea65ed34bc493e907502bf", "type": "eql", - "version": 417 + "version": 418 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 310, - "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "74bf38098dbce95a0c1c95412e8fba9a3f5532a02c1838b1198a971eed59d253", - "type": "new_terms", - "version": 214 - } - }, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "f4a3fd4093cb4ee803a7b1fde1a972683e35233b3065923dc59ac148914fd788", + "sha256": "7e2427e1271c47e2206d2500d6b507a8491c55ebcaac896f7e8b299b69e9efc0", "type": "new_terms", - "version": 417 + "version": 418 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 103, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd", "type": "query", "version": 5 - }, - "8.14": { - "max_allowable_version": 204, - "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd", - "type": "query", - "version": 106 } }, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "020aa41dcdc659d6c9cf5c0619429e17fc67a4ed3a229e63c3e2aa82ca64dc59", + "sha256": 
"93ad1ad8beccc767fb9118b7b32be05c1f8ba7f4ce7dcdf94f85624d8d4a84fa", "type": "query", - "version": 206 + "version": 207 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", 
@@ -2888,302 +1702,129 @@ "version": 2 }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Linux SSH X11 Forwarding", - "sha256": "607bcf6166da9a0c07fa8208a598d656e9da82b719410a4b3861431a7ad23b41", - "type": "eql", - "version": 5 - } - }, "rule_name": "Linux SSH X11 Forwarding", - "sha256": "2b3d08f13e7043638c0bb3415d9ada4726d3dd2aa56b93a318ed3b135d0723d2", + "sha256": "9fcc6e6eea3618a03fca62772e89b82790e54f5f62797ee113a2d19c382258cc", "type": "eql", - "version": 106 + "version": 107 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "rule_name": "Potential Code Execution via Postgresql", - "sha256": "842f9893108098c4b68db05cfdc942016d86cd6880aad8c93c94aca02133b0e5", + "sha256": "9c5fc44718257f07625e1166eb419c4395592908a49fcdbf935c53dc4e75d53d", "type": "eql", - "version": 9 + "version": 10 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "sha256": "9ed50af9932a336e33eacff970ebcb3d99c94830b55744d32565828d68c683cc", + "sha256": "dfeb3736106927a156e733f7f8747a047c038f230a55845a58768a6369a5e3e2", "type": "query", - "version": 205 + "version": 206 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "ESXI Discovery via Grep", - "sha256": "0b220ddab575a1241b10575ba0fa022641bb5dd6d7b668a24f6e4e8e7795381c", - "type": "eql", - "version": 8 - } - }, "rule_name": "ESXI Discovery via Grep", - "sha256": "8a0b201a019a813afef3eb6ad8931c76409acb49bfb1000a7e441fab4f19f9ba", + "sha256": "a86c02c4a817d36c7f3ff829c30c9b2370f9fce7f238c332255c643a75ff2445", "type": "eql", - "version": 109 + "version": 110 + }, + "2bca4fcd-5228-4472-9071-148903a31057": { + "min_stack_version": "8.18", + "rule_name": "Unusual Host Name for Windows Privileged Operations Detected", + "sha256": 
"4d122f8f1f96f8fdf14f1a97ffad03f52ff19104426377a900afe529cfdd2305", + "type": "machine_learning", + "version": 2 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Adobe Hijack Persistence", - "sha256": "c39267858935a1708b5485ab0f15d8fec3c65af74dda3eabe1a645357b6ff54c", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 413, - "rule_name": "Adobe Hijack Persistence", - "sha256": "5d4eda2322ee604b41b05b508100d15e3d8230cf544f5e9685b20c82c9957fc4", - "type": "eql", - "version": 315 - } - }, "rule_name": "Adobe Hijack Persistence", - "sha256": "e7b371bc3cb56880f4b66c8f8fe941a3dc804cf4d7a909203eb1aac36b2eb4e8", + "sha256": "a64a63c2b1334323d6b2e5f25a1c265e7193e3a0a8b8958c8f2d23ecb98b9664", "type": "eql", - "version": 415 + "version": 416 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "fda9500da0b3d309b22466c14a3b99bc7b486e029d19035500b51c712c4d337d", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "bd55b8a641caefe82fd1e124f00f3332b0b81d8efddbe594a1a73415c0a5d41f", - "type": "eql", - "version": 213 - } - }, "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "e69123e81346af8a6014260f65776c0326786a0019351371eba62067fb23d7e9", + "sha256": "7cc5ef0f9ed173efb3107f4a2d727fb9ff4254bad860feba370b71b53b424653", "type": "eql", - "version": 314 + "version": 315 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "19459360acfaabbee9191b0bffc67924d652582ec4b24d908ab43e31ed2baf8f", - "type": 
"eql", - "version": 111 - } - }, "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "ed9cc4c9d37caa1424d72d1771b8aaa477eee67588db0cf67131757668706a64", + "sha256": "5c7d0e0e36a19f9093caf705980f02c2a0bb491c02eae447a065224943be8a7a", "type": "eql", - "version": 211 + "version": 212 }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Potential Foxmail Exploitation", - "sha256": "fa4198db44ca8125dc5157ed58f08cb85ded4ed4fdd90a197bd108a4788e7bb9", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Potential Foxmail Exploitation", - "sha256": "3b3410ec8a78d817be6bc0002e08c1aecc291c587a8e5049c46ba2a0ffca42e8", - "type": "eql", - "version": 103 - } - }, "rule_name": "Potential Foxmail Exploitation", - "sha256": "91d807d619d392937f23f7570110f1a16024dea7638053710bbe2c380ba68794", + "sha256": "80cda71a2bc3a76c6e3bd1a8e70694b19e9a033a51f59971b957a4130f0623e5", "type": "eql", - "version": 204 + "version": 205 }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "da7b8fc9196d2268f214a0e688fb4743c4aaac83e91d448cac7edb41ecb0cc4d", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "da8bbc8a8b7835679b590b3422fc6c384b3818f963248606c077e274ea185f00", - "type": "eql", - "version": 103 - } - }, "rule_name": "Command and Scripting Interpreter via Windows Scripts", - "sha256": "3ddbfa8f343a66c1a88ceece0f1578b6413e48d8e9866070c72412b45e29c6d3", + "sha256": "cec195ecb99306a72534d7e7521cfeb9a2d4d3acaa083686916d9bae57800dfd", "type": "eql", - "version": 203 + "version": 204 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of 
Kernel Modules", - "sha256": "52c116a646055bd0157cedd2d9977b1582266b6dd9b8f6d1911d2e72232ae161", + "sha256": "86ce7698b8fad44f5c4b78c7b53765967337adaaf9f312162769ffa3b79d71fe", "type": "new_terms", - "version": 211 + "version": 212 }, "2dd480be-1263-4d9c-8672-172928f6789a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 310, - "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "6f9f6d3a9b1c3c10ee6f372c529e3043cf57abbe70e819991e61b39bd48cfac8", - "type": "eql", - "version": 212 - } - }, "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "9f2195a1ff14af308fa971db89cf85114f85149da9fab3f43237cc3cbb0a5bd6", + "sha256": "46d6b6d760e911d091a01701ab201f63be69908c73dc9ab4e4e1ad481b9e4af8", "type": "eql", - "version": 312 + "version": 313 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Potential SSH-IT SSH Worm Downloaded", - "sha256": "fc0687aaffa30b4402ffbb232a6609e8a832a677f70d6f87d826e0967cb6ae18", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential SSH-IT SSH Worm Downloaded", - "sha256": "cd015724526c5fd95611fd542dcd3bf3ae7cf0f17b78feaf63025db570b62459", + "sha256": "23bf583e2feb9b8f6c9d4f35f66fdea61caa1a2d2a4d956dac12bd4ec9fac81d", "type": "eql", - "version": 105 + "version": 106 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "8df93c4d2e8d8e22dc9b2519c322833798fd0dd6e0179688ad46849263b97038", + "sha256": "d0306e64bd3c65aa39cb2bdb1e37e7fe5868d4696a607fb47a385807de1f2437", "type": "threshold", - "version": 208 + "version": 209 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": 
"a2a8c353c9789286a12acad9ac5ef3f78e625e7f76155b7f8fabe49323aa8e5c", - "type": "eql", - "version": 11 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "8f884c1870437488658be0d2e627b6979914c5073df0908b2386a2d64a3b4140", - "type": "eql", - "version": 111 - } - }, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "8791e7fb1a6be5e42e542ffbff43107f655cb9129d6d372da900d9d185d90c16", + "sha256": "3c073b5495eaf66836bedcfc9f6b9758e15ac3bad1481fb4e861cc7f30d104ff", "type": "eql", - "version": 212 + "version": 213 }, "2e0051cb-51f8-492f-9d90-174e16b5e96b": { - "min_stack_version": "8.14", "rule_name": "Potential File Transfer via Curl for Windows", - "sha256": "a4dac855d53d9474f8e5110cd803cc954889544153b5054d8a1d6efef103d335", + "sha256": "1a0d8ddadabbb539a3eae57bf46a5a60b45abda76d1427fe07e021979f1e8e68", "type": "eql", - "version": 2 + "version": 3 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "3f92ade9c8cf46297f9846194909bde8477311035bce84de538a59154fab0a08", - "type": "eql", - "version": 112 - } - }, "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "ba2643e57a281cd68d1f699d40aa824bffb36faa4b50d6ee43eafdc67fbf0942", + "sha256": "c483aec9d6625be8936a62423470fcf3a2d241d9336e4ce6c9ac94d0d6eccc96", "type": "eql", - "version": 212 + "version": 213 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Potential Process Injection via PowerShell", - "sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029", - "type": "query", - "version": 113 - } - }, "rule_name": "Potential Process Injection via PowerShell", - "sha256": "7e0cc4f4c58256634c207a3b45ff788e4f9970f7e0b9436f55f186c002437855", + "sha256": 
"39d4db89355dbd775fddd6dc57a96818362c31fb4e07597a65a8163b54a78a04", "type": "query", - "version": 213 + "version": 214 }, "2e311539-cd88-4a85-a301-04f38795007c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Accessing Outlook Data Files", - "sha256": "e16b755ef96474eeeb8efab6ae108f1e9420b53cd1d79d3e822dc3215788f7a9", - "type": "eql", - "version": 6 - } - }, "rule_name": "Accessing Outlook Data Files", - "sha256": "37fe2693dac2a707118e828ab9b2e21018b8028366804f4304ff2122f53d546b", + "sha256": "4e82e1f564687491fbb83a31d5b4272b6603d40ff48e65f5f4fc5105fd02b939", "type": "eql", - "version": 106 + "version": 107 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "154a54c158e1072b12c8c12e5c0b1a4efd33eeb055cc0a97dfbce0af0e73dc48", - "type": "threshold", - "version": 2 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", - "type": "esql", - "version": 104 - }, "8.14": { - "max_allowable_version": 302, + "max_allowable_version": 100, "rule_name": "Okta User Sessions Started from Different Geolocations", "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", "type": "esql", - "version": 204 + "version": 3 } }, "rule_name": "Okta User Sessions Started from Different Geolocations", 
@@ -3198,27 +1839,10 @@ "version": 105 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Creation of a Hidden Local User Account", - "sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Creation of a Hidden Local User Account", - "sha256": "a3f55a20eb34eb9f050c14ebec723bf8910a29329d76e98fee0fa59c90d5d247", - "type": "eql", - "version": 211 - } - }, "rule_name": "Creation of a Hidden Local User Account", - "sha256": "19b7467f53896db1e8c5f00dde89e1ac429dc7e8125d433e5c4aac81a6f41de2", + "sha256": "e8f051eb44558952bcecc9d7f235bc5563b58b26164a33f5bb4dc036665c73d5", "type": "eql", - "version": 311 + "version": 312 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", 
@@ -3227,64 +1851,34 @@ "version": 101 }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652", - "type": "query", - "version": 112 - } - }, "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "f30a726cc8233f0fd47f045cc06753a16529142e73e25f7f2f0a62d4321894c8", + "sha256": "31de043d1cd732e775149b43ff26172cddeeb44322ec37ae942a99614571d860", "type": "query", - "version": 212 + "version": 213 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Attempt to Disable Syslog Service", - "sha256": "2ef044a4379ebf8587fd12c998257f558761c47509df7f0295893dd4bb6f34f3", - "type": "eql", - "version": 111 - } - }, "rule_name": "Attempt to Disable Syslog Service", - "sha256": "64eabeec581d6804bbb7ed7f4fd9a7792413294be3c0f6b2045dd0e0fe5d0c09", + "sha256": "e31a51a76ed546320f82cecfb6bc198a5b3f344ef905f5e3c43bb6d580e4434c", "type": "eql", - "version": 212 + "version": 213 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { "rule_name": "Suspicious /proc/maps Discovery", - "sha256": "6e7e3a5b5658ebe94a6acbd227efca852aa9553c7e58a257f13b2e46c357055c", + "sha256": "1822e615f8b6cd9ccba8226980aaa9ab83d1fea9eb0608c4e3a9ff7435b60ca7", "type": "eql", - "version": 4 + "version": 5 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "12a39f6d9969db63436c1a00acca99e9add307c1cd5027f78b8845251fab148b", + "sha256": "698a808aa15b4d66ec0a56d16de5a5f00fda54cf9ca1c4f9a175e4b733517850", "type": "eql", - "version": 110 + "version": 111 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 214, - 
"rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b", - "type": "eql", - "version": 115 - } - }, "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "2fc498a71ba2f88f7d63796eca1ee83dbe34d62673590eba2f4b869845a5cb02", + "sha256": "abb4c0ba6ea880cff86b60e2e288188caa668081bf20b5e5374f836d00f755bb", "type": "eql", - "version": 215 + "version": 216 }, "301571f3-b316-4969-8dd0-7917410030d3": { "rule_name": "Malicious Remote File Creation", 
@@ -3294,43 +1888,33 @@ }, "30562697-9859-4ae0-a8c5-dab45d664170": { "rule_name": "GCP Firewall Rule Creation", - "sha256": "bdc8c042341275de2dda2fbb2cfe8352f8fef57e17ade3f9a6a0f4a2f34f6f7b", + "sha256": "25c92e02edc6460d9d39294cd07870fb0fa675e3e9236795739f4a4f58448699", "type": "query", - "version": 105 + "version": 106 }, "30b5bb96-c7db-492c-80e9-1eab00db580b": { "rule_name": "AWS S3 Object Versioning Suspended", - "sha256": "501b384fc62d0114e489f893db676c77a67a7de686ed549cc96d28110a216431", + "sha256": "01e2c613eb7762ef388bc29a3f3a695cb50dcd03396f14666bfac12c32bfe5ff", "type": "eql", - "version": 3 + "version": 4 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "087ddf9a38cc3a95ddd050c3af74a8205dcf16b78a267a1c40ecab0206895466", - "type": "eql", - "version": 9 - } - }, "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "9f0737cd4b53c31a9412db6fe279689258d74cd0462413dbf350f2a1f520f5b9", + "sha256": "8527bceb32594c7a8e2c45048b80bcd487f2a9b449979249a5f1b1c25666aebe", "type": "eql", - "version": 110 + "version": 111 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "rule_name": "Network Connection via Sudo Binary", - "sha256": "a497b8c3ad9c185407effba08b476ec636ae48f34d72a78ebe4c33554301e425", + "sha256": "92eb37d8668e105e4d2a5f60201d8c19a8999000a35d6e5a2469d46be10d3da5", "type": "eql", - "version": 5 + "version": 6 }, "30fbf4db-c502-4e68-a239-2e99af0f70da": { "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", - "sha256": "fde6148916cb146e840e4017c597cb865ed148dd9eb6ad32b27f527b18e30866", + "sha256": "75c2e730fe6fbeb39993a7c054f9a1f62de0d90a8c20e084d7fec9325988d738", "type": "new_terms", - "version": 4 + "version": 5 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Agent Spoofing - Mismatched Agent ID", 
@@ -3345,36 +1929,18 @@ "version": 105 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Bypass UAC via Event Viewer", - "sha256": "26c302e48a82a4c71b95bbacfe998d079412e39f679f834e69fae5d875669849", - "type": "eql", - "version": 116 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Bypass UAC via Event Viewer", - "sha256": "5421bd89d5aebebf2cfa8655a02e73854e34caf836d61a4b91097c5a5fd752a3", - "type": "eql", - "version": 216 - } - }, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "79da03cd16b3fe390ba1bcbf7210a4e75e1160924c4eaa555b1886746c2b8e38", + "sha256": "21e8b176aeca2f5406a84ae606b64ef503227027bb012cc0376fc618ca02b070", "type": "eql", - "version": 317 + "version": 318 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "5f12891f87725569f26f55d846990b172e4b083945291b524995a0c2b39d1f88", + "sha256": "444d517a9b5890ece56554bae1c80f9cf989ad9919bec40807644bc7a75cc310", "type": "query", - "version": 105 + "version": 106 }, "3216949c-9300-4c53-b57a-221e364c6457": { - "min_stack_version": "8.13", "rule_name": "Unusual High Word Policy Blocks Detected", "sha256": "fbc24d43876fb187d170bf7067f200bfc4a9dc9315138429cf73dd99f867b8ba", "type": "esql", 
@@ -3382,117 +1948,70 @@ }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", - "sha256": "81b1ef2dce9bdf05c543f720116a273b1b28f4fcc5f3f06993027b6c522d1613", + "sha256": "2b00decf4786b15edbdf57d3d658b8397508294d89ad09800efe40e426704568", "type": "eql", - "version": 5 + "version": 6 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure Network Watcher Deletion", - "sha256": "4361eedfbd069e79f89dc6fc2cb69959fa012d9333bb12fa3a7a48bdc1956047", + "sha256": "6303595c0557d0a2c1bdcd100183e67f346f6a059754111fee987ef04b88628a", "type": "query", - "version": 103 + "version": 104 + }, + "3278313c-d6cd-4d49-aa24-644e1da6623c": { + "min_stack_version": "8.18", + "rule_name": "Spike in Group Application Assignment Change Events", + "sha256": "ba000a780422ecca33fc3d2bdebd7fd1b3946323c9364851babbfb05bff24798", + "type": "machine_learning", + "version": 2 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "4225710e2f58d4c9a39ab24e6e05d1553387f3bd659ccf97398b490b820df50b", + "sha256": "40394cd02ee515c711a63559e34482888bc90301304b81ea4859ebd9a3e41e56", "type": "query", - "version": 105 + "version": 106 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Program Files Directory Masquerading", - "sha256": "606536c8d6bfe0e947e3e259b6e852bc054d4d698047726f4d5c75b729bf55e1", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Program Files Directory Masquerading", - "sha256": "7a4d10f9a885c140e679ea9b1395f36c0013153e988bda9aadef3631ee490db6", - "type": "eql", - "version": 213 - } - }, "rule_name": "Program Files Directory Masquerading", - "sha256": "16bc5626deef5e54395b10b7f90e3c0e85fffdc658d81ccd2d12a5cc6e59d03d", + "sha256": "df4d87a09e053881953802fc4fa46fc877aa0ea0bf9e9bd6d3055809e5400c5e", "type": "eql", 
- "version": 314 + "version": 315 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "Microsoft 365 Portal Login from Rare Location", - "sha256": "c839af879a5c765f5e319641da93e5418ac234abdb825d1d9f1df9d746f9e2e2", + "sha256": "bb98118b040265c123acd9ad84f72cf6a6b78092bddfbd6533b62d45a1251b66", "type": "new_terms", - "version": 3 + "version": 4 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "0c5ba486bee0cc0f0fe8315f14137e5a0062539cbb92e1a748fe09f9371887c7", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 414, - "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "1aefbec4935b19811f4b8ec91466a3726ac0e9ceff35b20a76571ede0a753046", - "type": "eql", - "version": 316 - } - }, "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "b1e1ffa2ffa385597f3e15523743b90d7750dbd78db3790213585db3f9c79dc3", + "sha256": "904cd102108c369a24d0887bc0220f55ff48e2e68d68f51e1a4ee5679700d72c", "type": "eql", - "version": 417 + "version": 418 }, "3302835b-0049-4004-a325-660b1fba1f67": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Directory Creation in /bin directory", - "sha256": "e2fc0d10f43934c5dfad79a4f0f2618e38c52f91e897b1fbbaeb75b7d2ae0749", - "type": "eql", - "version": 2 - } - }, "rule_name": "Directory Creation in /bin directory", - "sha256": "bb642177d5cb1e1bc0f9a0c4cf899a157c7980be76dc66f26d4ba3d13f82b8d6", + "sha256": "1d62a522fbd5243f9634294cee047e72f0bd7e8de2e2fc837d0c1c572c5befac", "type": "eql", - "version": 103 + "version": 104 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", - "sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46", + "sha256": "9fa9b45d5cf8e8949605d99781620724e2fd28010614f957236f1bb5a892191e", "type": "query", - "version": 
209 + "version": 210 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "ESXI Discovery via Find", - "sha256": "e945a579fb2d4bdd868c12f606098cd96cd82197b76142880a5deab1ab401ab5", - "type": "eql", - "version": 8 - } - }, "rule_name": "ESXI Discovery via Find", - "sha256": "ca86b5108a30b8e67c15162b0055562e937ab308d0406d129bc9ad4e2148f2e4", + "sha256": "64016260db97fc0a24b5561d293f27efd91e7df8904220c828bcf982b77abcae", "type": "eql", - "version": 109 + "version": 110 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", - "sha256": "2d6cac53a7d7baf61d489765382f2b2d431be53f846101569f7e49a35e59df98", + "sha256": "4e756d068c2e9ed120b6233fa877468317a79fd65872a1f792fe87d6f42be5ae", "type": "eql", - "version": 111 + "version": 112 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container", 
@@ -3501,103 +2020,58 @@ "version": 3 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 202, - "rule_name": "GitHub Repository Deleted", - "sha256": "bbc9f533b703f0f2a2aec221e6c184c662bae31b89b8e01b2a7483f00fdbb84b", - "type": "eql", - "version": 104 - } - }, "rule_name": "GitHub Repository Deleted", - "sha256": "680ea8566ca2b5e114053f331458450f3a9fdbdcda67246619a56e3304d7d4bb", + "sha256": "b80f79376c610ff0a430bb85a81b55a0fbe3592022a303dae37c4f86207c151a", "type": "eql", - "version": 204 + "version": 205 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", - "sha256": "0d6e63fdb711a79ed9a8236fbfa447b8dd9cd9c750fe206e4f69d544b4cb7127", + "sha256": "2c35b4656d6c97c22d756d3cb8f79accc845a543338bf1178f5ed55e04b74b62", "type": "new_terms", - "version": 2 + "version": 3 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", - "sha256": "a93607d49470b41ab526136a54c50d0d65923b7af46008f570ecf780090ff342", + "sha256": "8ff391d94daf4bd23c44706255d1e099259a3ba708d20fb059968cc6f8debcdb", "type": "query", - "version": 107 + "version": 108 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "93108f6db43019bf85a026b0e1a0283d1387d43696c8cbff0338ade95de87373", + "sha256": "dedd9c3cbc7712d5c42aa18c39d957eac5a7efb2aa2ffcb1625b1a5edb5bd368", "type": "query", - "version": 107 + "version": 108 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Port Forwarding Rule Addition", - "sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 412, - "rule_name": "Port Forwarding Rule Addition", - "sha256": 
"a5d70c0995622fa1e034a975d14f87929c6bb6032e2a8b710c5619638eeddef7", - "type": "eql", - "version": 313 - } - }, "rule_name": "Port Forwarding Rule Addition", - "sha256": "1cc79e2c4f68e45ffdf9e7e58a3a627ca8fd4f5577008f4af3b2e0cc353dcd19", + "sha256": "4926f98869b83eed0749fd03bb819041c163ce6d653825756280739284bbed15", "type": "eql", - "version": 413 + "version": 414 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { "rule_name": "Spike in Bytes Sent to an External Device", - "sha256": "b78351582a7ddf68ad29828252540753accedab11361b21c3cb3cfdcd7ea6da0", + "sha256": "5745d4bdbaefb2afa5997ac4f1df178eb8383d50e4a025ed14b41e29ae0d50fd", "type": "machine_learning", - "version": 5 + "version": 6 }, "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { - "min_stack_version": "8.13", "rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts", "sha256": "3f28423faced2b8aa0493681362683f095c9464aa5ecb67465ac44f2694aefc3", "type": "esql", "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Unusual Parent-Child Relationship", - "sha256": "d1997aecd63bdf78d6a33f57d17ebd466ad6d7b59bc5c9eec9d99fa339cc883b", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Unusual Parent-Child Relationship", - "sha256": "a7bf02c5ce9115c129f0c257b37f8d3759ee1de5c93e961c678bc6ca1e5ac53e", - "type": "eql", - "version": 215 - } - }, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "63739523a9c101ce0f6304534a8a20f2b7177870efdfb4f8342beec9b6d01ca9", + "sha256": "27c29f3cb0b52ffb9e632f99d66f4afc5a8cb971f35e7b1a7c630bc3d4360ff2", "type": "eql", - "version": 316 + "version": 317 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "cb3f4e2e92eeffed4bd1250dcc2811b1e4ee69877e3d14a107578a5b0d10fe24", + "sha256": "8ecd1cc7d4711726c346fbf557911e258cb22ae5e2971c8f4e953919c319f8e9", 
"type": "machine_learning", - "version": 105 + "version": 106 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", 
@@ -3607,66 +2081,39 @@ }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "rule_name": "Process Started from Process ID (PID) File", - "sha256": "f8a2d53db2c5e3651899228d2e535106845b0cdfa6f926feab75424975c566f9", + "sha256": "8602887b7551d8a25aac769e63eb91002a965a960bf39b3658b791a8d1cb5311", "type": "eql", - "version": 112 + "version": 113 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "e0de6aabadb9b3edc0355ae72df8fa446a91a842ef12b8ef6ec687e906c931f5", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "cd1475178a3952f625d34aa54ca62f9221babf15037db6ad279da8a14ec58ff7", - "type": "eql", - "version": 210 - } - }, "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "3cfd44cb623fa5f87fb2bc4b70fb4825b8c30cc422f5ca4959f8affa6a59c239", + "sha256": "fde742d42b6efd6852acb5e55600159d3922c7b82f96441b7d26fb82374273c5", "type": "eql", - "version": 310 + "version": 311 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "rule_name": "High Mean of Process Arguments in an RDP Session", - "sha256": "0375f50891da2c560d538d9af682bf73815c0e8097191a66c4b7ad3d2d9f85a0", + "sha256": "c3120b0aa2240885dccc58b847aa1a13db940c88dabc5183736cbd25fb06db73", "type": "machine_learning", - "version": 5 + "version": 6 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Potential Suspicious File Edit", - "sha256": "85b4308a095fda0a1a41576379cf8ca6d2bcc3ddb4aaec2c851eb2c5f083e6f8", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Suspicious File Edit", - "sha256": "31e966ef88fd66e843c9134cfc92578f0c0ef1ff0b8af97d7c96049d2a31ef5b", + "sha256": "0b51a4557c5ac6047bb099ea94d918d2ba802827845c1ba5442d7c056200932f", "type": "eql", - 
"version": 107 + "version": 108 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "AWS RDS Security Group Creation", - "sha256": "2d9a2d2805620d5537bdc598986669726205be63bf72fd472e586860559f3c15", + "sha256": "abe985b06bbb9ae251f19288b5dfa7877ca05a5b85f24a149bf15db0b4beeb87", "type": "query", - "version": 207 + "version": 208 }, "37994bca-0611-4500-ab67-5588afe73b77": { "rule_name": "Azure Active Directory High Risk Sign-in", - "sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a", + "sha256": "5eb375d6c40080659d38aa82ca95b80a5c536af4fa63832ffa621e1257a5acd5", "type": "query", - "version": 105 + "version": 106 }, "37b0816d-af40-40b4-885f-bb162b3c88a9": { "rule_name": "Anomalous Kernel Module Activity", 
@@ -3676,90 +2123,80 @@ }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "rule_name": "AWS SSM `SendCommand` Execution by Rare User", - "sha256": "713fd8c17945bb80c3b98f60f14f907c30c2a333641b4671b9a0c3ff0c5618f4", + "sha256": "9bcb7007cf0d02f708253ff438ac25c883112b179595c431b585e3664f9c75cc", "type": "new_terms", - "version": 211 + "version": 212 + }, + "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": { + "min_stack_version": "8.18", + "rule_name": "Spike in User Account Management Events", + "sha256": "091759a8144570c26dfdc9e2febd37e94c5d592a9b45bbc33349cad978920517", + "type": "machine_learning", + "version": 2 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "07c83ef04668d1bdbd5e1cdf83b4d25f717a72d4984f78fbb7bf40d3c9973386", + "sha256": "500c4ed910e97f966b0f4dba87a44a420e274aed0bfad646cc413bac73a50b31", "type": "eql", - "version": 208 + "version": 209 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 309, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8", "type": "query", "version": 211 - }, - "8.14": { - "max_allowable_version": 410, - "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8", - "type": "query", - "version": 312 } }, "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "335b721089e14060d49efd5a24e91c1234579d86f289c8e2d55a68f139685424", + "sha256": "636b073c33a8c19e7b92d2026cdda3d90db816f843e47016d4b0c9c593a083d6", "type": "query", - "version": 412 + "version": 413 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 214, - "rule_name": "Network Connection via Certutil", - "sha256": "3f6234c8ab1d36fc0aee41b20d47c226fdddafbf988fd7a990edd1967bb6c123", - "type": "eql", - "version": 116 - } - }, 
"rule_name": "Network Connection via Certutil", - "sha256": "ee7de9f4e8ab3c5761b6312c919095c5cf492a9db5a0723c83799fc34b584f5e", + "sha256": "715df2c7bd21ee0b3136f9dcaf88ee3aa30f53332aaf8b2190d4f9a36a0c4698", "type": "eql", - "version": 216 + "version": 217 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "747ae073e6f03ec1932651971bc68d7027e59a836270303d10e85ed668e15563", + "sha256": "dfb5498fb2b706a6ca8e4cccca9cf7e6cfdd62dfdcefb194147656a2889138b4", "type": "eql", - "version": 210 + "version": 211 }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { "rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations", - "sha256": "0300fec34ca31a5cea787eaded914a17bc72892cce35401a358a0cc6aa49fb1e", + "sha256": "2304d2d28c8f1c9879d7026dd1d98a702b7ae69d8bfdb09fa94f765121a081fe", "type": "threshold", - "version": 3 + "version": 4 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "User Added as Owner for Azure Service Principal", - "sha256": "c794cb33079d83fd0ff1a98396f73fc84073e6498982afb0f9bc08d82db37dea", + "sha256": "51d3872acf4e8e572b20302878124ce1a07f99c4356703a2f4765c0acaa1e284", "type": "query", - "version": 103 + "version": 104 }, "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { "rule_name": "External User Added to Google Workspace Group", - "sha256": "c3493126c9accd6f626f2aa40ab74be96a664b87ceabce37843cf4e29b8414bc", + "sha256": "bef99a1a751c871a18d6c1f07ff62240e2794509e8b48a88b7975b86c86d371c", "type": "eql", - "version": 3 + "version": 4 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "60c301aadbc57095fbb764f310effa2a4d569269d7b1baa6f08adde2b312328c", + "sha256": "999c9153b44458674251b88ead57fb6495c4925deff4464ab25f4b56c645edf2", "type": "query", - "version": 207 + "version": 208 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { "rule_name": "Downloaded Shortcut Files", - "sha256": 
"6c9bc695426f3a54fae927672294c7f2717d5cad3fcbfb5f08b482c14ca8939b", + "sha256": "147883e10ca4666bc9453f1dcf999d93504a2d613579832278c2d6b1b87748a5", "type": "eql", - "version": 4 + "version": 5 }, "393ef120-63d1-11ef-8e38-f661ea17fbce": { "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls", 
@@ -3768,78 +2205,34 @@ "version": 4 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "b4336a223059e535a011019a1195afac85891381ddf49844a802db5e2b477d60", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 306, - "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "6fea9ce2228537a8fdd8bed28be66ad7dda0b6cab23977c97c5c546f0d948fdd", - "type": "eql", - "version": 208 - } - }, "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "e8b70f2aab1ae0ee6ed818eb7bb5e7feb7fb75ac124680f6f0e9e79ae7395e46", + "sha256": "747a1a51a252be37327bffad23b60b5d2dd56806a092cd30894aaf661dd149c0", "type": "eql", - "version": 308 + "version": 309 }, "39c06367-b700-4380-848a-cab06e7afede": { "rule_name": "Systemd Generator Created", - "sha256": "e121d39bd55b1f521c46bde65369f4dc594bf36659e4f5ccc0716bc3a1179e46", + "sha256": "f71b843e0cf218181a39793c506cfacc6bbe43b0cae4d011387d17df40cf6489", "type": "eql", - "version": 4 + "version": 5 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "fc1b169b413a359de4934f4cdf8bca79458b0cd5efd1a93bba0b8a05aba10b7d", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "24c29c38a11dbe12d6e222a3d69e4c47f41ad46b16d07ca3a63daba9ca761f6d", - "type": "eql", - "version": 212 - } - }, "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "b6849461e18e497a4263083d82b749167b7e60058fe7cf9b90db792dfedbc744", + "sha256": "7bad6ed215a7f269e1c96acd6ce625ff7debff4b9de20ca2e0c862be2badbe6f", "type": "eql", - "version": 312 + "version": 313 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { "rule_name": "Suspicious Module 
Loaded by LSASS", - "sha256": "e01f62982334437f828c2aa0c07b8867b2b9811b190a82c5b871d1f47226447d", + "sha256": "f61077a40c3f76617d26e5ab62884dd9a4a65522237373a4ddfb27f3f7c843b6", "type": "eql", - "version": 10 + "version": 11 }, "3a657da0-1df2-11ef-a327-f661ea17fbcc": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Rapid7 Threat Command CVEs Correlation", - "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1", - "type": "threat_match", - "version": 3 - } - }, "rule_name": "Rapid7 Threat Command CVEs Correlation", - "sha256": "eea438035c9adcd9486112d776374a2097e248b2311e73e0feb0d239e6507a7c", + "sha256": "d52a2f733baae3d047d493f476d6e3a0046e77a6624d979ee53a86b84c5ec7ab", "type": "threat_match", - "version": 104 + "version": 105 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", 
@@ -3848,274 +2241,148 @@ "version": 100 }, "3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": { - "min_stack_version": "8.14", "rule_name": "WDAC Policy File by an Unusual Process", - "sha256": "640dfc022ddd5eeadf5bb3e60d197db1c475d8e6f2e672c0eb61b1c5390c98b8", + "sha256": "a1836e838685773055977731cbf37f922b1c621ae39a7deb6b5de0b8fa0c08dc", "type": "eql", - "version": 1 + "version": 2 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "32d8adf51c1b7880e73d4cdb4e6b9e4a748807c35a66aea5866abec659490bd6", + "sha256": "c3da64727ebbb6eb100c0f450ac54da7f9c271bcceb8944861f9a7cbd76f983d", "type": "query", - "version": 106 + "version": 107 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { "rule_name": "Azure Full Network Packet Capture Detected", - "sha256": "136ba855c996285fe602c5a751d85e4d5597adabab876c0840fb892207d97fb7", + "sha256": "00e99b16e90e0481243974e38721a6c763a2eb79fc033ccc534dcc298749e9b2", "type": "query", - "version": 104 + "version": 105 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "First Occurrence of IP Address For GitHub User", - "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a", - "type": "new_terms", - "version": 104 - } - }, "rule_name": "First Occurrence of IP Address For GitHub User", - "sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54", + "sha256": "1264b7ccb835d3b7b117a0b019b5766b8ef088e9325e571dbb83c327eabbc721", "type": "new_terms", - "version": 204 + "version": 205 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", - "sha256": "f47e578ad81a99ac6ee1bd6045dddbe2ded14cc8f273b02f0f64ab04824557de", + "sha256": "e1d1e24c41ffc15f2af27ca5bffcae7132edad1fef3f0ae1b8f21d8428eedda5", "type": "query", - "version": 104 + "version": 105 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { - "min_stack_version": 
"8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "9bd527185ec4c38596e49c3a7ad276daa080ef3cf609a464de4f59e21fc1080d", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 412, - "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "fbe869ca88d432de9d48ffbb12ee20f5a623aed0aab53eba99bd3e08daf687e4", - "type": "eql", - "version": 314 - } - }, "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "ae201f63b498ee9be3fb10b20daa1fefbe924dae1f8f7aecdfa986d172ae93e1", + "sha256": "fed55cc64747d28c377c068a1e5e34c38de8d120d07a075be739341a756199bb", "type": "eql", - "version": 414 + "version": 415 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "NTDS or SAM Database File Copied", - "sha256": "e7e2e6f51e3b146d38491ba00f4d5be16be218fd4df4c1722005f294e0748e60", - "type": "eql", - "version": 116 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "NTDS or SAM Database File Copied", - "sha256": "99608742b50911e3c5274d4ce68d799cf51f8ea8f82fb9244218fdf266a5cdbd", - "type": "eql", - "version": 216 - } - }, "rule_name": "NTDS or SAM Database File Copied", - "sha256": "14fa291c0e479222e6175385f35702531994795946c66295ddec4f95b50845db", + "sha256": "4bae908c5a79fa32bd9121daafa8c84339d5bc3ada00d397b3f57c204b48b88d", "type": "eql", - "version": 317 + "version": 318 }, "3c216ace-2633-4911-9aac-b61d4dc320e8": { "rule_name": "SSH Authorized Keys File Deletion", - "sha256": "6a7e18a2fabb5285a089765d9d4c16de1592997eecb27bac79bf2be84bbd55d3", + "sha256": "a874e891f85cf777caa13cf5f487834bfbe3f4aec7b20bfa94f8355199410019", "type": "eql", - "version": 1 + "version": 2 }, "3c3f65b8-e8b4-11ef-9511-f661ea17fbce": { "rule_name": "AWS SNS Topic Created by Rare User", - "sha256": "c43f75e8638f5a0adbbaa3444549c88d148284a440eada3b2984073e0d6a5f24", + "sha256": 
"f4c1e27062195f25c391ca50e55165f2d469910345d8d3b59079bccf61c9c893", "type": "new_terms", - "version": 1 + "version": 2 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "rule_name": "Unusual Linux Network Port Activity", - "sha256": "c64036bdf9d9943178534e62dec4700829eb822cd497d08d1ac1d8f838d9d342", + "sha256": "11f9e258fca8b016bcc6e9d093bb216ce76b2e7e63a94029e9bd53c7ae53bcbf", "type": "machine_learning", - "version": 105 + "version": 106 }, "3c9f7901-01d8-465d-8dc0-5d46671035fa": { "rule_name": "Kernel Seeking Activity", - "sha256": "83cd6048f2f8d9427ced895179a1e5738b897021229fdedc39298f70b8fd527e", + "sha256": "ad00a1be909488985abecf7e45bb750e1bb8f509358a0f7115dcaa58f4541c78", "type": "eql", - "version": 3 + "version": 4 }, "3ca81a95-d5af-4b77-b0ad-b02bc746f640": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Unusual Pkexec Execution", - "sha256": "39004fc8c21df3175d05b13e4a85cc34c55f385af7ce819312b04b1a4df1148c", - "type": "new_terms", - "version": 3 - } - }, "rule_name": "Unusual Pkexec Execution", - "sha256": "72cce527b0f0efd2f300fcd93f1c0273b4fd5476d6771008722109e0923882a1", + "sha256": "2c019f5e4f614ae799830385754bea7fa60f424a28db6a1422fda653e175f054", "type": "new_terms", - "version": 103 + "version": 104 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "9a8b7d4f395146c067ba15784a025d26856d4595658268dfb01fcc8117120808", - "type": "eql", - "version": 5 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "a9449e758953000ec34ebacbf23f4b51f7f9a60c0a82c08b8aa837d7b750e77a", - "type": "eql", - "version": 104 - } - }, "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "7537070f3775a1dff89d78c8ef5ae633d97e6cd0a32180d83b000540270ab29c", + 
"sha256": "3c2170023555c5da90f51d4a85ef15c775c752d630f969063b3f7f9307d1cb9e", "type": "eql", - "version": 205 + "version": 206 }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972", - "type": "query", - "version": 6 - } - }, "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "3eb8a1947715938780e819d71334fd11a170328f2310ffc13b69fc69fdf047fb", + "sha256": "fc715139a0d138e7ea48cbfe56feda5769267d2ecd173a83c3461f87f8fb4fde", "type": "query", - "version": 208 + "version": 209 }, "3df49ff6-985d-11ef-88a1-f661ea17fbcd": { "rule_name": "AWS SNS Email Subscription by Rare User", - "sha256": "751ec873aa2cdd759af5f845488173565785844485becbea7a597d5e5b5586bc", + "sha256": "ccb9ecb42f8c02bf5bc63795034c32402e71331da70efe089ca4834f6fceeb98", "type": "new_terms", - "version": 3 + "version": 4 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", - "sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262", + "sha256": "4e43bfa9122b5eb72b4794253ba71abf38c351158ad95c8c230608228385dc18", "type": "query", - "version": 209 + "version": 210 }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { "rule_name": "Spike in Number of Connections Made from a Source IP", - "sha256": "0c33ca9283c1c2552060c3b5000ec87d338048cd715f4e7be2d3fdefe8a28fc0", + "sha256": "224cc6433805fd2c3c57531603cb4dba7a52f6d1afcdc1fe9b263dab2fbe5214", "type": "machine_learning", - "version": 5 + "version": 6 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "179cea119143b4ac449008db8f5bce05e743da299c57ecb9c2599d4ad223cefe", - "type": "eql", - "version": 9 - }, - "8.13": 
{ - "max_allowable_version": 206, - "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "89a4b41e934b13c0e79392e7730805f3e18c7d8cb6c3121b8b54b69a1aef8450", - "type": "eql", - "version": 108 - } - }, "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "c7ce8b4413d99ed660c419bd822448ecdb2bb29f85095afc3954b5b698f0510e", + "sha256": "1c1d9f823070989ca3d40d8b4b612a930c6aed9df95cbe7e46e7f70293d17b52", "type": "eql", - "version": 208 + "version": 209 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { "rule_name": "Kernel Driver Load", - "sha256": "383925a7469fa24f12272515f90f29aa907b908a1f8cec676765b5c5cc5155d3", + "sha256": "9623b7adf3b98086434947c34cf6bc971d698eec9d856b9e2e3ba07b870043a1", "type": "eql", - "version": 5 + "version": 6 }, "3e3d15c6-1509-479a-b125-21718372157e": { "rule_name": "Suspicious Emond Child Process", - "sha256": "cc6f26cacff5fe4dacddeb8cb12eb8a140c4db55aed0d450c18d7175dab3f260", + "sha256": "e66456afa8b35058a74efb15de43268e0c91e60936eb36af937c5239634f93f6", "type": "eql", - "version": 109 + "version": 110 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { "rule_name": "Potential Remote File Execution via MSIEXEC", - "sha256": "66d3c7048c18aeeae2d032d26dcdc294b41eb32679eb445839815f7fcf66e4a8", + "sha256": "d1b745a651a514bb39e3a6973ebcf1c64718df7830ddc738ba9817bc69ae052f", "type": "eql", - "version": 4 + "version": 5 }, "3e528511-7316-4a6e-83da-61b5f1c07fd4": { "rule_name": "Remote File Creation in World Writeable Directory", - "sha256": "36213518f2d51d0a8ca479b72244b5e7b65ac993cf744418fe69792d88c2f825", + "sha256": "43a9d616b35b1deac391a3d369df69a2a21404497b1bb14e26dc1a53876078c0", "type": "eql", - "version": 1 + "version": 2 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": 
"abfd83fc5f72d9b12cc92cb190d7f4e9f759d7e1b048db54399447345f56c2f1", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "0b2a37b4cf28a7d2b8c35dd53c83291ceed82fe166e96bbe2678a2eb1c0b20f3", - "type": "eql", - "version": 213 - } - }, "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "1468f7e6e831e3af972a832a3504553bafb48b5b69afdfa59403fbbc96d1ad85", + "sha256": "5d3d7dc34146f83a863fe7c55f8f1bc7d56a5e33b75e9d77562cf19b3bc7652e", "type": "eql", - "version": 314 + "version": 315 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 307, - "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927", - "type": "eql", - "version": 208 - } - }, "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "be4f79a2a38ca61332f643c365ce4e3776f3ff9a73f6887ef1aa6d67d5153a22", + "sha256": "7c73017e6b329010f74f02bd06521eb0b0ed985c0d56b65794fd126aaa8ee9fa", "type": "eql", - "version": 308 + "version": 309 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts", 
@@ -4125,205 +2392,117 @@ }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { "rule_name": "CyberArk Privileged Access Security Error", - "sha256": "1a8ce0d911498f3340f7c6af2471615c1614881de45680175490600cd63fdad1", + "sha256": "45be023027bd57b9255faa87eaf79a9fb5567acab4a5b14551c9f3ef64f59692", "type": "query", - "version": 103 + "version": 104 }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { "rule_name": "Potential Protocol Tunneling via Chisel Client", - "sha256": "1d1f416f81da795677d9450e9bca8918c099440231a9d8129ff100cca36e03c3", + "sha256": "c8050c8ee01c138b8d1d31e4e67f094b0f1f05df2ac073d4271dcac5a5037a57", "type": "eql", - "version": 8 + "version": 9 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "ac26f5075bc208ba1b094437f5908ca1879c9b0bd6c5ba6a85a2de0e3dee8f17", + "sha256": "d59511ea25b0421138c4852c5dc6a049c2005bbb3dd874b22bd73356c4a93a79", "type": "eql", - "version": 112 + "version": 113 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { "rule_name": "Process Discovery via Built-In Applications", - "sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07", + "sha256": "fe6627cf2f70956978fe5c9185b371a7f2ffed9843fbde9e265cfc1bee3d2d55", "type": "eql", - "version": 3 + "version": 4 }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { "rule_name": "Unusual Time or Day for an RDP Session", - "sha256": "19b368441d2d3df9e36cec3f78601af029ba7a4ad96080e8a8a260e0062e4014", + "sha256": "8ba665f334b7165f166230e61a2c2ddf9e8be409c290a43e50b08ac186fa606f", "type": "machine_learning", - "version": 5 + "version": 6 }, "3f7bd5ac-9711-44b4-82c1-fa246d829f15": { - "min_stack_version": "8.14", "rule_name": "Command Execution via ForFiles", - "sha256": "30f1410a357c558927f5cce5f2d9674c0e66b3fcd0ccdfed460da52ae466ff4a", + "sha256": "d6605b494092cc1a6bfe11ebf5dda27d447d29406e53d40ca97c42f68b2066f4", "type": "eql", - "version": 2 + "version": 3 }, "3fac01b2-b811-11ef-b25b-f661ea17fbce": { - "min_stack_version": "8.13", 
"rule_name": "Azure Entra MFA TOTP Brute Force Attempts", "sha256": "096663ac4f2f65728b65859267b7a5df52cae07f45541fc4df53d7d2c0162a1c", "type": "esql", "version": 2 }, "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "DNF Package Manager Plugin File Creation", - "sha256": "fac0417f4ce9d3dd3a95c48c5bc2916286db6bc572c8a5e31160761ffae8cf56", - "type": "eql", - "version": 4 - } - }, "rule_name": "DNF Package Manager Plugin File Creation", - "sha256": "9720e2ceb0deb64ad3773f7fb220ced4722d2586e68fffe60616480b49faf4c5", + "sha256": "4dd7bf7ab6a2635b73d5ba1143c6c2456ae81e5df1f9c63bbfdb61c0a7082900", "type": "eql", - "version": 104 + "version": 105 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Unusual Process Spawned by a User", - "sha256": "224877a0c6c75c03df527910da6a040b10e978b5277a900b3a5ebd606e5dcebc", - "type": "machine_learning", - "version": 8 - } - }, "rule_name": "Unusual Process Spawned by a User", - "sha256": "c26260d1977bf5bdca1f886c44ec9eb78f3a2a3f006f7c578474c60debadf653", + "sha256": "fcd7c4ae47186abfb1c69e19a6282a77a8b85b66ba40f319e173bfc8601ae5ca", "type": "machine_learning", - "version": 108 + "version": 109 }, "4021e78d-5293-48d3-adee-a70fa4c18fab": { - "min_stack_version": "8.13", "rule_name": "Potential Azure OpenAI Model Theft", - "sha256": "30578c829bb5b7d12461cb21a6ff53be883d722a8abb7fd76096995c7d54f268", + "sha256": "ef195d098178a2dc0f66928ae6cf38dbf7eb1d7d847a573cb7236fb5b7a157aa", "type": "esql", - "version": 1 + "version": 2 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "GitHub User Blocked From Organization", - "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6", - "type": "eql", - "version": 104 - } - }, 
"rule_name": "GitHub User Blocked From Organization", - "sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e", + "sha256": "adfa045eb620ff2149793c19ef28a5159dbc6863684609b61e4b3033b25441e3", "type": "eql", - "version": 204 + "version": 205 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Unusual Persistence via Services Registry", - "sha256": "f1c3d405ae61b94497a8a3b5ee7ad7b72dcadfec716c42f2975f6e18b624ec88", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Unusual Persistence via Services Registry", - "sha256": "a73f4f5a3392e6fdcae94374c133aa55cd47a2a5f09dbd25ddec84a3f5d3f29f", - "type": "eql", - "version": 211 - } - }, "rule_name": "Unusual Persistence via Services Registry", - "sha256": "5e43f778807201218a8a3cd2b8d33600b9cad394bf1d10a1a6a2bb8219170ffe", + "sha256": "443e468971099009defe943f52c3f094cd47db9ee6858147f4aa55a5852df2d2", "type": "eql", - "version": 311 + "version": 312 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "rule_name": "Suspicious Modprobe File Event", - "sha256": "d4f1d5fc1a70a2e0a60cefc3b2923c55452347f28b90e20a3625f397c32db48c", + "sha256": "f0d133f35bae4d0eca42ae34963c7af02c3203f4497b6bd6c6348e79e882f03b", "type": "new_terms", - "version": 108 + "version": 109 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Unix Socket Connection", - "sha256": "66104dc588552246b0806f00f248c812a63ff54ca038949740267b9b913b3ec0", - "type": "eql", - "version": 4 - } - }, "rule_name": "Unix Socket Connection", - "sha256": "2352b712067a95cbd788c45281d87669b418cd69b48f3cb97e10284c5d8b2777", + "sha256": "5e00ab9e5faf69b3d397b086a6288dfaab171336d9624359bad5d1c154c41a23", "type": "eql", - "version": 106 + "version": 107 }, "416697ae-e468-4093-a93d-59661fa619ec": { - "min_stack_version": 
"8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "78c5895b416222839fc4b6839d36612b1a0f0e27a9024d52f91607da235123e1", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "0f1715445403c50fbe30f1278c990d21dcd72f121bf8a03d91d63ff14c00a19d", - "type": "eql", - "version": 214 - } - }, "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "311c4b3abd771bf6dbbf76f79d3b9fa882b6979c0298c1d842b6c8a780fa4117", + "sha256": "82cb328093e9d934161e638b4116a7be7eb6ed75b26cbef385901dd33f50beb8", "type": "eql", - "version": 315 + "version": 316 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "First Occurrence of User-Agent For a GitHub User", - "sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d", - "type": "new_terms", - "version": 104 - } - }, "rule_name": "First Occurrence of User-Agent For a GitHub User", - "sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952", + "sha256": "5115d1328e7c1cad8d8f61e9737f4ba77d8f99c696ff5a2c77008045ab0793ec", "type": "new_terms", - "version": 204 + "version": 205 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "EggShell Backdoor Execution", - "sha256": "f97c48740ffa8df05329c651c9620651fc36b543d6cdf582bec60f4945539c70", + "sha256": "bb47a186a7b2737b148006d3517c4eaac30b63cf92ce668687dd06dcc55c1f6b", "type": "query", - "version": 104 + "version": 105 }, "4182e486-fc61-11ee-a05d-f661ea17fbce": { - "min_stack_version": "8.13", "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public", - "sha256": "f5901faceadcddad30aa0d48e7489446e561374f349a4bacaf544f9c5c418f6c", + "sha256": "8e761cae475d2ad1f1ccab98b9c8dbcb1ba6a2ed51cd309d4481595eaf355106", "type": "esql", - "version": 4 + 
"version": 5 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "777ea9757b7d3052124e6cc8d8748e0f0b03cc82e8c82535853132c99389a688", + "sha256": "bad7f35f80c24449fd1d672b897f45f737dc2ef3015ef109afbe4ad885e9a82e", "type": "query", - "version": 107 + "version": 108 }, "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { "rule_name": "Deprecated - Mount Launched Inside a Privileged Container", 
@@ -4339,54 +2518,37 @@ }, "428e9109-dc13-4ae9-84cb-100464d4c6fa": { "rule_name": "Login via Unusual System User", - "sha256": "98d6ad1428c6a1aa6239bfa75936d88f18749d6fb33d148792889108ee6f792a", + "sha256": "1420e0204ed618ab159e076db635864980c6c67715ae408abfe2428d7a781d11", "type": "eql", - "version": 2 + "version": 3 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 310, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a", "type": "threshold", "version": 212 - }, - "8.14": { - "max_allowable_version": 411, - "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a", - "type": "threshold", - "version": 313 } }, "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "7de53603ee4b0fe24f98d5eac198e89c58e92243d6a6e67795968369a9fff2a3", + "sha256": "22be760b417fb1850285434c5ec09d39560a75cdd2146d8a1ded5ef5c4a56d40", "type": "threshold", - "version": 413 + "version": 414 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 109, - "rule_name": "Process Creation via Secondary Logon", - "sha256": "f79e046cbbec23da583f5a9a5ff0c2359af0a92b60efb6da01790d90fefb9cb9", - "type": "eql", - "version": 12 - } - }, "rule_name": "Process Creation via Secondary Logon", - "sha256": "0f366e14695fce4131d2de09a7d46f8a0d1e897bd78444ef5ed8bbce30a30770", + "sha256": "6aeffa394b038e35cf613ccbd2f6b10d79664062acd3e3de4db7fa16a771d1c1", "type": "eql", - "version": 112 + "version": 113 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "rule_name": "Unusual Login Activity", - "sha256": "eb323bc47a138a26bc5bcd92f8c25da588ca83b5b8dd6a8e7203111d13961caa", + "sha256": "1d33b43f6c576bad7e11ae2aba3109cf1e7c811b7704ca80a5425cc45e67de44", "type": "machine_learning", - 
"version": 105 + "version": 106 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", 
@@ -4395,199 +2557,88 @@ "version": 101 }, "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Linux User Added to Privileged Group", - "sha256": "9ea5cc7a7d60adf681ee39ab6a1c142f5864ce9d989756808a78d1d00b5e0a1f", - "type": "eql", - "version": 9 - } - }, "rule_name": "Linux User Added to Privileged Group", - "sha256": "dfd9d0ca4de23654268f056431b3427be368d9c063d5991111ed78363645dc4f", + "sha256": "65b93d1da578950c21d962ac5cb37219d48010477035589bb3066abe7ca75197", "type": "eql", - "version": 110 + "version": 111 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "3093b3093e9dfac5593dd9dead91b15345100e95d1bca816d602302c4ad03332", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "83e9d41fa1688f6e43f49b8f90e227adc1faa9a2cac3db9e262c7d452e68bc6e", - "type": "eql", - "version": 212 - } - }, "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "c0608c95611f1a89e093cb3a0b2080c46a012ec91358883418506af1cd874eb3", + "sha256": "784d8fb4b9098b300294e7a4a4cb53f3157509f32b91d8ed073071cd13d2bc69", "type": "eql", - "version": 312 + "version": 313 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Unusual Windows Path Activity", - "sha256": "67bd807b50763f06dc6861bd1b4a7ad996afbb5766a7dc22bec1762999b6b281", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Unusual Windows Path Activity", - "sha256": "0c67162e07a41a693f97af4942752d9557c76b058a4fa0df6be8777647152a80", + "sha256": "ebd6ec623104bfeae184c449cfc13dedcd496c3720d40df04259cff4d7b1956b", "type": "machine_learning", - "version": 208 
+ "version": 209 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { "rule_name": "Potential Masquerading as VLC DLL", - "sha256": "7b04571af013a3c9cdefd27690c4a402e9f3399a0a5f61ccf9eb8180fe968af5", + "sha256": "1acb02fcb35cff7d642b71057b912bb57e7f59e873a7edcd393c5e49dfe62511", "type": "eql", - "version": 4 + "version": 5 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 110, - "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "4ed1c92271f971ccdfb787166f5469edc64084f2b7ec98c1c9f03fa7103e1f23", - "type": "eql", - "version": 13 - } - }, "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "d952fa6126823aa4795c6d47b481559663ee4641dff520e86f387180decc8a2b", + "sha256": "1b069620aa666c3998bacdf9ca0c7ca1f43e820531a625fbe8b6195d1f9b2241", "type": "eql", - "version": 113 + "version": 114 }, "453183fa-f903-11ee-8e88-f661ea17fbce": { "rule_name": "Route53 Resolver Query Log Configuration Deleted", - "sha256": "bca21aeb358e7719e930c2792a3c5b1b899b86341952c8e0acf0f7a4fa84d36b", + "sha256": "7f33a0d542dd4ea020b90ea0f18712b660bcbff8fc9c9ba59aad8da683734c5b", "type": "query", - "version": 3 + "version": 4 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "rule_name": "Permission Theft - Prevented - Elastic Endgame", - "sha256": "bc6f767d4be0de3156f54c606bcf218fc712696406e84ecd976a907d90c156bb", + "sha256": "a9591128215a5ec0b9ebce85a74cbb8d346e601ad9c1a77447b066f0d77cee20", "type": "query", - "version": 104 + "version": 105 }, "4577ef08-61d1-4458-909f-25a4b10c87fe": { "rule_name": "AWS RDS DB Snapshot Shared with Another Account", - "sha256": "ed499f9d7399c1be4f54417888b74be031a5b50a48b1d7c68b8caf33c4e24d44", + "sha256": "b2d760325f5d50c1a4eb1d8475f35e11755540be43e31cd4c1c1ada9c9c50098", "type": "eql", - "version": 3 + "version": 4 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Windows 
Event Logs Cleared", - "sha256": "03df4c9ba83974ad56a692f1e48ad01c5afbc399f016252d9a8f5d25442ad9c5", - "type": "query", - "version": 112 - } - }, "rule_name": "Windows Event Logs Cleared", - "sha256": "b2877be463d6d3476c7945fcff9d4b10cbba5ff4847f04b747a59dad96a73e1b", + "sha256": "dd27d9d9d413267dbdea56e05ca06437f65c4fe198bfefb0d5afe45a4015bd17", "type": "query", - "version": 212 + "version": 213 }, "45d273fb-1dca-457d-9855-bcb302180c21": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060", - "type": "eql", - "version": 113 - } - }, "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "6389d9780340aa3eba76379358bc68062f775f8c23b81e15d7be509e7fcc87b2", + "sha256": "edac65e6cd180125cc58c6f5ff6acf34538b971794289e520347777c94231755", "type": "eql", - "version": 214 + "version": 215 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "500d6f2d6faa250fea7e87e78ccb4ffc1ac323562a22fb542e4733f33c5e1d59", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "2283343e54f8b80901fdb4a190d1faa1cf29da2306750a4c22671e80269315d3", - "type": "eql", - "version": 215 - } - }, "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "d1654db54f8a2c7e763a7c7d1fb20d71cf19355115ae479352db7b977682a0a7", + "sha256": "a1ef085183ddd7c3815f34aa5bf84ec03b2af32fccb8e1bd6d2c17d48f4244ea", "type": "eql", - "version": 316 + "version": 317 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": 
"9738558986f5eefce14d8f415a984acc7980e6eaf9211b61fbccbcf8814b2e06", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "571e3e39632376096348e94fd2d4b9cd15f049eaae21f99650d562ec0140e695", - "type": "eql", - "version": 212 - } - }, "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "cbae5504e94c8d135be970e202b61d75493807ca03a926f3422e7f3913e1bddd", + "sha256": "070a88e75e87679e11cb262cf7a4e5b87b8e97a5a0180ef265f702a3cfc6cfd6", "type": "eql", - "version": 313 + "version": 314 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "rule_name": "Unusual Process For a Linux Host", - "sha256": "6cefd4c22a36577834d4d834fc5c1929fed830cef4703c1df262425f4f6b2cbb", + "sha256": "4b345163c8996a76d03058794c9c829cd969f3a8926fb0d02c1d9aa9b80b7af8", "type": "machine_learning", - "version": 106 + "version": 107 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 112, - "rule_name": "System V Init Script Created", - "sha256": "c38ce796006c8f39b82f0922d30cc71ddfbe8de3d7e7fa13c58947169f07dab2", - "type": "eql", - "version": 14 - } - }, "rule_name": "System V Init Script Created", - "sha256": "f1873f6d75f651d8a741c68aeb9b215cc2750c45bc137afd9a6110af092219a1", + "sha256": "524a7a6b89aa23e7e3b2dc3fabaf8d004d6704c16e042a80eec36bca2942e540", "type": "eql", - "version": 115 + "version": 116 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { "rule_name": "Deprecated - Sensitive Files Compression Inside A Container", 
@@ -4596,36 +2647,16 @@ "version": 4 }, "476267ff-e44f-476e-99c1-04c78cb3769d": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Cupsd or Foomatic-rip Shell Execution", - "sha256": "725b79909f3f199afec5b728eac38e0b2be9545c1c9fb3963576649af48a2e7a", - "type": "eql", - "version": 3 - } - }, "rule_name": "Cupsd or Foomatic-rip Shell Execution", - "sha256": "eb912e24c46ec2f35d9be99c411eb107c6f6cd1ad27b962d4130668320e98388", + "sha256": "8abcf2f4cbb9068f2541e2248bcc6ad69f0524b008125979ccbd728203e1ddab", "type": "eql", - "version": 104 + "version": 105 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "1715a0e265def59183c4652ae4742b17cc3578a5d1132831b499ce28f0c7c4a2", - "type": "eql", - "version": 112 - } - }, "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "4fc3777d4378758cdba6f0626f707192e45e0bb4eabaa43407e35f914e7d6dcb", + "sha256": "079823798d75ae57671ea3b9890d247bb4e458b0bda3977bcdd310cd35c6433c", "type": "eql", - "version": 213 + "version": 214 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", 
@@ -4635,78 +2666,51 @@ }, "47f76567-d58a-4fed-b32b-21f571e28910": { "rule_name": "Apple Script Execution followed by Network Connection", - "sha256": "c9df6be08711e9bd55271efaeed40617ea3dc66efb5a3c472e11ee4b7dffe73b", + "sha256": "bdd7ab476c31706f5785527f8be2fb5a0ef408b989228441b1dd7f6922858ca7", "type": "eql", - "version": 109 + "version": 110 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "60cb1aafa8d037f564143057fa316c87b326346f698ec418f9301fe073ccfc7c", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "b3690c2cb340baf77c176fc9260e8a138d3d86d5be1255fea5db6edd29d029c5", - "type": "eql", - "version": 212 - } - }, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "5be642a84f9f578e4f7ca280227774f6649786fd9f505fd832b741d7e28a6005", + "sha256": "dd671118de91a42c3ecf154d7bada232eba41d2cf55a51bf7487824b33756920", "type": "eql", - "version": 313 + "version": 314 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", - "sha256": "a396e648dc8058d8a7af3f97d34c5784cc2e81b5a1e4616f31edc818a101ddc9", + "sha256": "a212ea59580afc614603150cba5a6a7460981bfd811e9b65304fe3aab8199c1c", "type": "new_terms", - "version": 108 + "version": 109 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "rule_name": "Potential Reverse Shell", - "sha256": "60acdaeb7bdfa3879ac2b58f7e1f303bc1cb6ead52bc7e45ad1bd340aacd352a", + "sha256": "42071b823313deee2ce5961c0fd8d6d88d9ca7c85ef65a77e5edfc3c33dcf8f7", "type": "eql", - "version": 11 + "version": 12 }, "48b6edfc-079d-4907-b43c-baffa243270d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 109, - "rule_name": "Multiple Logon 
Failure from the same Source Address", - "sha256": "d3b2f8128fcad0de701a9aa48b9d8f5259837ff59505a81935bc2e5b6d3f3c38", - "type": "eql", - "version": 12 - } - }, "rule_name": "Multiple Logon Failure from the same Source Address", - "sha256": "d2585f969107cc9ae78709ef7ed7d0086a142fd32b9378b3306633fb87466cc5", + "sha256": "c2b9660463cc7a32915e83a4c3554113d485167b13e404524e55b79f4cddd219", "type": "eql", - "version": 112 + "version": 113 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "52f6b93c3cc0d5c1fb4f6e6db6ed931e29c49ee0e908a1561e09af98dba2acad", + "sha256": "0e717fe5521cb9c151bb4753596913972dffded766ae5b985c5f828424ecea12", "type": "eql", - "version": 109 + "version": 110 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", - "sha256": "070bc3d77b85c97628a5f7626bba0e95d76cf34954f5db82e4abbdd323126b88", + "sha256": "69eb97cebe9865e58affc58241a7ac807567a883ece049d07cafeca1395f04e8", "type": "query", - "version": 107 + "version": 108 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { "rule_name": "Remote XSL Script Execution via COM", - "sha256": "986c22f239fcc3d437e58dcb98df458a9d9435c5f561c9da3628425f6dcd591f", + "sha256": "ab04343de1c1ec9e086a1b917b5cb4afaf0e60d3bb6255eeb6af90ab1da38d46", "type": "eql", - "version": 4 + "version": 5 }, "493834ca-f861-414c-8602-150d5505b777": { "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", 
@@ -4715,26 +2719,16 @@ "version": 103 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Potential Linux Backdoor User Account Creation", - "sha256": "e9fba7cb50d7c0edfe213e52665e64b9fbaf596bbc274d66c2677a16b6524e00", - "type": "eql", - "version": 9 - } - }, "rule_name": "Potential Linux Backdoor User Account Creation", - "sha256": "691cfec23b704e2589edfb62980284fec4ac438776a1a88edb7605ee5e54698f", + "sha256": "4bb38735510e072973f80b2ca4d6101720a709bb1ffcf1af8a96b7572f319493", "type": "eql", - "version": 110 + "version": 111 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { "rule_name": "Application Removed from Blocklist in Google Workspace", - "sha256": "fa0763bb909c5faa492f63ddf49e52ad217b2ba6495e1ea1f66636550d76c562", + "sha256": "5561c06a696c8f3318d406b0fd1838e90f58d30bf0e6606e83d6e53a9adf7fa6", "type": "query", - "version": 107 + "version": 108 }, "4973e46b-a663-41b8-a875-ced16dda2bb0": { "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", @@ -4743,20 +2737,10 @@ "version": 3 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Process Discovery Using Built-in Tools", - "sha256": "d6a6479c0c7905bb1f2dd6b93ad2e973b02944bfa46b720e228d49bb15ccb7ec", - "type": "eql", - "version": 7 - } - }, "rule_name": "Process Discovery Using Built-in Tools", - "sha256": "c6d9fdb39c7405bc9de7c5d374c70044f34ef32a788ca37046a79a6db321127f", + "sha256": "52836212a2d260da0677a7941299da36be98664e8fd37fa50e4230f74cb50bf2", "type": "eql", - "version": 108 + "version": 109 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", 
@@ -4765,20 +2749,10 @@ "version": 107 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", - "sha256": "2bfb9d1c293185db7cebfaf6649ecce4d26ca6bd6e8f6fb252e811960272d4e7", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", - "sha256": "6496b33df954b86a762df6202f068d413cf231e273ca8e1a2c0ceefa6e1d127a", + "sha256": "ebf57027560846533faa68621192dac9c60f890116b7ad0d1ad78daf713b2875", "type": "eql", - "version": 107 + "version": 108 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { "rule_name": "Potential Cross Site Scripting (XSS)", @@ -4793,27 +2767,10 @@ "version": 6 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "5f73d21d945760cc5f0e2e9e4f3a20183956cd20ac5963505a49fc7c29dd290a", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "71f49bcedcd05061a38576f6d9093f3b6b397fb89b780ddaeeb881c146979a84", - "type": "eql", - "version": 212 - } - }, "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "b8fb9ee22e08968e0dc38a4a7821aa9e0f623a492d275bc8d7f3e825532b5f56", + "sha256": "386add74e2146d577e03569d8987736a4299bf5d4c358a932efc23eec21014bd", "type": "eql", - "version": 313 + "version": 314 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { "rule_name": "Deprecated - Container Workload Protection", 
@@ -4822,439 +2779,222 @@ "version": 6 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "ProxyChains Activity", - "sha256": "6d2bb84fbddf0c3a063f3b83fe3182017edbe19020c1e1dafc558ec07a767a0b", - "type": "eql", - "version": 5 - } - }, "rule_name": "ProxyChains Activity", - "sha256": "3ddce01b59f5987dd1a83755af79e6e993de5f67f97b960b4b2b544be9e1609a", + "sha256": "ffa6fa721bd64651471693bcf4bd16054a021f5461e6bd90dead56cf5c1cd47b", "type": "eql", - "version": 106 + "version": 107 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { "rule_name": "Unusual Process Writing Data to an External Device", - "sha256": "ed51342a669aca3acd05b70564dd2b6c9e0ff02f83266d5665ef6dca3851a6c7", + "sha256": "2bd70accd4d5dcbe74e67bd4c2462eba40ce971a6bb287bab60d4054aedd6dd4", "type": "machine_learning", - "version": 5 + "version": 6 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "c6c357f72dda9ad192ec0f1297502bd068bf0cbdcc97ab58e49d86e7cfdde988", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "57c2b49691db8ebbed599f9985cf9d43545ea46a7e458dd4a28bd20f0f0476ca", - "type": "eql", - "version": 210 - } - }, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "724c9eb77e876a0609dca7f377c3b888ee71c8ace7316e67235b6399e7dde6d3", + "sha256": "d11a204b74fdeb2c1247d5b56f17147dd8b65fc830c6ccd2715a57215d1abccf", "type": "eql", - "version": 311 + "version": 312 }, "4c3c6c47-e38f-4944-be27-5c80be973bd7": { "rule_name": "Unusual SSHD Child Process", - "sha256": "1563951eaa26040f25dcd3eae36d9f46c9bdcf45a6f24398ce7a7fc4382da092", + "sha256": 
"5691873471287afa74cc80848bf008c5f62470086d5e8b5f31746e21b806bb95", "type": "new_terms", - "version": 2 + "version": 3 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 110, - "rule_name": "PowerShell Share Enumeration Script", - "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1", - "type": "query", - "version": 11 - } - }, "rule_name": "PowerShell Share Enumeration Script", - "sha256": "fdb260cd12a650f01e9663894e62c091eec9d70cfa7d579f4708358a4415dc9c", + "sha256": "f3a3135a57c36b042393cf11de9420fa0c8118bd72805fc7469ed06a0c922881", "type": "query", - "version": 111 + "version": 112 }, "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Kernel Load or Unload via Kexec Detected", - "sha256": "d477a1c1cf4b80c1c4b058813b66f4952e183bd224d21bd44d145c7845ff027f", - "type": "eql", - "version": 8 - } - }, "rule_name": "Kernel Load or Unload via Kexec Detected", - "sha256": "f8166b3c126f6350077c04381eff45f180452c93b70be54c18aa91ff15e512f0", + "sha256": "7da8da26b9ff5d2e6fc21fbf81654955d50f12b01b084b8ed317b600da4101b9", "type": "eql", - "version": 109 + "version": 110 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "189ef68f8b1654ea9486b7831d9a69f4b42554453426d0d7531fe7052cd96756", + "sha256": "08df10789587218a9f2aaa17d90301d660b50ac0d5a84b7d60a1348e55cbe808", "type": "threshold", - "version": 208 + "version": 209 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "rule_name": "Attempt to Disable Gatekeeper", - "sha256": "37d2ef8b050dfdece62cbbe06bc676f8199d5b4f1fddca44de9748f463a2ad80", + "sha256": "29454dcdf27a357a88b873870c65a2c94b03aef69fdb14d77eb939cef445a7f8", "type": "query", - "version": 107 + "version": 108 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { - "min_stack_version": "8.14", - 
"previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "214f871b4ac72ba8d644b997c7991d4b88cfc32320409761af37fcb8717ce0a7", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "d6cd69282faee07d4379290d7a9b450bf5743e257e64562c47f8cb180ad3e5f4", - "type": "eql", - "version": 214 - } - }, "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "449e14f8848eac71399cc23c1b6669e220569f25f071fa022f970e5fc8a87f9b", + "sha256": "090f8ba9167ae24b14a27c89a8ef99cd86f74387f9270ef155af4fcb980f5d37", "type": "eql", - "version": 315 + "version": 316 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 110, - "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "a850bf83897d0291d578f2f0ac69c11ed4288d5da688c63475e863bfc7edebc4", - "type": "eql", - "version": 13 - } - }, "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "751b70e5b7717328b4dd47712a45f968eae280094169a92ef83343b306e70e8d", + "sha256": "e7ff7a8a0e59652a631264155562ad526ef971582fb47d794a0907199a888a41", "type": "eql", - "version": 113 + "version": 114 }, "4ec47004-b34a-42e6-8003-376a123ea447": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 109, - "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", - "sha256": "26c209b252768d129ab5bccfb4006456a5cd64d7ed097dd81d513beb333d8d7e", - "type": "eql", - "version": 11 - } - }, "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", - "sha256": "f680d6c8ee7249b89249a6710ce30801b2c982cef68f015538d7cfac8430cc94", + "sha256": "c5d36bfd31370e17a590a916f51a4a55c0550b4e9dc766e216fc12993232c344", "type": "eql", - "version": 111 + "version": 112 }, 
"4ed493fc-d637-4a36-80ff-ac84937e5461": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "706691106e2a013f1cf173681567fcb4f84c44db8406ee24fd96b866d5d17888", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "dbce5c4fe73c141fb1017f8304b12ad1eef85b8956b21b7d8ab9fe9470bdf390", - "type": "eql", - "version": 213 - } - }, "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "2f2d1d989113eef4a198eec72d1cba340c3aa89886d5461b653e7969b9e4a186", + "sha256": "1e4f1735ab4a70a1a0817b7ac51448230e1fccec9211edb8c0b7957abeb6f7d2", "type": "eql", - "version": 314 + "version": 315 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Suspicious Script Object Execution", - "sha256": "d03461949ea02ae5d1a9afa32408fcc350c90751725cecedddb19bc153f58ba7", - "type": "eql", - "version": 110 - } - }, "rule_name": "Suspicious Script Object Execution", - "sha256": "21d6ca38910e536e9886d360bd1cfe63932e9d4036a7d6a26af4708806dfecdb", + "sha256": "1a29bbc93779eefb34ed6e026c3928e826b5f0ac9e404e23d1ca778371a3b88b", "type": "eql", - "version": 210 + "version": 211 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63", - "type": "query", - "version": 311 } }, "rule_name": "Unauthorized Access to an Okta Application", 
- "sha256": "d92cb4bcc5aadaea4dc0e6b7b35a1bf6e2ae910fa754432faf4dfb96696001be", + "sha256": "dc8996879685c3c43a62287b6e47c81fb0bc3241554b7c380368925cb609383d", "type": "query", - "version": 411 + "version": 412 }, "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": { "rule_name": "Kernel Unpacking Activity", - "sha256": "30f4f5ada6d77e11118ecf139bb7106bc0df3031341b3e5ce0f55fd20221aa09", + "sha256": "0b30fb21731d03c1fbb827c9416b5162cc24f48977c7cc10bfb8bbcf13e2b103", "type": "eql", - "version": 3 + "version": 4 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { - "min_stack_version": "8.13", "rule_name": "Unusual High Confidence Content Filter Blocks Detected", "sha256": "c2e729e23f37d687504d5c86cb91f01a1d9363cd489f06a54723e557f02903cd", "type": "esql", "version": 6 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Execution via TSClient Mountpoint", - "sha256": "9ff2cb9dd5ea847ba0e865edd15a145b5015f7bfd5601d9a07a3ad7c4aa13b0c", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Execution via TSClient Mountpoint", - "sha256": "b2c9ec4c6421a7af0b6c97d70741ef5f1274b2a973dde460f3469cb59b8a37d4", - "type": "eql", - "version": 214 - } - }, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "43a1d4bda6d39e5c7941b832e24b922e10f38531c3c5d2b9b8f55bdfe0b0d99d", + "sha256": "6ad4010549a9af6f6b221c82950fc589c1ef6241ae9b5e6dbb3b62c28f6d5136", "type": "eql", - "version": 315 + "version": 316 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 104, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7", "type": "threshold", "version": 6 - }, - "8.14": { - "max_allowable_version": 205, - "rule_name": "Multiple Okta User Auth Events with Same Device 
Token Hash Behind a Proxy", - "sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7", - "type": "threshold", - "version": 107 } }, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "6a554290e7a84ccbd18f8a19971e557ac7a9838d92308436ae1252d215f09d94", + "sha256": "a3263a5442429acc1b25a37202e64af66da5b895678d0e645779808cd2f8d5c7", "type": "threshold", - "version": 207 + "version": 208 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", - "sha256": "16bcc4e20cbecdeda51970a7c080df121c8c49778592fd2b3384519d93b21280", + "sha256": "d16dc8e4c8ac6bac3e9973abcd5a929f647f8d3f83cc71107759bd160f2a5b9b", "type": "new_terms", - "version": 2 + "version": 3 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Windows System Information Discovery", - "sha256": "17e4aea652e17a149717afe81d8d917e26f0dbd3d4cad9923c0e7cb71eac92e7", - "type": "eql", - "version": 9 - } - }, "rule_name": "Windows System Information Discovery", - "sha256": "3fbcb0954df0fd52c7091bdf8c13448b46dcbafa7fd29d10fba35297879b48f5", + "sha256": "cc07c6ef87665b278c50634e18c2631b46e175dd4c6fc3475082429e14f6d124", "type": "eql", - "version": 109 + "version": 110 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Hidden Files and Directories via Hidden Flag", - "sha256": "48ab779e161fbd3bfc978ec8def0e6511023cebad2f6c5874cc71cd14d2da1d4", - "type": "eql", - "version": 4 - } - }, "rule_name": "Hidden Files and Directories via Hidden Flag", - "sha256": "b33bbf177156fd682cccd98b3b5e214c494c17ac29770c3ef6e211cd2b8f26f9", + "sha256": "73f72593911a824bf9f474a0fe78b775e7b80bf0a99d3ce3921fc928d1710b49", "type": "eql", - "version": 105 + "version": 106 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { - 
"min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "13b9667f77ece11fa75c760717a7f1a7474e6cf3583c6d428b0b835bbb79c161", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 411, - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "4605f205b084980b9052a6f82ff9ace18abaddddba5a0901b25ee42d0a048865", - "type": "eql", - "version": 313 - } - }, "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "a122de466303b9918efe6f15d1a658addad361829c6bf7d515d823a75eb19a2f", + "sha256": "cce173ee31cf29971ae004c1c2afe25f410d68f58daa4be714fd8463d7b3a2d3", "type": "eql", - "version": 413 + "version": 414 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "f5a4de0b0ac06eb1a69c2cb23b7f9d7b884a576168db1d956ef9ff6144c5756d", + "sha256": "0d7760dfac795b398712304dee6bca9ac497932b8b85592b9692ddfad6d4348f", "type": "query", - "version": 207 + "version": 208 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "rule_name": "GCP Logging Sink Deletion", - "sha256": "5d8877660ac02415a7e931d15a718cadb7de72da25f5bcdc79d9fd493d4c71f5", + "sha256": "9100e2b7e720077aafa045787767ab56b8df11bd6bf78cfeb93f9780ac195e0d", "type": "query", - "version": 105 + "version": 106 }, "5188c68e-d3de-4e96-994d-9e242269446f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Service DACL Modification via sc.exe", - "sha256": "0103f881f5ee4e7c9d82ed15157325d5b5a58d4e397d6367d4da02bbf8ce0034", - "type": "eql", - "version": 4 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Service DACL Modification via sc.exe", - "sha256": "f3deede5cd5976b88fba9f4fe5814c558ca142f46001382dd888e8f1294a9892", - "type": "eql", - "version": 104 - } - }, "rule_name": "Service DACL Modification via sc.exe", - "sha256": 
"2196b597b084d5ecbb13b0b17492f36f5b84dcca3a09a280a2e2d59035ac22bb", + "sha256": "a704511861e0b96e95a8ef19eb8787d4bc4dcf4fe88beed50ea5b73834b70f9c", "type": "eql", - "version": 205 + "version": 206 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { "rule_name": "Tainted Out-Of-Tree Kernel Module Load", - "sha256": "097a5bc6720f07acfae2d20f11d9a717f1fe350cf94d7145adaa481146c184df", + "sha256": "7fd1d088c98825fcbd437ab2f437e5a12fa4d65c5d05609bf6bca73ce55d526a", "type": "query", - "version": 3 + "version": 4 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "341be9c43bad17537b54fdc7f40f8c156c772443e30caf8193c825ef8ae6e632", - "type": "eql", - "version": 109 - } - }, "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "98bc7f7c240e76cd9d3ecb1a5633fb0d68e571ceffa5569f91e5702c53b02d8f", + "sha256": "2a69c016995d4b395c45c843d21e4396954c619921a53482e5455aae0cbbdb06", "type": "eql", - "version": 209 + "version": 210 }, "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", - "sha256": "1e7bfe4a829855d26e56d29a29a24edf68130b67fb19c38c807680c99f335d69", + "sha256": "0e83a8899c7d67a1fdc5d6be2ad72adfedc9bc0a89ea04e43a6033fbbe5f76cf", "type": "eql", - "version": 8 + "version": 9 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "0d18d9439a5628f8f0339e9c968f779926c27addbf3835666f0b4312115511b5", + "sha256": "7ca243725bca36442b6c11d7e4dd0d81b7d4f4e5efd57b7af6697e61a7b244af", "type": "query", - "version": 207 + "version": 208 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "d68914fa075b88195665f82a00fa3b28e4743eed50f9e3588de8c565793841b1", + "sha256": "8d440a86669314004ff9a3b54eb5e457dff1c8755d55be05f468ecd140381235", "type": 
"eql", - "version": 115 + "version": 116 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { "rule_name": "Execution via Microsoft DotNet ClickOnce Host", - "sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7", + "sha256": "35a5484211da8f0687e9ff7a68f965172d10f4b121efc657a523ce0e9b3a1bff", "type": "eql", - "version": 1 + "version": 2 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", - "type": "eql", - "version": 109 - } - }, "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "6a3129bcebcc413938e081a72c565ac7e9a135830fc1c5c11e4c24f98d29c734", + "sha256": "d26c79e581e6b7c97bc9a3bfdd9eb71f2be54aefa50763b665dc26e578ceb752", "type": "eql", - "version": 209 + "version": 210 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "rule_name": "Unusual Linux Network Activity", - "sha256": "7705ae36b0bdaf932acba46ebafffb17e3e085213212f44314d4bcc79090bb04", + "sha256": "747f7b15c1d2c688515d08554956a34927700435bc64256160920b8f4418d82a", "type": "machine_learning", - "version": 105 + "version": 106 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", 
@@ -5270,378 +3010,193 @@ }, "530178da-92ea-43ce-94c2-8877a826783d": { "rule_name": "Suspicious CronTab Creation or Modification", - "sha256": "a4364fe5d4b4e0e056536d4580cf884b56e49248ee1f3a84812426da1bcaf590", + "sha256": "4da91c0f9c410b7faed2c4bf521d6285907973f7ac07daec0e6d871d69199e4d", "type": "eql", - "version": 108 + "version": 109 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", - "sha256": "dda8b86ee8d2dcee8026d296c9e5f313eaa3dc3d50eedfd6ae6e19c938486a92", + "sha256": "8f420db22da434ead75707fa86f3a228b1fbaa644dc99ddbf57fae4e754ed3fb", "type": "new_terms", - "version": 12 + "version": 13 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "e6c6dd49909f5672bab0d1d27d7ea1b5661d81198a9568926b30ca91064fbe16", + "sha256": "d1877077ebba4a061cf00dc8878e2c5faa1ead39b54c92750b2d172638ec5bc5", "type": "query", - "version": 207 + "version": 208 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "rule_name": "Azure Diagnostic Settings Deletion", - "sha256": "8227f6204aca346ad00f70681a540b2e14358f63b3415da0a722d3fe8c4bf796", + "sha256": "523bbd1fd0da8e73b2c3a2e7dafd4f50ffdd1996d8e853acf73e377a13db25bf", "type": "query", - "version": 103 + "version": 104 }, "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { "rule_name": "Statistical Model Detected C2 Beaconing Activity", - "sha256": "9eafe3af498b5f504346bcbb44ddacf2157ebf9f7dc56a66e0f6512ccbcaa61e", + "sha256": "c38050081677e1fef12cf5e4891774268c9f3bab0b6eec41fbc9addcc3f8ad0d", "type": "query", - "version": 7 + "version": 8 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "33313501aab3ebd4c97177b9d2f9462691e4c62a10efc4c19fc3417517abfbcf", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": 
"Suspicious PDF Reader Child Process", - "sha256": "c1564d323c28e030be7c14bef921f65cc3c1eaa43178ee7dae1db64c56d0f89b", - "type": "eql", - "version": 213 - } - }, "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "dae0c8a08f768305b1aa9ad113a02db0438a7c0d22a4aa8088f1a3568300c6a6", + "sha256": "989d656af2a7cae0a5c40f18a8ef7c375a3ab38c717901a5c03fa1e2907c3feb", "type": "eql", - "version": 314 + "version": 315 }, "53dedd83-1be7-430f-8026-363256395c8b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Binary Content Copy via Cmd.exe", - "sha256": "83eb2f905a505910e8693162369ba3f7e06a7c2f331aa002af5bb31379c6e46d", - "type": "eql", - "version": 7 - } - }, "rule_name": "Binary Content Copy via Cmd.exe", - "sha256": "9ef3f604c40a90763ae7818ac31b2169a1d0f2b10c955d5bb5df363016648099", + "sha256": "313ed3f946d625de448ea2a2558dbeef4e57f56eef87c1f33840d3024b19ef67", "type": "eql", - "version": 107 + "version": 108 }, "53ef31ea-1f8a-493b-9614-df23d8277232": { "rule_name": "Pluggable Authentication Module (PAM) Source Download", - "sha256": "af9d57399895c1474ce02d98053dee54db65bf201345fb22036a0935476ec4bc", + "sha256": "0a0b4adff81510159724184176a240c1f49915111890c72fdb528a94ecc85956", "type": "eql", - "version": 2 + "version": 3 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Uncommon Registry Persistence Change", - "sha256": "44240eefb782b212aa0e92aa499c5c53a15dd47c2d5ccd8d5bbd7e730a2ced0d", - "type": "eql", - "version": 112 - } - }, "rule_name": "Uncommon Registry Persistence Change", - "sha256": "b7dac84100da5dd86f5b3db2e97a9c0d5bbc086be021a8d71d6801723d7317ee", + "sha256": "33aff5a5dbdf40c09777323589140e2d6b3246324468ae0afea47dcd15ac4ffa", "type": "eql", - "version": 213 + "version": 214 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - 
"max_allowable_version": 107, - "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74", - "type": "query", - "version": 9 - } - }, "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "204ae09b3fad4e478789727bf76c2cd45d4b667c9a0d7a140a83d9c4d85bfe12", + "sha256": "eb43898b40f868859dc0b7dbdf1cd88220d2f8f31570ece3d3fef43b83fcde48", "type": "query", - "version": 210 + "version": 211 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Network Logon Provider Registry Modification", - "sha256": "c1d15e3f87d0c06656e38903de062e3f17bdbd3884c26fd330cb747036019545", - "type": "eql", - "version": 114 - } - }, "rule_name": "Network Logon Provider Registry Modification", - "sha256": "dccddc93820e882a05daa4e44e2f269398b302098bbe00d5c1571ffd86581be4", + "sha256": "5467332918c4a20cbac2a7d8ffe8762f3cc20bf03130f30d1249b2946966f0d7", "type": "eql", - "version": 214 + "version": 215 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "24bc059a551799ed770e0ee2992748c8016fcfa722ee640541fdedaa89f5f742", - "type": "eql", - "version": 113 - } - }, "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "b10f3813eb60fb8a4796ca8688b2974490c44a482dfe032445b15a89e06b3e21", + "sha256": "cf0c2fee3a0cd67ed59b810b60cc0548aab8b229e97754a29fecf0e91a5a96e0", "type": "eql", - "version": 213 + "version": 214 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "PsExec Network Connection", - "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", - "type": "eql", - "version": 109 - } - }, "rule_name": "PsExec Network 
Connection", - "sha256": "90e3f23709d14c16e8714247d3a94ee747ed3ba8514e76d2416f0bd1e9b650d5", + "sha256": "ebc7adabdd10f9bdb8a65c5498ea66459313865b324eb852230ce6878ae4beb4", "type": "eql", - "version": 209 + "version": 210 }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { "rule_name": "Windows Installer with Suspicious Properties", - "sha256": "312e779c5096313dd68712aec37a208169b7e7e58d9dc4a1362676776d5745c6", + "sha256": "471839bf4798d023db9ae1ee115c090513f2898049229d75a07f6a59ff5f6071", "type": "eql", - "version": 2 + "version": 3 }, "56004189-4e69-4a39-b4a9-195329d226e9": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Unusual Process Spawned by a Host", - "sha256": "20041d45b1675b29ac029036acb9a791d296507da6fc2d342c22e8ae9d37add9", - "type": "machine_learning", - "version": 8 - } - }, "rule_name": "Unusual Process Spawned by a Host", - "sha256": "3910654eec2497e6c45f9eba623296d166de75f2bf26bf5f27f652de0fe602b3", + "sha256": "5645ef43d720db2f77ca06b00e8e2b7640a5d30ce70170996434a0864e0d2663", "type": "machine_learning", - "version": 108 + "version": 109 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 103, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f", "type": "eql", "version": 5 - }, - "8.14": { - "max_allowable_version": 204, - "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f", - "type": "eql", - "version": 106 } }, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "24cd1a2e88464e024bd2f2db03af2a5c5a1557c9233a84b3fa95a40d618a5b48", + "sha256": "80cc2b25ba68f1c7b6eb7e108e7455c72ece4b63d0cfdd3775bc0a7a9995e115", "type": "eql", - "version": 207 + "version": 208 }, 
"56557cde-d923-4b88-adee-c61b3f3b5dc3": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "844fb3c0e49c833039ab4433243235fa41c2d67fe700084b9c97c8c5d547ccf1", - "type": "query", - "version": 109 - } - }, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "030111f201bee8e956cb3823673b4ed80b1ede153ea729464affed575da4b983", + "sha256": "2fa80b00741ceda859cf03dcf379557efa939fd70cc63c7c9730b802c2569352", "type": "query", - "version": 209 + "version": 210 }, "565c2b44-7a21-4818-955f-8d4737967d2e": { "rule_name": "Potential Admin Group Account Addition", - "sha256": "6f18cbdc2814670890459e8a1b80c7b8bfac998d71d67c250ffa5a3017a0a95e", + "sha256": "e06284802e2f652dade4251ee26be279b63c230144fa84d9b06a42c9c190769c", "type": "query", - "version": 207 + "version": 208 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { "rule_name": "Dumping of Keychain Content via Security Command", - "sha256": "a9bd29a0b1111a010696c79f5347c1e5e60dd3a903452b06964302229c7bfb2c", + "sha256": "4552ea472655da2f7f3de3c916d8f2e1f844b79c8a1d0023acf141251203ab08", "type": "eql", - "version": 109 + "version": 110 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", - "sha256": "50c3afa5e3c557336820b41946ef7d0889d9f7002f614b9bc7a0f6216fdb24de", + "sha256": "552064e8ccb59fea38a54063c9a12f8f45fad7326c22a8ec007af7f1f747abac", "type": "query", - "version": 105 + "version": 106 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "PowerShell PSReflect Script", - "sha256": "9075bac2c658f9cd09ae5480d64a0005ed4877f273b113b12c5c9d38098e5c35", - "type": "query", - "version": 112 - } - }, "rule_name": "PowerShell PSReflect Script", - "sha256": 
"60ce649f4376763aa71d2a2bbe3126251aafabb204c1bd51614fab34b09fccd7", + "sha256": "7d65cb772d7833f8e8d1ccfb0113c318e49be46078237b6a60503d3de0f83d50", "type": "query", - "version": 314 + "version": 315 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { "rule_name": "Execution of an Unsigned Service", - "sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9", + "sha256": "d507423d52c101f79911ac9a4d9a816e8514259a155969b5524a8c1a3ad4f7be", "type": "new_terms", - "version": 105 + "version": 106 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", - "sha256": "5ee4cc1bef3bc0cbb466f51fc238d7ea3789de02607f24d664300a4cd08147f0", + "sha256": "c9cb88e4bd0585dc8a0715f878f7680ab47572e25c022a085b4c15de1d1872ea", "type": "query", - "version": 106 + "version": 107 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "rule_name": "Credential Dumping - Detected - Elastic Endgame", - "sha256": "cef2f25973f7650fc0b3c4e6d49eb118a5216965cb85cee1568ac3a5e26bb119", + "sha256": "c7c3ab0c50a276ad16b97c50145d1b1c44b1d09b2582d5f75868b68006f33c2b", "type": "query", - "version": 104 + "version": 105 }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { - "rule_name": "Azure Virtual Network Device Modified or Deleted", - "sha256": "398d5eb8f8ee0c1a9ca69806e64a8879579ab03f3e2f5a29a66c0da240018ab2", + "rule_name": "Deprecated - Azure Virtual Network Device Modified or Deleted", + "sha256": "3bd9b9806211bae844f9347ed4eb988226cd963b3fe8cc76596faa1db1ae1d52", "type": "query", - "version": 103 + "version": 104 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "PowerShell MiniDump Script", - "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", - "type": "query", - "version": 110 - } - }, "rule_name": "PowerShell MiniDump Script", - "sha256": "0c2a7186e2aa5916c5889d9d75731f00059da7f8d8306ea8e6cc5ba810f49a4a", + "sha256": 
"1cdf89702f0697b9beab963d62baea5ad000de479006ba84cdabff818dd622dc", "type": "query", - "version": 210 + "version": 211 }, "57bccf1d-daf5-4e1a-9049-ff79b5254704": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "File Staged in Root Folder of Recycle Bin", - "sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb", - "type": "eql", - "version": 6 - } - }, "rule_name": "File Staged in Root Folder of Recycle Bin", - "sha256": "1acdc9f8e087369826ba6e49c673137f4634a9a62b94bccf201c13d8d3ce0932", + "sha256": "0395ec676101a0b65b0e8c71830e3404fb11d713df56edfac7217299d254ec8a", "type": "eql", - "version": 106 + "version": 107 }, "57bfa0a9-37c0-44d6-b724-54bf16787492": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "7d36f22f3ea3b4008813322aadd11c5d337d890ad99892df41b2e3154c755ed8", - "type": "eql", - "version": 4 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "fdd70a684195301172c2093025954070437de67b7110b4c2fd82167df76f3b5d", - "type": "eql", - "version": 104 - } - }, "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "c1df3f0030e17676949facaed1368a9f13c67cca442f5b94af0920ed85092de8", + "sha256": "3d800d25ede9e201b1eb67e28c1ca88f34e874a8e41e61c4312a523270b18d39", "type": "eql", - "version": 204 + "version": 205 }, "581add16-df76-42bb-af8e-c979bfb39a59": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "6165559b4653bf1ee1706a1331a547f918100b0ced5790793d5e5ba4d729ede0", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": 
"26274955479837e6e770a906ce9ccdae8b70df5dbfa218c458061353440320d2", - "type": "eql", - "version": 214 - } - }, "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "dbac24b6bdcc3636908b11a2fea993e83836aa3541740fc494bfcba3de51d345", + "sha256": "b966b5928c2ae3e6057e3b9055c50204a2c4e6f259216a86da3092adcaa38613", "type": "eql", - "version": 315 + "version": 316 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "RDP Enabled via Registry", - "sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "RDP Enabled via Registry", - "sha256": "ad5f6e2a7ed2a334c068a318cce1628f5eba03cc5188384b8936624810b633fa", - "type": "eql", - "version": 212 - } - }, "rule_name": "RDP Enabled via Registry", - "sha256": "8aee0c8639f2f4bee943504b9828ddebae9944ff41119c3a2b4d0fdaa1354f6c", + "sha256": "b0a1a4a3b540be5cc831e650310e36457597b79bae02bffaa3958db0f01821e0", "type": "eql", - "version": 312 + "version": 313 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", 
@@ -5651,444 +3206,255 @@ }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { "rule_name": "Potential Lateral Tool Transfer via SMB Share", - "sha256": "274d6dd045e0bf970b32a646a70634ee7ddddc23721c1271d9e33bd3da440d40", + "sha256": "4a7ecfc0acc0b3314e2cb99443265c34fbbfb0c7265c129c2b57452feb77fa24", "type": "eql", - "version": 109 + "version": 110 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", - "sha256": "c2dfdcdc1b0d76b1a905b8e67a67d188594bb8b4665a8c1750ce8e92714325af", + "sha256": "45fd6eb0302259c40b7df9278aa55cda22b3c0a5a3281f571eccc49a13c5ae11", "type": "eql", - "version": 112 + "version": 113 }, "5919988c-29e1-4908-83aa-1f087a838f63": { "rule_name": "File or Directory Deletion Command", - "sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a", + "sha256": "3814ddae55eecd6ccd1e6ded92e4399f2ba98fc0ec0163476933a69aa6f7e140", "type": "eql", - "version": 3 + "version": 4 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { "rule_name": "O365 Email Reported by User as Malware or Phish", - "sha256": "81b57999573c8fb4a7a366594f25ae06a0af08d40dce604d87d7a8f30dd943fa", + "sha256": "8fd6df132395f02019a63751ff8b5f3326db07419de64b7ca6451c1c2646bc5a", "type": "query", - "version": 207 + "version": 208 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "rule_name": "AWS CloudTrail Log Created", - "sha256": "57e2816be37db7fe8b97b74d890f5f1c173f9f98635f900fc0a239d93de116f9", + "sha256": "983d0a5e4ac01af8b12347c79b4947ce5b9060a519135345b017b3e0b6a9a04b", "type": "query", - "version": 208 + "version": 209 }, "59756272-1998-4b8c-be14-e287035c4d10": { "rule_name": "Unusual Linux User Discovery Activity", - "sha256": "62cd203498ed5ec9c26690e7c2c202cf2cdb234c9be6a775889f5d2458744366", + "sha256": "3d694be2eaff2d6e3996bee8bf38811d409e34d92d79716a331b706e601ae02f", "type": "machine_learning", - "version": 106 + "version": 107 }, "59bf26c2-bcbe-11ef-a215-f661ea17fbce": { "rule_name": "AWS S3 Unauthenticated Bucket 
Access by Rare Source", - "sha256": "c65dca5d2ab212399ddf5f197ae8f6b71543e67dc4c506edba0250e81a48ba75", + "sha256": "bb3edb6baa2522b16071a08dea8797cd6ed90448ce2cab7815409a8741e8d789", "type": "new_terms", - "version": 2 + "version": 3 }, "5a138e2e-aec3-4240-9843-56825d0bc569": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "IPv4/IPv6 Forwarding Activity", - "sha256": "8662d51b058ba0aaa8beb626fa104c2c7f6ee6f1970db79c6ab2615a567e699f", - "type": "eql", - "version": 2 - } - }, "rule_name": "IPv4/IPv6 Forwarding Activity", - "sha256": "8396ecbd7798a0b4e17254a7e80dffd7b731859eb3d11dbb07f51ddbfdad095e", + "sha256": "136641d922ea81b41c2d4d980f302dd943c57993c1fae9eb51d4758eded9b880", "type": "eql", - "version": 103 + "version": 104 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "195101291410db100f83b2bbb0bb45a23a5d3c84f0b3cc59e3e80543531dd5e1", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "2213291fff0bb1ba56efbcc8b9b3bbeca328b89b52cf3e419b4fb6e70936dad0", - "type": "eql", - "version": 210 - } - }, "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "0803f03287c0303a478d35d524621cf58ec5e09afe472fe968a33d05b1f8e025", + "sha256": "85533c18602ad1d1ea6c6b925d721d7ed7849d41856a90b848f7e6035eca13f8", "type": "eql", - "version": 310 + "version": 311 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { "rule_name": "Potential Reverse Shell via Java", - "sha256": "d34a8290b7fcc098f29ce0d6bb50b467f7bee1c71201258899338916a3019e66", + "sha256": "324f05ff956b4ed13cf5efe7f9c144a90d31c5965164c75200e45f4bcb0ffacb", "type": "eql", - "version": 10 + "version": 11 }, 
"5ab49127-b1b3-46e6-8a38-9e8512a2a363": { "rule_name": "ROT Encoded Python Script Execution", - "sha256": "797af136476a4575466ea7dad526fda9d5328930d8f9985a260e5e1177223225", + "sha256": "b10c9dcd5e2e0c8f11e4eeefeeb39407f7dbefa973965f6fb28e3e0e452e1c5d", "type": "eql", - "version": 2 + "version": 3 }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Potential Chroot Container Escape via Mount", - "sha256": "bf4217022061a7456c301cffe1ab6dd6d9298a3c45e206c125c42667862de6e1", - "type": "eql", - "version": 3 - } - }, "rule_name": "Potential Chroot Container Escape via Mount", - "sha256": "135b3d3e2b3be70b8da8cfd2806556b9b14bc02f669d6789237a56b36d345398", + "sha256": "8233f0d545eccf0a054d4f4a0e7e8087ab3b8f04fd3ed84fdde48735ff956d96", "type": "eql", - "version": 104 + "version": 105 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login Enabled via systemsetup Command", - "sha256": "8a9322fcb0f59a2f5ade44ab323e0b057c6019500063a9e67db93eb954461718", + "sha256": "385a13e8bb8ea7cf36a6d4e4359358e5ea0993d551cf6b7347577c755e504f3b", "type": "query", - "version": 107 + "version": 108 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "f758d94665be51996867211777d79e6aed92bf1caef03e695a48519325656443", - "type": "eql", - "version": 209 - } - }, "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "f9cda122a401560f226e7216339accbcc62094bdba84a4debe35fbdecaf48970", + "sha256": "15fdadb012518197ee92f767fd9c0ed33cec48d502fe77bf16aaae7f877f74aa", 
"type": "eql", - "version": 309 + "version": 310 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", - "sha256": "6a40d4a3eb8956f0fa86900cd0f068813b708cf72355b20a006a4ae024884b63", + "sha256": "ae2a367bd0f05bef598e93c0b67f177939693c5cf852a8d959cbac4f09c90b3d", "type": "query", - "version": 109 + "version": 110 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { "rule_name": "SUID/SGUID Enumeration Detected", - "sha256": "91750adfc2612e0725d0e74eb5c05c29dec1b7871b12e1e2ec38f409cd0f1e08", + "sha256": "2555ff07654075cd2782774bb77957e33d6baa2b407ca04f05adf0de27fcd06b", "type": "eql", - "version": 8 + "version": 9 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Suspicious which Enumeration", - "sha256": "81bdb21ca450212add8a85c321bb3987998e8f5dada389fbc8a46fa1d740581c", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious which Enumeration", - "sha256": "8c27bb4dfd65956ad41dd52d71f7c946aaf21e52ea1956d82fe54231ac8a17f1", + "sha256": "6c8c45c6688ca2ce03eea4a7273b4711f78be8463d55c615fd901c319a1a5cae", "type": "eql", - "version": 109 + "version": 110 }, "5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": { "rule_name": "Successful SSH Authentication from Unusual User", - "sha256": "40fa48cc277baa4a3bf1d1a7c0327ead2b79f87965fcfbf584cacd0e22728e2f", + "sha256": "686aa62b03ad00075ae2590784e868db541f0c68b7f036db6e601b5ee7e366fc", "type": "new_terms", - "version": 1 + "version": 2 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "rule_name": "Potential Masquerading as Browser Process", - "sha256": "54ef71a878f44875c6c8792e51f8923f0cf6fc9dec2a549fbb841a11d2161f25", + "sha256": "8aada95c6027eb049c8ef8eae925989f12a016a8c9b1c66b1245f18469260088", "type": "eql", - "version": 6 + "version": 7 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Suspicious 
PrintSpooler Service Executable File Creation", - "sha256": "35874a6b3415659603a51352ab4aafe03d8e2d816f25c4f343115687e555aa00", - "type": "new_terms", - "version": 115 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "5ca5d9dba9c3eda093b2a3b2260982c127108c3167436867c912cf29f5129f87", - "type": "new_terms", - "version": 215 - } - }, "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "4dcc839828bb5d7e479b5816322bbc8808ee054bc913c811cd9690d54c57ca6b", + "sha256": "ad3599437f6b6a09798ab143e5d2cc53345ee50743d23511022a25d828d7ccb5", "type": "new_terms", - "version": 315 + "version": 316 }, "5bda8597-69a6-4b9e-87a2-69a7c963ea83": { - "min_stack_version": "8.13", "rule_name": "Boot File Copy", - "sha256": "24d0894ed6959d5f54396c957e8dcd3de231026e473c753ef10c5c033f991857", + "sha256": "b552d2a78e113741448435258be12572c7abc86e11608544941331ecc9d13f78", "type": "eql", - "version": 2 + "version": 3 }, "5bdad1d5-5001-4a13-ae99-fa8619500f1a": { "rule_name": "Base64 Decoded Payload Piped to Interpreter", - "sha256": "505425e6327e3d05dcc6caf8246b1db4d9218e3e065c0571752e1a4d08415418", + "sha256": "9fcc2f0258d68ac025e1308b59250debf20e1032927c9e79f862548e8d877416", "type": "eql", - "version": 1 + "version": 2 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "89f33201ad4d76858ce52afe371130935c8d2f202139ea266bd17c9ac2488519", + "sha256": "b65dbc5c1b6a86fcb11fd26c0ce1715f92022815dde64b619dfa3188014a1b72", "type": "query", - "version": 207 + "version": 208 }, "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { "rule_name": "Process Capability Enumeration", - "sha256": "e030a36c06a00dbb591951c1c87280a6f2afc1b155d67ecb00fd451bd084cce6", + "sha256": "e5b326c8a0f31d672aa1c14a9ff16fd989f23fcb9a2011cb3bec13d1b792f905", "type": "eql", - "version": 5 + "version": 6 }, "5c495612-9992-49a7-afe3-0f647671fb60": { "rule_name": 
"Successful SSH Authentication from Unusual IP Address", - "sha256": "f0dcd082877a3b41e9e087c850fc3181ea1567d69e335d54002b6dea98c19574", + "sha256": "078138cd9496f1183dcdcfad3dad8c3c172a4dcc17859b64109eb9fe681cb5b4", "type": "new_terms", - "version": 1 + "version": 2 }, "5c602cba-ae00-4488-845d-24de2b6d8055": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", - "sha256": "5ae470e75de9bdbb84070a55c7cfbd9143654a72f9e9193782aea6145b12fd1e", - "type": "query", - "version": 4 - } - }, "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", - "sha256": "d4ae42e3bddc23b1b5b75d60e725076a3baf37caeae03e0794a91fa47346aa02", + "sha256": "a4945cf7c012f4d229f0adced1a4e683d95c469a694d4f0ac142ac40d9549d9b", "type": "query", - "version": 104 + "version": 105 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 112, - "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "7183be4ca315578faaa377e9a60195ad188e37db8da8a104b351536251c77267", - "type": "new_terms", - "version": 14 - } - }, "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "fbe46096710062783651447c684d4a0479eccefab66ff761ebd9bfef6428eff8", + "sha256": "32257f6514346a05dbcfecb5ab8374375d1a61bde89f35e9b543417dc9e86688", "type": "new_terms", - "version": 115 + "version": 116 }, "5c81fc9d-1eae-437f-ba07-268472967013": { "rule_name": "Segfault Detected", - "sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8", + "sha256": "364ec495241b74ef57f8c17608ee0355fab428420ec1d1f2fa6e1221e017e550", "type": "query", - "version": 1 + "version": 2 }, "5c832156-5785-4c9c-a2e7-0d80d2ba3daa": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory", - 
"sha256": "5236ec39f5b96c9f3b575a920dbd695b7473c5bafe7625e03799f60d559b28e9", - "type": "eql", - "version": 2 - } - }, "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory", - "sha256": "23f889cc4747d5ad5d505549b4301b18abb715f10d21b48a1c87dbd95cef2f29", + "sha256": "291e57801af57d2170b6267d50e11f9ba6d66956019ed39a7de7b7df55663d27", "type": "eql", - "version": 102 + "version": 103 }, "5c895b4f-9133-4e68-9e23-59902175355c": { "rule_name": "Potential Meterpreter Reverse Shell", - "sha256": "dac377b1d7e688c590f3961e984193d99e548ddf1fa5d9298d724d251cfb7b4b", + "sha256": "2eaefc547f7e0d2f831383c6c2e75cccc07d1b329a6a0b8db1eddf86ca7ce725", "type": "eql", - "version": 8 + "version": 9 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "rule_name": "Unusual Linux Process Discovery Activity", - "sha256": "6699f13d1830f5c9e67d20ffe8e3c35f4cabefe9e630339c8541bdbdff752085", + "sha256": "c2e7104a47c04957ed4c17bfda2f8b427f0abace6afc9048d1672b2d57f1b4c5", "type": "machine_learning", - "version": 105 + "version": 106 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Potential Defense Evasion via PRoot", - "sha256": "5be300eea96d7d3fff01d8e2f1ce70318e82a027159669467454f10cf243e208", - "type": "eql", - "version": 8 - } - }, "rule_name": "Potential Defense Evasion via PRoot", - "sha256": "c5995d0265ad4c7e35124856effd41c95caad3e3178a67f3c5bc6122df89e317", + "sha256": "3e22e58509ead670900ef3b2cf1ec73386d426a7124d162da4acfab1f4ba07f7", "type": "eql", - "version": 109 + "version": 110 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "881e17596c2ce4e314625942adb04235a12e70f19501ddbf53391bfe02dd03f9", - "type": "eql", - "version": 110 - } - }, "rule_name": "Outbound Scheduled Task Activity via PowerShell", 
- "sha256": "9861068f16d7c13e90230fde674392101cfe9ae5e74dbda9522097093911536f", + "sha256": "c27678790851c619276ba3a832135387bcdc13a105af478618ff8d0d2ab2e902", "type": "eql", - "version": 210 + "version": 211 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "User Added to Privileged Group", - "sha256": "70bef882918b9abe618227f6f577a2900d5d565d841c12e47a5347e679d614d3", - "type": "eql", - "version": 112 - } - }, "rule_name": "User Added to Privileged Group", - "sha256": "ed8120399b57c0837fa2a1b39a25528509b6f5683cb379f1e4fa6e37f0133c19", + "sha256": "9f46d8326f779f8f6c96f8ee4ba9b406efbe4f690c1ef2b8914e3db671c2c2b9", "type": "eql", - "version": 212 + "version": 213 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "Persistence via PowerShell profile", - "sha256": "e2a9084a8e3062415cf21a33d22098b3e31cd354006e57075af67e820641af92", - "type": "eql", - "version": 10 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Persistence via PowerShell profile", - "sha256": "0383a8c5a6705916613f80d301ca0dea35cf7ff7cb13b719320e19c6dfeaffb4", - "type": "eql", - "version": 110 - } - }, "rule_name": "Persistence via PowerShell profile", - "sha256": "0f950647d4f0916286902132be8dcaec3f65ee3132b998b43e7eeb93677cafe5", + "sha256": "1bef26641580680432e671a6677d22250fd7fb2baf3aaa774e71337baf84f4de", "type": "eql", - "version": 210 + "version": 211 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", - "sha256": "3bd77e64972d14a4d804669114ba09690953c6f7e3ecc837457651ea6a58dbf2", + "sha256": "3f05641565c9c3589cffe2565e66ee80a59e9530c03af2bfb90edaf8c0319b99", "type": "eql", - "version": 109 + "version": 110 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 
208, - "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "975967ec3e4989e05b906196e1492ea1f24ac1162211d54845e8c1f682036f71", - "type": "eql", - "version": 110 - } - }, "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "9ea148fb05f1ad8bad2d0c5e98ede34ed27187dca9e159ef7197a3c8afe8882d", + "sha256": "8d02f7b3e3cdb4a68eccb8b4902740fc4b6b6cc80e626017b623d530c15745bb", "type": "eql", - "version": 211 + "version": 212 }, "5d676480-9655-4507-adc6-4eec311efff8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Unsigned DLL loaded by DNS Service", - "sha256": "8f2d6fb941f3e9f2fe599164f806804b1b09b4c08131d79eb3e7ecaab5034c05", - "type": "eql", - "version": 4 - } - }, "rule_name": "Unsigned DLL loaded by DNS Service", - "sha256": "0e908a21b5f00f708db56a1f494aafbe52a203ae6f332d5e4e763103aa53e03d", + "sha256": "ee83db2b154abac2ba7e1c34404a432af47b527800505760197b6ab37e8ca69d", "type": "eql", - "version": 104 + "version": 105 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "rule_name": "Suspicious Automator Workflows Execution", - "sha256": "cf8318ce83d960276ef1ade7a60d590ea666e5f242ecdabd0a9a6c7daeb32e1b", + "sha256": "f2849dbc38b3e9d369abe4a4bb01628a11289f4398627beacdf643f358f0a0db", "type": "eql", - "version": 108 + "version": 109 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { "rule_name": "Google Workspace 2SV Policy Disabled", - "sha256": "e9ecfacffc915053d9856796153aa7ce7cc98c60c95d4de25a4d3f6307b6baa5", + "sha256": "a53059e3110b31779fa331e2a7c87cb90588c3d15809045eb8066157aedeb8e8", "type": "query", - "version": 107 + "version": 108 }, "5e4023e7-6357-4061-ae1c-9df33e78c674": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Memory Swap Modification", - "sha256": "d3233c88cf4a2b91daeca4e6247bb3758023b234d009f522b19223f87aeae20f", - "type": "eql", - "version": 2 - } - }, "rule_name": "Memory Swap Modification", - "sha256": 
"9b2b90fcdbd4c8d61fb415c8648a5fbb45acf0f721bc6639adae981cb9d9ce1c", + "sha256": "d38345093a1a35f661b09b2d4f917c7a6778b6ed4328fa41dafd857c375dcdf0", "type": "eql", - "version": 103 + "version": 104 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "3ebdea07f4ef0b08b17227bc1a2482fdf6678f10abcacd02c0a85dfb400a1501", + "sha256": "759c77f0b0e98e074935bac3a71acb4717c13cdb738eb3d977324da06ff19f7c", "type": "query", - "version": 207 + "version": 208 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "rule_name": "Potential PrintNightmare File Modification", 
@@ -6096,123 +3462,72 @@ "type": "eql", "version": 100 }, + "5eac16ab-6d4f-427b-9715-f33e1b745fc7": { + "min_stack_version": "8.18", + "rule_name": "Unusual Process Detected for Privileged Commands by a User", + "sha256": "9d3e18ccb4f8aedb87d784b78e778fe6efd142110e8d7813188f68db71cb1cd8", + "type": "machine_learning", + "version": 2 + }, "5f0234fd-7f21-42af-8391-511d5fd11d5c": { - "min_stack_version": "8.13", "rule_name": "AWS S3 Bucket Enumeration or Brute Force", "sha256": "e65db1e4cf78b27ce4ca6092bbbb6900c749dbda0d96ee608ec1954757cb9862", "type": "esql", "version": 4 }, "5f2f463e-6997-478c-8405-fb41cc283281": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Potential File Download via a Headless Browser", - "sha256": "4d8ace1351c9ae35691f8b6021a49e99b73411ceef1141b2991a256639c06fc2", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "Potential File Download via a Headless Browser", - "sha256": "5bd523abcb57834d143196bb1efad15e311915b353c6a8159fabd756bae168b3", - "type": "eql", - "version": 103 - } - }, "rule_name": "Potential File Download via a Headless Browser", - "sha256": "8fdd339fa138d8d7b032a8bc819f24702be2d259fc4e97147f80ae3ab81d8bae", + "sha256": "38126a1ab4d00fdec05a14003e00b3b4d770f8b5e2bd2863f0ddde639fae896c", "type": "eql", - "version": 204 + "version": 205 }, "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": { "rule_name": "Docker Escape via Nsenter", - "sha256": "453ade8392dd064ac66baaea865224304bffe2e8afac34c7811e8776d5989843", + "sha256": "81f443c1c651a8a622b84f566310c318819904d1c4782ad6e6422c12e42aefa1", "type": "eql", - "version": 2 + "version": 3 }, "60884af6-f553-4a6c-af13-300047455491": { "rule_name": "Azure Command Execution on Virtual Machine", - "sha256": "75603330eba99f8199e1a118a71eca46d7c50d35b4cd605c1dfc199a15028b4b", + "sha256": "56250f67c39b58a0b9d4adccf367a6b06f68f65fbbd6bd334150a6612562fb93", "type": "query", - "version": 103 + 
"version": 104 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { "rule_name": "Azure Service Principal Addition", - "sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2", + "sha256": "01cd9e45bd5a05aea9099c67847816a2a23d7b76a986d288bc67b2cc014d3a09", "type": "query", - "version": 105 + "version": 106 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "083349bd92f7b6c0a756f5a62567cd8c5a5bc5daadf1eece6de8e8e79978a41e", + "sha256": "383588a0e9ed02bb43d50d15a099c4088d686f44341fc16205907099247d993a", "type": "query", - "version": 207 + "version": 208 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Unusual Process Network Connection", - "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", - "type": "eql", - "version": 108 - } - }, "rule_name": "Unusual Process Network Connection", - "sha256": "03650e968a078c275a50bd1b08d8a8390430cdb53c2723595bb0b572350387ee", + "sha256": "e679c2af22476b8572780f9fa6fd67aca3a9d598fbf710f4b5de686bf91aef11", "type": "eql", - "version": 208 + "version": 209 }, "61336fe6-c043-4743-ab6e-41292f439603": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "New User Added To GitHub Organization", - "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", - "type": "eql", - "version": 104 - } - }, "rule_name": "New User Added To GitHub Organization", - "sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4", + "sha256": "c109aefac08162736f1d0b056a29048580f89ee3661e69955f567d2c979d459c", "type": "eql", - "version": 204 + "version": 205 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Interactive Logon by an Unusual Process", - "sha256": 
"132f771ca6058156fbc2c515ad591010a1372d2130f37e7a4b0526d53e0d792f", - "type": "eql", - "version": 6 - } - }, "rule_name": "Interactive Logon by an Unusual Process", - "sha256": "1b2b6ec043b9c401900e0918a2fb67d9490780c167321cd5734b6bdd6147069d", + "sha256": "f47bd1cdb2e6f7e61d1df1c4a733a5dd2634244b432b27980719a82ad54a5ec8", "type": "eql", - "version": 106 + "version": 107 }, "61ac3638-40a3-44b2-855a-985636ca985e": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8", - "type": "query", - "version": 114 - } - }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "0c8aca13cd27121eb75ba5494b65fc5c53151b4d7a12f3f830916d156f260a95", + "sha256": "b258c3989f06692676a1d2dcf507b0454c6c4b7a4dab35a7fbf06c8fba260fbe", "type": "query", - "version": 316 + "version": 317 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", 
@@ -6221,174 +3536,116 @@ "version": 100 }, "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "2df55d0ae697d20c47f22d5c616f9c06bb6c4c9fbac2aebb282caa3d9f7e4e1b", - "type": "eql", - "version": 113 - } - }, "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "d6c2af1422e393b85f9523ce6397c2b4b28e15dfb8af6ee48a91d496db20160e", + "sha256": "738a82e0d7e2b90c4c2cc86d4468cb1ee62d700fd71ed7d6c9d5b8271f41008a", "type": "eql", - "version": 214 + "version": 215 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "f472608d534083bdf5f50a92951a81599a2b3dce40e413de960019aa9f7435f5", - "type": "threshold", - "version": 6 - }, "8.14": { - "max_allowable_version": 205, + "max_allowable_version": 104, "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "aee13957217142915e900a15702f1683ba54b1c488d13e92b73e3d8e866779df", "type": "threshold", - "version": 107 + "version": 7 } }, "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "12e0d0b72f404e2086dcd9c36311a6eeb68c65979ce775064dd5c6ea06953106", + "sha256": "57fa7b1a78c0c9221c6f6ee7e3460a6587dada722c790a97d2b5030e39a994c2", "type": "threshold", - "version": 208 + "version": 209 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "facf2b369187ce8da1649950be8b3e38f3c4c1ec81f490fa646827baf5d2427a", - "type": "eql", - "version": 108 - } - }, "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "2b2a1dca315b2ba3e10a64bdd41f6a67b6cb64924ac2ef44668a7ec80657d775", + "sha256": 
"a02b89ce490f772951d8d25b2d2c03461924b2bd3d40b49c156af5bea19a74e4", "type": "eql", - "version": 208 + "version": 209 }, "627374ab-7080-4e4d-8316-bef1122444af": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Private Key Searching Activity", - "sha256": "d14cd033b213dd2aa22e191e4316a3e9399efede1e2a54e6b84c28fc98e43248", - "type": "eql", - "version": 2 - } - }, "rule_name": "Private Key Searching Activity", - "sha256": "ac4b591b30cbfb1cecd4fab9a4c521aa12bf95897eab976edf79d520b5eeedfc", + "sha256": "a704c4896b6f6e960f8b9ed621ea772d85e5bba01e724a0ba88eed98b30a9ead", "type": "eql", - "version": 103 + "version": 104 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "7d8a44d4634bce7a7e5cbf983f840157836ac6945cc140dda1a4f4a3b3b0717d", - "type": "query", - "version": 112 - } - }, "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "0a9b61cf366ce557e1ff625d9c47759506bc34f141b9ebf3602cf3e96b781ef0", + "sha256": "8359664006bb4106b3b48e9ffadbffad8845d8337f6feaffd9924c692455c185", "type": "eql", - "version": 214 + "version": 215 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection", - "sha256": "3a95ccdc273d7d2af093ab0c0445370fc790147be6d43d2a2edb2b9b3cdc82e0", + "sha256": "a377a72935325989cb64821b5a77f4b0b182be65365d572c09d8408a2be20b6e", "type": "eql", - "version": 6 + "version": 7 }, "63153282-12da-415f-bad8-c60c9b36cbe3": { - "min_stack_version": "8.13", "rule_name": "Process Backgrounded by Unusual Parent", - "sha256": "208219618907f9af2a97a782d360496106265946d0d6b37aa5eb4369f2bd210a", + "sha256": "1dc6284567b86535a0b9ae52e43d907bac1d8fbefad60590e63efd2a1cce8515", "type": "new_terms", - "version": 1 + "version": 2 }, "63431796-f813-43af-820b-492ee2efec8e": { "rule_name": 
"Network Connection Initiated by SSHD Child Process", - "sha256": "886e2ce498e9e513fd0cbb827b2670aecc14f0622b71977c7d5a5bbaa36f7faa", + "sha256": "3be244371121f943af37ff324d033d1f254a292e42c239302390d38a71903363", "type": "eql", - "version": 5 + "version": 6 }, "63c05204-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", - "sha256": "53a873d39857e58ee6e4fc5b7399e895bb152e41c1ab935663837628267e4ec7", + "sha256": "6cc2b85abc856ecee47f5783a273c635645df17b12213b53ed6c3f1a8908ac56", "type": "query", - "version": 7 + "version": 8 }, "63c056a0-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Denied Service Account Request", - "sha256": "c8d9810184ef49e7246335b18a3ee60393d89ef7ce8f918026a59c34bcc38064", + "sha256": "52a2463b1d63605d364727b453247677d56b890b037ca3e9e5bc6c33ae2818f0", "type": "query", - "version": 6 + "version": 7 }, "63c057cc-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Anonymous Request Authorized", - "sha256": "17099608b9a995ff056b49ffa5be61ac5b2aa1b25812fa9ca68294450e48a050", + "sha256": "2a0daaab9bdf286454187b2a496952f4e30b2ef4e7ce3346aefd3ee02016d3c3", "type": "query", - "version": 7 + "version": 8 }, "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { "rule_name": "Sensitive Registry Hive Access via RegBack", - "sha256": "87515f0a24197442f6f6ca7b485c9863754def3667a803880b4481e5a084fdff", + "sha256": "cf9d8399e9c5bb19bf4116011edb8c7c502e5d0a3d0a9a453edc91325952fe8b", "type": "eql", - "version": 3 + "version": 4 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Network Connection via Signed Binary", - "sha256": "66192fcde84de1d9b0e809854015279f1016447b2e2de3d0f3f81aad88df91bf", - "type": "eql", - "version": 109 - } - }, "rule_name": "Network Connection via Signed Binary", - "sha256": "dbff3c36a4ce01428dd306c519a48b7816f503173ba63ff090c31c9719748cc6", + "sha256": 
"a271624352a20c656822ce6fea06ac16aae587db844fade2aa7162a89946b0e2", "type": "eql", - "version": 209 + "version": 210 }, "640f79d1-571d-4f96-a9af-1194fc8cf763": { "rule_name": "Dynamic Linker Creation or Modification", - "sha256": "14d6857ca9bf0ec373fc9399d4434a2ab8bdeb8dcf682ae5b097bdf43ba2f501", + "sha256": "2badba4c6ee2a5d53d045080729daefbbe9563d69f7f39f8bfa011949d2437f5", "type": "eql", - "version": 4 + "version": 5 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "rule_name": "Anomalous Process For a Linux Population", - "sha256": "a43d2835f72ae42b2a33840b01901aa85c4bcef91e50f5fb8d5ba647ff9bb0e7", + "sha256": "0571b544fa0c188c57a4a66ceaa2027d254a6b95c2ec70b7c1e13b67e53c8184", "type": "machine_learning", - "version": 105 + "version": 106 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "rule_name": "Modification of Safari Settings via Defaults Command", - "sha256": "83a660084e9cace9aebc80260a7b32dde9583c295a54c288ca8cd2bde4522611", + "sha256": "a52809d9c8de6114055feb73cbf0494b247f47d349d3a8cac59c90afe16ec706", "type": "query", - "version": 107 + "version": 108 }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { "rule_name": "Network Connection via Recently Compiled Executable", - "sha256": "1af56461ac06d32d603787c924153d4f2d4a4db5112a2fd3ddf2d2ecfd214686", + "sha256": "88efdea101d047055d046a4c2f4e82b5e2993fd034067d8166b31c5296a02ce5", "type": "eql", - "version": 8 + "version": 9 }, "6506c9fd-229e-4722-8f0f-69be759afd2a": { "rule_name": "Potential PrintNightmare Exploit Registry Modification", 
@@ -6397,186 +3654,118 @@ "version": 100 }, "65432f4a-e716-4cc1-ab11-931c4966da2d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "0dec5c209de4432366d522c8479caa203fc027282bbca7df21df60a9a9ff41e1", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "fae229cedfaca7b7e8f9a7e40a573cc0933889bf6fd0a9add01469c2f12bd0bd", - "type": "eql", - "version": 102 - } - }, "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "159c5871496b2240dc1edfc09db683fb7932c924589e736eb32c5a80fd21b0a7", + "sha256": "0fd8277fd13e437bef5b06ed9dc8c2c4c1e8d4e8536c37a5d15b97a2b8064380", "type": "eql", - "version": 202 + "version": 203 }, "65f9bccd-510b-40df-8263-334f03174fed": { "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "5ba81546094d936ec84995fbcb3e17bf792328c2426d692c1d219cb256fba423", + "sha256": "4194d79d7b88afd047379a3a0c32ae60ef949be5855d8c7bf4bf212641a2f01c", "type": "query", - "version": 204 + "version": 205 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "rule_name": "Attempt to Mount SMB Share via Command Line", - "sha256": "31e21bde793c13880466715c3089dbc5f61ad8f8d76e83c06f4081ca257d27d3", + "sha256": "879b82156e758ac37b39b235092ce173ea9630a0494e986ac367928295117585", "type": "eql", - "version": 109 + "version": 110 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { "rule_name": "Suspicious Termination of ESXI Process", - "sha256": "e9b5bd05f304afdfc0d3dcad377c1c58b53eff1df8f63974f81a2a09fba0819e", + "sha256": "7c35dad62bc276f36db6ac5f034f7252ee7ca4b50e0ff79f7319395c87c7a1ed", "type": "eql", - "version": 8 + "version": 9 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 103, "rule_name": "Unauthorized 
Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4", "type": "new_terms", "version": 5 - }, - "8.14": { - "max_allowable_version": 204, - "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", - "sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4", - "type": "new_terms", - "version": 106 } }, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", - "sha256": "b8bb1b1e0023c2ce2967ad5ecc17c016a9de356e9f27d2e9f33c5ba979e7801b", + "sha256": "e50d01a785d24c56f050e71a354ad6bf7852ccd41a8b6ccd6093e33134711415", "type": "new_terms", - "version": 206 + "version": 207 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "WebServer Access Logs Deleted", - "sha256": "3d41e0a751de0eefc517ae323b3602930bdfa24fbf61b7c15235e4be117511ac", - "type": "eql", - "version": 108 - } - }, "rule_name": "WebServer Access Logs Deleted", - "sha256": "c437c24eaca8d8d4b1fbd92c21ca0f8dd61115f3a64e0c02f1e23aa0e428060f", + "sha256": "5a1686bc2cc6942ae140fcf3e3bc0f91f3ab258bbb24333f809939cd1da9bcb8", "type": "eql", - "version": 208 + "version": 209 }, "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", - "sha256": "f8282a2d5173fd7e6fde9595c6efa24f5ebe48767db9981ec5a6cadffcfcf341", + "sha256": "b0994e9c256bf82f2a7078ab55a453b58fc71faa62c0a86d816dc08e4d131781", "type": "eql", - "version": 8 + "version": 9 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "676676fdba05827386bf901a05e1f8335bbe5042bc52bc54c688eb0aac55b715", + "sha256": "4d42de3a87ba4b62e9f4f96e2914f969030b34f816a9ce7a6631067ea0c049af", "type": "eql", - "version": 117 + "version": 118 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { 
- "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Linux Process Hooking via GDB", - "sha256": "d6069d2128de9e65240d1c2a03f27f397f632fbdb78102892e58b51e395c942a", - "type": "eql", - "version": 4 - } - }, "rule_name": "Linux Process Hooking via GDB", - "sha256": "6124499edac0ee53fc52e4a4b588db2d5747ae4fb3770c91307fd25814704939", + "sha256": "ac4cb8d5156cc212b1b3c5071a2f67fa640dea941eb2c22cecce2bcba1b14ba2", "type": "eql", - "version": 105 + "version": 106 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "rule_name": "Suspicious macOS MS Office Child Process", - "sha256": "e459e7757af9cf9495f5f49a390b8b7ed17f7d4152b90f74cbae4e4e70c21084", + "sha256": "747216e90616467615966da91395d0e97ccd1258e0edda5d0a9a7d24f3305963", "type": "eql", - "version": 209 + "version": 210 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 112, - "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "a2b0e85ea8b810a2ed22188f8d14303a6077c51b2edeaf8e5f5007a0c9644381", - "type": "query", - "version": 15 - } - }, "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "23fbdf47b000d9debd0a1f9c2fff328a61097abfdc687038b0f05997e55b3dca", + "sha256": "c8ba1211ab501d91fe710a8473f0ac5db715a20908234db80806feee1f85ad9e", "type": "query", - "version": 115 + "version": 116 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Modify an Okta Policy", - 
"sha256": "79a56d12f5cfae0778882f6215f3767e744601b2d0f0183fa71a191bc5d9a8c4", + "sha256": "6950bd8f7b5acdc4e6a0d84659b020683cafa75b85fc6ac9ccde53630234f7aa", "type": "query", - "version": 411 + "version": 412 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "O365 Mailbox Audit Logging Bypass", - "sha256": "f899b24ce14bb0d0e1c223537cd020b2b65c7b71ad97b87fd5359b89e6bd2e2b", + "sha256": "294e15f295063610d40cfd1e622dde973cf5c5f1611c6ab08fa5e2ff501086af", "type": "query", - "version": 207 + "version": 208 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "33e8c27c30a851ee7f9d49ed14bb20f1cfb5d370320db326fbfffb9c7b855b63", + "sha256": "0f2ad06c5cc77f391e7f55772e337bbd64cfc4afc226cd938178e6fc3324c4a4", "type": "query", - "version": 411 + "version": 412 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", @@ -6586,9 +3775,9 @@ }, "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { "rule_name": "High Number of Process Terminations", - "sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3", + "sha256": "ef3dc4ca8d694a3e195ed2c268459f97db0d14b129105b7163ad6e764e7e04bb", "type": "threshold", - "version": 112 + "version": 113 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", 
@@ -6597,154 +3786,82 @@ "version": 100 }, "6839c821-011d-43bd-bd5b-acff00257226": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Image File Execution Options Injection", - "sha256": "8107c66fd0a677b8966bf0f40409dfdac75050d7a2372a8e4ba10ce0350e6dfd", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Image File Execution Options Injection", - "sha256": "2eb29b66dbef8063acbd04479aaeb1f14fc4d5f7235afe9076fdfc86d199e837", - "type": "eql", - "version": 210 - } - }, "rule_name": "Image File Execution Options Injection", - "sha256": "bebbfc9c058cfc51931d5709b857995da179d43ad8e786073c42d4d74c29ef69", + "sha256": "c7688dd090cd661aff2eca66e51bf2059924445e3da00ba3eaad19f1c061e59f", "type": "eql", - "version": 310 + "version": 311 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "New or Modified Federation Domain", - "sha256": "0c327149e5c49e9161bd8a1ef2fb8bbe117febb4c86c9efcaab8a6dc5890205a", + "sha256": "0133c1530df620c9aede10d009ede3369cce8bcb1204b11d54a37c1a466b8eea", "type": "query", - "version": 208 + "version": 209 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 307, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd", - "type": "query", - "version": 310 } }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "e40176c9634f6d0f324b5be9bf2cfae0370f3d8fc01188d10e54e5684d5fbbaf", + "sha256": "3a219d0ce5a5da62f96d2914eb1d34ff1ba980d70a41dbcfc8b04a282000d17d", "type": "query", - "version": 410 + "version": 411 }, 
"68921d85-d0dc-48b3-865f-43291ca2c4f2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "fb1c6b89350f0562319e1eaccabc46a2a855fb936516da145a6c640de6692808", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "8ef4dbaed0d772335a6ecbc53e69cdd287bf9e163b38772bcb8865cc4488b8a5", - "type": "eql", - "version": 213 - } - }, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "78ed8e3ec78e07b57adeb31da14d9a43326b9262e57f55869c0c2faa91708238", + "sha256": "3a09700d17e19c201f0e3ba8acc141418765099deb01e591e615d4280fca7262", "type": "eql", - "version": 314 + "version": 315 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "6286d75656a1400145ea6bcf0cb02194f46a8678a76395dbace1577060570643", + "sha256": "9c9b0dcb71d009834f27304cc6cf025d237e74a08c9befa3ebda48198b0d10e6", "type": "query", - "version": 207 + "version": 208 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "a55f600e7c4e20a4be4404040ef2bc40bd6288c5aa54fc3a6d52c192f117858e", - "type": "eql", - "version": 109 - } - }, "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "c0988d5971ae4b85ecac42dfbe57eb1514ddc1c13df5f2bba07ca1f2097e2414", + "sha256": "72513a0933347d1c7e89cb1e2a706adbafbb12af6177d397f28a68f38eab5b5a", "type": "eql", - "version": 209 + "version": 210 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399", + "sha256": 
"8a32fc23531d6783c1480f82f26ae473c414bc0278a25af682ee2b2ecffed9cf", "type": "query", - "version": 209 + "version": 210 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "3f6e6dde427189d7e561da47cb689604201870715612cc80e8bc8f4247d1a7c6", - "type": "eql", - "version": 4 - } - }, "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "40a07077d685e3bd7b6fb4cd8efdaeb95c30a8b4ecd82ce33d742d4269742948", + "sha256": "17bc9998b0f70ab57d41296d94019f935a49b000f51137c1a7d7c104202a3603", "type": "eql", - "version": 104 + "version": 105 }, "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { "rule_name": "AWS RDS DB Snapshot Created", - "sha256": "972c43b3af38053965d950138537310a6389c29d66d68617fbafc87b01aa6a31", + "sha256": "cf37b596c252270ddd2a2494329499aa66e0ca8535a16193a6d9484df0e05bcd", "type": "query", - "version": 1 + "version": 2 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "88f491fbc91172a9ce530e464d3e41d098720ae427782544b68895129cdc1564", - "type": "eql", - "version": 111 - } - }, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "dd1cccfa31ef19b5a08923452387349ef94bd64771d07f0bea725ec4a9d462f8", + "sha256": "c438188cbc6457b7529595899faa1f9a2ef7b878c99167b808fcfd90fb32bd63", "type": "eql", - "version": 211 + "version": 212 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "9111baa04124fb4545052164f1f94445a22b38269c10ddf9433bccd3112f7b0b", + "sha256": "64661a308df7792c64723043449f28bd3737da218070222290ecbebd0274199e", "type": "query", - "version": 107 + "version": 108 }, "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { - "min_stack_version": 
"8.13", "rule_name": "AWS IAM User Created Access Keys For Another User", "sha256": "6f69dc6e309b86b281bd3f02594a03d86ba15d5835011a2b37a7ce21f3da291d", "type": "esql", 
@@ -6758,151 +3875,69 @@ }, "69c116bb-d86f-48b0-857d-3648511a6cac": { "rule_name": "Suspicious rc.local Error Message", - "sha256": "bd61c67f25dedf7bbc88efd6e7088a4f24faa27595c5ec46bfcbdfef30126b78", + "sha256": "be500fa31ed2e7610f2ce0178de8068eacce05c94e0a8ad90763081b5b236672", "type": "query", - "version": 3 + "version": 4 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Modification of Boot Configuration", - "sha256": "ccaafef97b4bdf8ae36b9c2337353a7b352d18f0aeb421cddbace9a8b130b15e", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Modification of Boot Configuration", - "sha256": "6d87681179c69071fef468569680dec1534f711bc8955e8b6bd0c7c1f1865e61", - "type": "eql", - "version": 211 - } - }, "rule_name": "Modification of Boot Configuration", - "sha256": "319d1711a4cf9b2d08557794a1e701ac31b3fddfd811565218a3292242b453ac", + "sha256": "c6f4d7b863441a362f028650028af15af18d0981ed99b1cd5e0977eac3d0cdad", "type": "eql", - "version": 312 + "version": 313 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "e2ba77f3b79dada7823d3ab325dc40c902b56e2272d29bc671c218bf23de24ff", + "sha256": "d60a19ee642774e337fe7e01fe60b153c7ea7410172e9f01a2bd44b682be61cc", "type": "query", - "version": 207 + "version": 208 }, "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Attempt to Disable Auditd Service", - "sha256": "f5fa9bfd7d9d2f03fb2e6f1b264a7b0f0f433bfb3953f27bed2afda53a7af098", - "type": "eql", - "version": 2 - } - }, "rule_name": "Attempt to Disable Auditd Service", - "sha256": "a21ae8ad2d9a9aa7f634479e7b2fdea05a56714d0e14c6541044895377b4f628", + "sha256": "b27ee0b532aeaf6fe5781c8e19b15537934d5d1029d478a5ca4a9d29f7454d13", "type": "eql", - "version": 102 + "version": 103 }, 
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": { "rule_name": "EC2 AMI Shared with Another Account", - "sha256": "7f27abffb5aef9aadc163768a1f49184de75aebae83c4a7addfa275d9395699a", + "sha256": "78ab77a0fbb8da89dfaed837839fb98cfd3e5e86cb400c2f774af111d5c0f268", "type": "query", - "version": 3 + "version": 4 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "5f2f1310bff01d3a4c1ca2605ab01c632f85b21d4078a06cb88c4ffeabc174ff", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "0b7fffd5409c0d916c6b441f0f6eb2c95550d8c5c9d74192d312b7ec442372ac", - "type": "eql", - "version": 211 - } - }, "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "f463a7fe6e3b83f613bbd5fe19c3341fc1281b264a8b32289a081c9e9f5748cf", + "sha256": "72d871ec67e3c3b32e2f684de33d2f752c0dea9523ff8d60673fa18c92e900d5", "type": "eql", - "version": 311 + "version": 312 }, "6aace640-e631-4870-ba8e-5fdda09325db": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "9c37ce484fd50f922517f40b9bd1a5a55b402537ccb8f7e8f0b06c3b83261bf7", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 415, - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "7c60b373a1ff43f76c7bd51cf35948ea0b81fc7b62b8615816088d88f52bd9b9", - "type": "eql", - "version": 317 - } - }, "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "28e4dd54ff6cf9610c2e7f5c8963ff1fb97cfa3c8d66f651ac36754556828b43", + "sha256": "23f0402b094673c301e72c02a64011bcde852ca02f4854bb2bc2b0001e7a3f06", "type": "eql", - "version": 418 + "version": 419 }, 
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "1c1d57466f2540ce62774922d5711359a9650bd523baf98fa3d13d5c17151881", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "7ed5babe4ccddd47a42992b6b092c794c17adfe49c0418a399fb645487d38e68", + "sha256": "2b940da99af6da5be5cec8607cd2b873d1ce6703678423d42e945d9a6462bd14", "type": "eql", - "version": 109 + "version": 110 }, "6b341d03-1d63-41ac-841a-2009c86959ca": { - "min_stack_version": "8.13", "rule_name": "Potential Port Scanning Activity from Compromised Host", - "sha256": "74d1c8ea528608283c391f89ec9ff4dde0f4b2322eaa210dd37ca0602055b311", + "sha256": "7967476aa84ae3f64d13f111ff48d8fb56543c10b1177eda3271bbeb2467aa51", "type": "esql", - "version": 1 + "version": 2 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", - "sha256": "09e49424ce202fe6c5b9e7f31510da79059a0617231c4c0022d2c1825ff55f8c", + "sha256": "ad8a5ac685928ee7eee6e85214d3d063d5e14fc094e2cc49c48078b039164ebd", "type": "new_terms", - "version": 209 + "version": 210 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "574bda4d46d48399ba9e29a6e639b33f8f103bb7c85f9e7c935581bb3c63ca37", - "type": "eql", - "version": 110 - } - }, "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "29d396b355d7151b61a62895b2862782dd3172ec6fc4a54b25fcdd98c3adb3c1", + "sha256": "443b465e9d1775bdcf67ca30ad1a296658aa22ed9e1b47d51c79f75d6832b4f0", "type": "eql", - "version": 210 + "version": 211 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { "rule_name": "Deprecated - Container Management Utility Run Inside A Container", 
@@ -6911,179 +3946,82 @@ "version": 4 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "545b3d224a0f1f8ebeb0d9f6ca6077c60c57b650d6a3daa51b4a8b30de55da39", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "1b469660f4b28888121b5610c6034c3b0a309f63debe06bd347750f423362cf6", - "type": "eql", - "version": 209 - } - }, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "7d551332f1288a1e8d53bccfab142a72143c5e61a950b05be6f4f8711ba883c5", + "sha256": "3a137af954c38f57c3553ce3f09ae32bc19b9656395d6c5e9dca32c5107088c6", "type": "eql", - "version": 309 + "version": 310 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "GitHub Repo Created", - "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", - "type": "eql", - "version": 104 - } - }, "rule_name": "GitHub Repo Created", - "sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126", + "sha256": "5f261d172d93059e4468c7b97f125cea4677fd6f21ecde0a3cafe70576fe1ddb", "type": "eql", - "version": 204 + "version": 205 }, "6cf17149-a8e3-44ec-9ec9-fdc8535547a1": { "rule_name": "Suspicious Outlook Child Process", - "sha256": "ccbb9744b4a8108d543d3dfed5c57e1c0ef457154ba3e50c9637f165f3345b7b", + "sha256": "e0bc727265268ef46ee066f8367ccd21b8719e47d6777ca2a4008e1a661682d2", "type": "eql", - "version": 1 + "version": 2 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Unusual Process For a Windows Host", - "sha256": "a84737464ef6658f7587d12e88f77356e079d797986616813ffb6be47e2abaa0", - 
"type": "machine_learning", - "version": 112 - } - }, "rule_name": "Unusual Process For a Windows Host", - "sha256": "557a4432fcdb67fea0e8dd2558d19664cf507405b6db1317a0c399e9808e851d", + "sha256": "067e60e3529f76d85ec6ba2424a1fa84b62ceb591133efedcd7d4ac82dcc82ae", "type": "machine_learning", - "version": 212 + "version": 213 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "rule_name": "Potential Privilege Escalation via CVE-2023-4911", - "sha256": "731a803c9a47cb0804d071217c48070afb14657b649da32fe8e6b1c19f24731f", + "sha256": "01afe621c7329469abd4feaa917adb2d5d0a5eaf0ff11b9d2c8ae2fe807b7a80", "type": "eql", - "version": 6 + "version": 7 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Root Certificate Installation", - "sha256": "f8f51e4211d34c59185c437d929b82051162d84c2c026d0a311fd0d6f40f2099", - "type": "eql", - "version": 3 - } - }, "rule_name": "Root Certificate Installation", - "sha256": "f253848012c90e8fdcf02df03d40dbb169248ea5c7555e85d439610392aa81ee", + "sha256": "54f7b6e9f92e4eeb503f11986ef9213fdc49dfbc0d6f7c11c86c27c15321e21a", "type": "eql", - "version": 103 + "version": 104 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", - "sha256": "3e70cb8e8c6dafe24f60de10cdfcbe05df8d323ef0caf42790714990ebee78c0", - "type": "new_terms", - "version": 9 - } - }, "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", - "sha256": "5c822663f4adb4fbe774488dea9f1151737198a06f47eee9a57d3a0cb174fc52", + "sha256": "5e7c8abb091c2d0efea8248769d91217b27d7251c4eabd94800d3eaa077c1432", "type": "new_terms", - "version": 109 + "version": 110 }, "6e2355cc-c60a-4d92-a80c-e54a45ad2400": { "rule_name": "Loadable Kernel Module Configuration File Creation", - "sha256": 
"55651a72478c93e332ffd43ceed7bb57e098fd6549e20ff56ce66ede80a49a75", + "sha256": "4daa9b29985cd56c2946128b6b01d78e4ff1a4479b4c86c1b2c27d6f6607a7da", "type": "eql", - "version": 2 + "version": 3 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Anomalous Process For a Windows Population", - "sha256": "aa536cbc660cc56dffc7bd3cbb4098aacc6c96df9edb4d4dbe8f33414448b4d3", - "type": "machine_learning", - "version": 109 - } - }, "rule_name": "Anomalous Process For a Windows Population", - "sha256": "f51d97afdd1733e5fc284af1e741adc641483e82eab7f5fefd10f0447b2654d8", + "sha256": "fbcff6f8e5ef92b8b55c4140588b47b25447ec0dbc49f02591a2dde565e95fd4", "type": "machine_learning", - "version": 209 + "version": 210 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "AdminSDHolder Backdoor", - "sha256": "43aaf38f234d7186a1f9dca4f91a364e5afa675e3cade497946daf63f3b20ada", - "type": "query", - "version": 112 - } - }, "rule_name": "AdminSDHolder Backdoor", - "sha256": "6e6ec5cdbeea619a81df6a042f482c3b30c3e7c536872c640acea2464572e55d", + "sha256": "dae2c4e84e6a787a8e90de99d987e659ae7c8cfb794000bf19edb400a9b441b1", "type": "query", - "version": 212 + "version": 213 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "b756d838cee35d2d74c87c1eb59757651ef01aea7dbb08271cf1d89133465583", + "sha256": "77271ff5eba5d2daaed091b8bca1b8bfae28621a3e5466ed5cf3111c5e3aea77", "type": "eql", - "version": 209 + "version": 210 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "736e277394bca054547364d6d99541019679fc36129d52d20115c635cea06701", - "type": "eql", - "version": 110 - } 
- }, "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "8c0b8e6ae4907a14420c8dc8d06917470f29f360f9604118f6220115e981bef3", + "sha256": "d940200e0c151d91a754fb7828b3c5f481bfc7aa7d4816db02ea228444c20771", "type": "eql", - "version": 210 + "version": 211 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Security Software Discovery using WMIC", - "sha256": "6d179ca370610d0b32e8d97afeb4610e7efea1ad82eefdd0c4d5eeca33d29549", - "type": "eql", - "version": 115 - } - }, "rule_name": "Security Software Discovery using WMIC", - "sha256": "1eabbe231f6dd025a57eddc91f5f0ab86ba82b348af4ccf02cfd3cd114f7a38b", + "sha256": "e7d70f9ac91f599137dcc428f75ff33d330d18402c3bf351dc6c9bee16707568", "type": "eql", - "version": 215 + "version": 216 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", 
@@ -7092,36 +4030,16 @@ "version": 100 }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "eb944b67560451bef538d988be2f0fcfd42f4a6dce1a2f67fc23ef34d93692e8", - "type": "eql", - "version": 8 - } - }, "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "a1f2cd2fc7257d7c204df51ffec3d086f341240896b38551b8acc005408ce357", + "sha256": "8ccf39f93ec5c4c2d2ed235f1f7854085ae2fcf0720454fdab2cfb000eca2153", "type": "eql", - "version": 109 + "version": 110 }, "6f024bde-7085-489b-8250-5957efdf1caf": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "525d8781dc9e163d70a8889b89be269f79c5df5c44403c7e5d713b19ce001c82", - "type": "eql", - "version": 4 - } - }, "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "0bf67b434c4aa3cd9d1f354605959c5e1dffd1040f5cfa17fe20664cb2be546c", + "sha256": "aaa6f00ffebf544af41202e0da877415c7b77ebdc9c62414788576d527a794fa", "type": "eql", - "version": 104 + "version": 105 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", 
@@ -7132,31 +4050,24 @@ "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 103, "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8", "type": "new_terms", "version": 5 - }, - "8.14": { - "max_allowable_version": 204, - "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8", - "type": "new_terms", - "version": 106 } }, "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "0168ef278b5ef3a471dd2b3d744d6a2a4c8e112b32f5c1af1e5c6c82a07c9a54", + "sha256": "88b4b80ac12410a09500e544f1721f0bf6143c67a3625d651883e0fabe8400d7", "type": "new_terms", - "version": 207 + "version": 208 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", - "sha256": "6de799b5422ffa174ed80888e29825c58384f7591ac7fadce324ff2fdce2a998", + "sha256": "ca1e6a558605d764fdbf4e8db980533bc0e6dc82331708022fd6938aabc0fddf", "type": "query", - "version": 206 + "version": 207 }, "6f683345-bb10-47a7-86a7-71e9c24fb358": { "rule_name": "Linux Restricted Shell Breakout via the find command", 
@@ -7164,117 +4075,86 @@ "type": "eql", "version": 100 }, + "6fb2280a-d91a-4e64-a97e-1332284d9391": { + "min_stack_version": "8.18", + "rule_name": "Spike in Special Privilege Use Events", + "sha256": "1eafe02f326e050fcc3f03f011397846e626e0936e3415961b6da6be1f9b98b3", + "type": "machine_learning", + "version": 2 + }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "b2f7ce631f07fd56f2182a2d89e94a7b72a8f17e0957f25048b089de04c78dec", + "sha256": "0653484a9b2dfdcfd1436976861c2b7e03abad4c2c81865604a8305028992666", "type": "query", - "version": 210 + "version": 211 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "rule_name": "AWS Config Resource Deletion", - "sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f", + "sha256": "615ac11b076ba9cdc9fdc4d7582d013a3835c852641e645f0ac25f3a991fb873", "type": "query", - "version": 209 + "version": 210 }, "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Suspicious Execution via MSIEXEC", - "sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious Execution via MSIEXEC", - "sha256": "ebca825d8f82f3442cf31f625828e5423889ecb4f613cd0a3a06c3e0ca9cd8a4", + "sha256": "e4fb276aff88c49e206d19472c720f5ee7ec8450150bb56f3470180c7d879362", "type": "eql", - "version": 103 + "version": 104 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "fe89abe29a8070ab4e00e31a6d1cafde62515321d21198ba780381a9cc87d9b5", + "sha256": "b9a6524804cf6d5732f4e9867f3247154b624d69175e7bf9ddee57f47e84a4e4", "type": "eql", - "version": 110 + "version": 111 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "sha256": 
"6d5f8124605ee8d89f23173accb268a0822ca4c9d19c6ee69a82b72a054b8c85", + "sha256": "d2634582e51b0855cbeeaa74c2dcc13599e2c9c8299f2ab08b4c2bf501fc5c5f", "type": "query", - "version": 107 + "version": 108 }, "7164081a-3930-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", - "sha256": "cc0ed08e75b10ef23c81e0eaaeaa4a105adead987b36e625e56b5d3fd95293af", + "sha256": "281303ece12ff1f4370db8c2a5a0354994d27dddd2b9dd52cdb5fd5d744e7541", "type": "query", - "version": 6 + "version": 7 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "11a00101c170955ef44f1ca300cced85620dfde179c9eed8484b753c960993b4", + "sha256": "ca02ffd0866a193feb0f2d36e4482955164efdf5c901159d836201aea415ce37", "type": "new_terms", - "version": 210 + "version": 211 }, "71bccb61-e19b-452f-b104-79a60e546a95": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 214, - "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "021ab9fdaf96cad949b46c2810f09637e27d34d4870bb4544afe5e33d4fcc8fa", - "type": "eql", - "version": 116 - }, - "8.13": { - "max_allowable_version": 314, - "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "b28951fe4ef7053b478f08929474a4220e85d70c52a9d83f2779447c8b6a5cfd", - "type": "eql", - "version": 216 - } - }, "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "25b753cd927ee68be264ce3804a09298ae399947fa04077161f80d8f6db87aec", + "sha256": "8914c872080f13e7226e7ae7a230ad551ed66cf086101a3c78eff82aeebd7243", "type": "eql", - "version": 316 + "version": 317 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "4465fa5b7551e881e3e5b66b1cfae96e4f8459191b87e2266b1fc1998c26d690", - "type": "eql", - "version": 111 - } - }, 
"rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "d39c0a65fabb51bbd9bbf21cda120d03b4b1891934c8d8298addd7d3585b1ccb", + "sha256": "fe807016f29322ec6db7ac1712a14b6a26382f83fd36351d350e3fb756aea7fc", "type": "eql", - "version": 211 + "version": 212 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { "rule_name": "Suspicious Passwd File Event Action", - "sha256": "609588d90dbd2835f5c9b04e8df9212c06789c253c51493efddb47a5ca0cc201", + "sha256": "6c277c7b478310c94b082e48579702ed2e95c29e43be7a7f417da3a33ae0f06d", "type": "eql", - "version": 5 + "version": 6 }, "71de53ea-ff3b-11ee-b572-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", - "sha256": "53f2d959afe1859d602b087186c2f25fd816ce59109d230336260a9d4c9c2985", + "sha256": "33768b68f40233990a2c708781ee94008a3911f0b3f008d8cc90654023c96856", "type": "query", - "version": 3 + "version": 4 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "eeedb6e75b8369f569e27869c6d1cfcc66b89f71b4869f6357e49a43538c980e", + "sha256": "b29502d819c200e2a97d893a7c8e9c33905d216f511e60c9c7a7c32bedbd6e07", "type": "query", - "version": 207 + "version": 208 }, "725a048a-88c5-4fc7-8677-a44fc0031822": { - "min_stack_version": "8.13", "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", "sha256": "f61560b78b79c873453bce1b3947231b6df1c967d0f2a49efefd56bbfb7bfc59", "type": "esql", 
@@ -7283,25 +4163,18 @@ "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "9a377a031cd4fb9cb9842837169396944442098d99de7fb295b107e286c332f6", + "sha256": "59c79dedfd242d711586bff0124ee2064cefcdd1dd91a6829ae259f94d6c06cc", "type": "query", - "version": 411 + "version": 412 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", 
@@ -7316,310 +4189,197 @@ "version": 3 }, "730ed57d-ae0f-444f-af50-78708b57edd5": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "172c7bb001f289281c519a30ba17e66fad2c3a149e5493bc5d33d6253730f818", - "type": "eql", - "version": 5 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "3c672bb24b9e07004c8a40ebed60ab266f23360a5ff613994eb639fc5d98b97a", - "type": "eql", - "version": 105 - } - }, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "06f872b67e1eb6c769298d8362435abcb5d3cbec2d6484e626e95d8d0eebaa6e", + "sha256": "e62d404bc72c4824ece19d8511b0774af5e3f8d76ee8ef1b2f3928574cc900e6", "type": "eql", - "version": 205 + "version": 206 }, "7318affb-bfe8-4d50-a425-f617833be160": { "rule_name": "Potential Execution of rc.local Script", - "sha256": "b962ad63b2d98409b515c4dd3a06e95db517c9a7d1b13f171924c19dbaab563e", + "sha256": "c7b49a33aa48409ad6c0424ce6e0c390794bd4a8179469dcdbdb112ea343e424", "type": "eql", - "version": 3 + "version": 4 }, "734239fe-eda8-48c0-bca8-9e3dafd81a88": { "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent", - "sha256": "be9bce91fdc93b4d4d344a66eeafad8e5ea7f5d9bd1b0fdea2aed5b7ba6844a8", + "sha256": "ff6883e922b3e8602e4f79eb77b1c57579dea418d7fb478a15a902fac384da02", "type": "eql", - "version": 3 + "version": 4 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "491014d84ab03e206e7acd9755d0269b2830a9b3f9c44913c29682c433c740a6", - "type": "eql", - "version": 113 - } - }, "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "46384078f361759cefe252f2ab0c88a0782b3c678d19dbdf8f572efaf67b2044", + "sha256": 
"a30cefb24486c640f76ce19fc5ed7ded0f5c44ffd5c244797ef0fb908e20f63c", "type": "eql", - "version": 213 + "version": 214 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent", - "sha256": "44bbbdabf96190f26bace4b98f5c51ae42d1a21d7d1da27237875fa98e94a949", + "sha256": "d6aa1db723855233d67d799745af6f2ec942893699c7f7e61d2cdbe1d58350ca", "type": "query", - "version": 207 + "version": 208 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "rule_name": "Unusual Hour for a User to Logon", - "sha256": "a93547b576fb979d332fb9489f405cbc02bb2c196fed5cc175539deb931873a6", + "sha256": "b7dd9aaefda9d2db53abacafba3673397331abaf4429d8e497e3bab7a04a828f", "type": "machine_learning", - "version": 105 + "version": 106 }, "746edc4c-c54c-49c6-97a1-651223819448": { "rule_name": "Unusual DNS Activity", - "sha256": "181dc50d849f55bfcf9764f49f182fed0798673d7fa5fbf72be7656432884240", + "sha256": "96d1f6a34b0dd173e5d4a1d1610f7e0366e5002b73037aefd0398b409f826444", "type": "machine_learning", - "version": 105 + "version": 106 }, "74f45152-9aee-11ef-b0a5-f661ea17fbcd": { - "min_stack_version": "8.13", "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", "sha256": "f5789d775fa4739d37c91b2704142e6834659dfa48c0b2678871113ce335b642", "type": "esql", "version": 2 }, + "751b0329-7295-4682-b9c7-4473b99add69": { + "min_stack_version": "8.18", + "rule_name": "Spike in Group Management Events", + "sha256": "b7a9902b7df34c0dc5b0d478acba14cf7bf96f1d58e0fb914651add87b448271", + "type": "machine_learning", + "version": 2 + }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "rule_name": "Suspicious Sysctl File Event", - "sha256": "d790d709f03bebac3ba27db548f318546cf856374beeabb46c5ced8ee2b2dab1", + "sha256": "3d2af2714bbbeffdb60e8adcb035569bb1838ae97167c33a6b5934c72eb45cd7", "type": "new_terms", - "version": 108 + "version": 109 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { "rule_name": "Service Disabled via Registry Modification", - 
"sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a", + "sha256": "839f6fa871a9122d800994ec195a366a033dc1c47d0c2faa230c053dedb9ff3b", "type": "eql", - "version": 3 + "version": 4 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "rule_name": "Web Application Suspicious Activity: Unauthorized Method", - "sha256": "35c6e99bb87ba74e8ad015a7294177cb02da7be90c3c3eaeafcfc7be552d06f8", + "sha256": "ed79288161fc61c0493229d4ef61581b57961151497197cb9dfeba0fef3ceaa5", "type": "query", - "version": 103 + "version": 104 }, "76152ca1-71d0-4003-9e37-0983e12832da": { "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "6af358d3be4d9bb00ef30bfd0dbcf86a28d3137bb9860f1f4798f16b397ca98e", + "sha256": "5893d3b6d416bbaea60c835f5d985bd58e8c620090ecdf205311b2f6d9a38094", "type": "query", - "version": 105 + "version": 106 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": "e909dade063ff13866c5e0f93e3c21f803087e12ab2fec4064af1a3dfa872729", + "sha256": "64ded02369fba876838cac0481196c8d9cc8904ed20dd83810c02a4a1a37d1bd", "type": "query", - "version": 205 + "version": 206 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 111, - "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "4d4b321e49dadb001df32d6acd71103bd41b71124f92b855ea4335c99dfa105a", - "type": "eql", - "version": 14 - } - }, "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "a481e442047e2b0adc22745dfd2fcc05baaec9637cbbde9e2dc5b3b8f7eb0c67", + "sha256": "559eea3e8bea40d9b1a53f5ab721f08f67be0d8f066a2208764ef0b2a916e267", "type": "eql", - "version": 114 + "version": 115 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Creation of Hidden Shared Object File", - "sha256": 
"d821f3e5a0bf1e2dedce1bdaf15fe58785f4e47e81a99103fd0c35cb62e5fbf2", - "type": "eql", - "version": 111 - } - }, "rule_name": "Creation of Hidden Shared Object File", - "sha256": "1a48028da247ad699969d0714a5b03ca294e28d99adad7b3fb9ada639aca982c", + "sha256": "e851da1e870b04fd2e2c93ba8968480d6a6da72d7d7ab2a2732906f0d54c7d30", "type": "eql", - "version": 212 + "version": 213 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "d7ae7c609b2c09df86e03eb23c9f3d9c19a114f3e9e69d99121828e0555ea7ff", - "type": "eql", - "version": 107 - } - }, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "e1e295f294c6b07c1e080468d6318856c5ebf7271e5bac171df35c63b4086c15", + "sha256": "d8a0de297ed381f899d76b9479ecbf599ed174dcda4a43bed0f713e033a659e0", "type": "eql", - "version": 208 + "version": 209 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "rule_name": "Potential Reverse Shell via Suspicious Child Process", - "sha256": "6a73b9f5864bb0ea366a745a9af576e7bfaf493b276693b044f5b5cd267ea68f", + "sha256": "e9164d9a3addb3121e4ca5d90bc89ea5138f38563f245bce1d756e8051b04859", "type": "eql", - "version": 11 + "version": 12 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "bb7f0c41faf746a3298480bfc47800f229539f64b5ce87b3bf40574b2c3dca0a", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 413, - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "55e82b40384974580c7b1d4cba55767c941680a4032a373ba1346ff812d0eb3f", - "type": "eql", - "version": 316 - } - }, "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "7b98f60a9095e9ab2e48250d69832e4648e68f34c1d3245986714e9962af987c", + 
"sha256": "1e265cb3a45623a266be2849268ae6a90d41b760463bda4ac9d402bf37bac25c", "type": "eql", - "version": 417 + "version": 418 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "e5462ca4e56f7f3ff1144cc8980d76abdfa350e122d9e02fdbc203194900825b", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "fa3eab2d298379b76f9013f4e96b00f215f422400565f4e592daaa3453aec8ed", - "type": "eql", - "version": 215 - } - }, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "92e73275ccad86dd30136bc621226630dc7342e41bd2362a9687ce807ef9be5d", + "sha256": "4506bec2fba03b7e296d1cfe622cf4ae6361b0775c5266a28bd97b9f9e39639d", "type": "eql", - "version": 316 + "version": 317 }, "77122db4-5876-4127-b91b-6c179eb21f88": { - "min_stack_version": "8.13", "rule_name": "Potential Malware-Driven SSH Brute Force Attempt", - "sha256": "4afa072ed68e90305237cd0f8aa0ab67f7a60db42826cb74af1abf9bc161cfa2", + "sha256": "f45a4831bf232979f639aa281d66aa6c24296bd62c195d82ac33e60c0ed90396", "type": "esql", - "version": 1 + "version": 2 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "User Added as Owner for Azure Application", - "sha256": "ade0c6d9a4d9740cdb0024f7c02cc8b73775f63d9be285e4692d87bf29938f72", + "sha256": "85be635560cafa457b1b92fb43bb67f146eeca918a20a0227edd8b82a29ab9b2", "type": "query", - "version": 103 + "version": 104 }, "7787362c-90ff-4b1a-b313-8808b1020e64": { "rule_name": "UID Elevation from Previously Unknown Executable", - "sha256": "4c034f3a9c42c12be6b1a00041754822d517d75f23ddab914c20222cab8ebc8b", + "sha256": "50df0d37e6852de027590a950bb1fa6705582e113fff2c947ca6e46c6f05f1ba", "type": "new_terms", - "version": 5 + "version": 6 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "rule_name": "Adversary Behavior - 
Detected - Elastic Endgame", - "sha256": "11fdb1469f92140db4557f4b11369477cd9bf511578238a7b6db0f4a8535243f", + "sha256": "e51927f3ba4b177d5d468bb2d7ca79af15177de99cc468aff4c790fe8b29fd75", "type": "query", - "version": 105 + "version": 106 }, "781f8746-2180-4691-890c-4c96d11ca91d": { "rule_name": "Potential Network Sweep Detected", - "sha256": "8a5ac1cfde0137bfe0b77af8bf27366b13743380010886e1e856396bd10d0f3a", + "sha256": "304b4dd7a272d0668180f4e04c1ac07542af3a8d74a2e9209df0d02489344094", "type": "threshold", - "version": 11 + "version": 12 }, "78390eb5-c838-4c1d-8240-69dd7397cfb7": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Yum/DNF Plugin Status Discovery", - "sha256": "edc1dcf2de6b0222d78f62e7eac490f5069a3917f49022d78a3b84b59739ac14", - "type": "eql", - "version": 3 - } - }, "rule_name": "Yum/DNF Plugin Status Discovery", - "sha256": "b945c19be36ede477ceb6eb65ff7fa6d2271d7458820139d0bdd9ad8b8633143", + "sha256": "4dcc373ce46e6b39ab94875a341d6f3ba50f71ab86d16ead977d9515477b2b5b", "type": "eql", - "version": 104 + "version": 105 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", - "sha256": "7872d9e397306a241598eb6172a75adc0608f3f529798a8639c1e86810735b47", + "sha256": "5114c722228fa0043eeb7be5ce1cf9bfe74bee67a796189a304f9cb09bcbcc6b", "type": "query", - "version": 206 + "version": 207 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "rule_name": "Azure Privilege Identity Management Role Modified", - "sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e", + "sha256": "2ec23393e932080ccff2a71dcb2212fe759113e95a5446562b90cfd235f53b70", "type": "query", - "version": 105 + "version": 106 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", - "sha256": "fdab7511f64935faf0bd44cb14c5924f678aa613944ed7ac1d07240a12cd401e", + "sha256": "167ba5dd0652fbf7c01a401852ad561451add0357eb344a5baba7ee059b1c853", 
"type": "machine_learning", - "version": 209 + "version": 210 }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "beba3270fb78600264fbe41ac386fb2d7c7f6877563ed96e2b7ca2778bbd1b7f", - "type": "eql", - "version": 5 - }, - "8.13": { - "max_allowable_version": 304, - "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "29f77275c99c2a00e8878dc18a7448e25ad430cce3bdf957ce1ae1307622ea8a", - "type": "eql", - "version": 208 - } - }, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "efd692c82b20a2d4682c25d2683573ec65e8729402445a561baac25768ee5d1a", + "sha256": "6db14fdf08ce5642e4ad011eb87a15c07d9cb7977ca6294949d675861217cf75", "type": "eql", - "version": 309 + "version": 310 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", - "sha256": "72e26fad3c7116c755452d191ead805897c3c1d5c1bb5f815f437911da14931d", + "sha256": "c1ff4cc264a50ddd4081404f96f7dc5f0000709fc09b92873a78187eb5e275a9", "type": "eql", - "version": 4 + "version": 5 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "rule_name": "Unsigned DLL Loaded by Svchost", - "sha256": "74064ff365e610605f23b1e89523fbb13694d5231cd3738b21ab8cf30c6d0e2c", + "sha256": "93e49af9c27b1d60bb9225751fe8b8c3885792d6917cfdc1cf3a3a4883a72e40", "type": "eql", - "version": 8 + "version": 9 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { "rule_name": "File Compressed or Archived into Common Format by Unsigned Process", 
@@ -7629,83 +4389,46 @@ }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", - "sha256": "26a1c9c9ec61e57e11380743c01f25a54a74cb7f580dde50a1a6d9d43e4f537e", + "sha256": "c1456f2ae5cff29eaeb0cce0f377e6c29d60c08dceb6ef0afc098d386f09202b", "type": "query", - "version": 104 + "version": 105 }, "79543b00-28a5-4461-81ac-644c4dc4012f": { "min_stack_version": "8.15", "rule_name": "Execution of a Downloaded Windows Script", - "sha256": "20eefdd9ff8232ef3a1fa07f945114c672d29e8d82279caa606c62c8b01eece7", + "sha256": "9230aff8470d6cf4f90ca1386ed2eda9416b1028b41d3e3b69304f8d26829e19", "type": "eql", - "version": 3 + "version": 4 }, "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "SSL Certificate Deletion", - "sha256": "7c7dddf409d27c4336808578a23adad99b63a0ffdc3ca7a3651f429905241271", - "type": "eql", - "version": 2 - } - }, "rule_name": "SSL Certificate Deletion", - "sha256": "7e7cc3077f9f831c4c0bf8d8d0cbdb3ab9244f904d9ecc9698a4a1790edb925d", + "sha256": "32617e4dff0abf7061ff3d2b4d12500a685f83056e066c6a47f25ab6d30b326d", "type": "eql", - "version": 102 + "version": 103 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "rule_name": "Potential Masquerading as System32 Executable", - "sha256": "649ff4b679f9f2b569f73ad7717ac48ba0bc93da34b650a7bca46243274b37c2", + "sha256": "9c936fca43aca7ccb50bd035d2791f6f70a214b7617b0a294eb1b151c4739574", "type": "eql", - "version": 5 + "version": 6 }, "79e7291f-9e3b-4a4b-9823-800daa89c8f9": { "rule_name": "Linux User Account Credential Modification", - "sha256": "5a7f10051702f5e7d5df4a9ef87c46469937ea744d94bdaafe32fc0a69a892ee", + "sha256": "3d5457a1e1848fa29d34ba094ffe10fe7c5cc76fe9d30413212320b7d5e6fa34", "type": "eql", - "version": 1 + "version": 2 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "Potential File 
Transfer via Certreq", - "sha256": "c1f7d50618580187b015a4aadd76a9e484eb5bb8ce8143e052cb8118a678c4d1", - "type": "eql", - "version": 11 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Potential File Transfer via Certreq", - "sha256": "11dc705c82fee3ada817dbe4ff1e934ddeb2ba159d164dbb5a0048d92bc04d6b", - "type": "eql", - "version": 111 - } - }, "rule_name": "Potential File Transfer via Certreq", - "sha256": "0622888a853c207510e5f9385fd4b78d4d47616cd4c3bc8b7fdb9e5bbd0260b3", + "sha256": "bfad2d109380cdd48c204972f334d2b5baf646e4258ebe335ba4f5734c384a4e", "type": "eql", - "version": 212 + "version": 213 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "42853b04a39893088bdb0ebf5c479305c2f34e5352c3ccfa65ef5146efc6e8a4", - "type": "query", - "version": 113 - } - }, "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "af8023c96394cc43f92cf51e13e0cacc0d93158f5241c62ad651a238d3c617c1", + "sha256": "aea6103c649566b86d760206b4068e6ae6fd79b7089c4263a54b78acb8b5dc98", "type": "query", - "version": 214 + "version": 215 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", 
@@ -7715,21 +4438,21 @@ }, "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": { "rule_name": "First Occurrence of STS GetFederationToken Request by User", - "sha256": "3e8f2ecf0b50b7db1d4294ac9f9a788f8bf8790151183901e7829cca9aea5f20", + "sha256": "08b3d81be405a8875a182e5712ae452f2544b88406a0ae4f500ab95d599fed83", "type": "new_terms", - "version": 2 + "version": 3 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "rule_name": "Potential Privilege Escalation through Writable Docker Socket", - "sha256": "820246c1236dd2cdd3601e1dd0c74c5f936f40ed580c2ac2884e7170b3df6d97", + "sha256": "bec75e8c0b3603e490940cd351016ebe62d5642cd2cf65154c4b95ac771296ca", "type": "eql", - "version": 7 + "version": 8 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { "rule_name": "Potential Execution via XZBackdoor", - "sha256": "f4ad3bfdce432ca539259b7d6fb645dbb26546156be5e35d397775fdb01408ba", + "sha256": "4fdefe2e1839f69559f9d5081c8716707b114961d7206f04b561f4f79885bf74", "type": "eql", - "version": 6 + "version": 7 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", 
@@ -7739,30 +4462,20 @@ }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "1ba40cb9f4c5c384f4d6b52a76eab02c45e14d33eb930cccf3fb1c329c7455f2", + "sha256": "11de4d3f24aecd5be0810b17a9d812f9a561e27988545248c3dd3177f1a83ff7", "type": "query", - "version": 207 + "version": 208 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Windows Network Enumeration", - "sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486", - "type": "eql", - "version": 114 - } - }, "rule_name": "Windows Network Enumeration", - "sha256": "344dca0a521891ded14c0fa6218e8d742b0d0c478d220c1433bf97273df3b42f", + "sha256": "6038a61b09d7ab5ae63c953af4d8f31d39a85a371b645b56e3e483c6acb1e662", "type": "eql", - "version": 214 + "version": 215 }, "7b981906-86b7-4544-8033-c30ec6eb45fc": { "min_stack_version": "8.16", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 100, "rule_name": "SELinux Configuration Creation or Renaming", "sha256": "7b361ea07b92064cb854e35573c5988af529ce6fb75a264cdd27ff53b0963e28", 
@@ -7771,71 +4484,51 @@ } }, "rule_name": "SELinux Configuration Creation or Renaming", - "sha256": "5760c0ff5525a18ed54b21f9e5b8b7b19658ed8831398454d1df210be1bbe591", + "sha256": "0902da6be66888532d94492f7ee2b1d7342d177fe1e885f8aa7542bfef4090b7", "type": "eql", - "version": 102 + "version": 103 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 307, - "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "9abb27e289a572393ecc8c26044e5a71196cc1d77d152f84fbee7138251de7de", - "type": "eql", - "version": 209 - } - }, "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "bb2e07eec501f5e296c694526b219607dca9e18bad1a4d862fd1cab9bac5fe08", + "sha256": "5186f9c952436a5f0bb6aacaf8f7c08b2976f1c005090f582fec7c0076c7164a", "type": "eql", - "version": 309 + "version": 310 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Tampering of Shell Command-Line History", - "sha256": "886f6f210debfa8b2263107d6bb45787db17443c3f09f62bb792e44159dfdcd0", + "sha256": "d1fe9beb9ebec174ce52924ed1b92faa800b8807d35fcde8cd2396ebbfdaa7cf", "type": "eql", - "version": 108 + "version": 109 }, "7c2e1297-7664-42bc-af11-6d5d35220b6b": { "rule_name": "APT Package Manager Configuration File Creation", - "sha256": "5640fd704ed05c227cd8de85371a84f00b0f3086b3a976bd99359b15b0b4d4ea", + "sha256": "1360c941fad7af1801c29e638ae840a9c2c4e580b1fa0b1e562d81acaaa978c1", "type": "eql", - "version": 5 + "version": 6 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "rule_name": "Google Workspace Bitlocker Setting Disabled", - "sha256": "0f41d71ccff8430c3787790e46370c3451a3a92f2faa9b03993b8fba38aee32c", + "sha256": "29c432e2d1993b5efa3dfee20d7c2db770a3835d45a40f704bf323de6a761714", "type": "query", - "version": 107 + "version": 108 }, "7ce5e1c7-6a49-45e6-a101-0720d185667f": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Git Hook Child Process", - 
"sha256": "cbfd0389fa0ca95a4de245b02e374ee3f3a3981798ed207f5f5ceff7808d654b", - "type": "eql", - "version": 3 - } - }, "rule_name": "Git Hook Child Process", - "sha256": "3aeeab0a9f9e1baa8c36a0d3aca397ac0be75278ca1a51b60022819bf9ea8cde", + "sha256": "4e2958b093677ff51eaee56bae58af7d9fe3d0cd2fe7b1ca102b43b57bb03641", "type": "eql", - "version": 103 + "version": 104 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", - "sha256": "30dc79af79c7ffd88c47ce8902032f7d4088dcc82f73f4da0070e14257270520", + "sha256": "4b20eeaa2284d852cf288f367b2f230f725faddd11d3406d2714351a10daccf0", "type": "query", - "version": 105 + "version": 106 }, "7d091a76-0737-11ef-8469-f661ea17fbcc": { "rule_name": "AWS Lambda Layer Added to Existing Function", - "sha256": "1382999f7d36996f9608126c6608707d9d695dcd3298755443448a1d81c27ead", + "sha256": "57022ea1da2b0446eb5c7b6e7cb3ef945bfe0f3232722b6a2f9366463f82e078", "type": "query", - "version": 3 + "version": 4 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", 
@@ -7844,204 +4537,118 @@ "version": 100 }, "7df3cb8b-5c0c-4228-b772-bb6cd619053c": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "SSH Key Generated via ssh-keygen", - "sha256": "7841db675589b43a0132206eb7b239ca46f3ac97ad9193dcf04937159707d691", - "type": "eql", - "version": 4 - } - }, "rule_name": "SSH Key Generated via ssh-keygen", - "sha256": "5a08a86502f4db05eca4b25e854f8f9be1f852325a962075dea70815aacf6764", + "sha256": "00eb92066eb1b732c6da3bae74c73476af5253c9270617a9d09721d9ff939299", "type": "eql", - "version": 104 + "version": 105 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { "rule_name": "Suspicious Kworker UID Elevation", - "sha256": "b8c749e5ff7bf1d9f8abc6fb1344b7c34c95ed51c530c12986e3176da636d219", + "sha256": "d0fe3507f4ca2f87635d859a9f09da368cec3feea4269bcfadd9efdab60c1ce5", "type": "eql", - "version": 4 + "version": 5 }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "1cc5185969e04329ea04aa4bf8d5d1e3a8d47fa9e0ac1f47e3012111ef6c91be", - "type": "eql", - "version": 6 - }, - "8.13": { - "max_allowable_version": 304, - "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "72222c6f6a422dc7edd2b2143a7b80819949cb1356894fe018a138774633fee6", - "type": "eql", - "version": 208 - } - }, "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "1932d2c6a7574c3d3dcd32ba76e9193f88aa77d2be7e5591e0616b44a0172290", + "sha256": "ab7715f7413eee47a81f46fd1d8561666e98e2ac9f4e582b28bbb96481793f15", "type": "eql", - "version": 309 + "version": 310 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { - "min_stack_version": "8.14", "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", - "sha256": "e03b56ad3cc6e1d81845996b6bf137225573011b20ba352bde3cfbb18e4479f6", + "sha256": 
"6960188a6838e14ab0f61e0d8aca58f24b622db04e734c79f45d25cf7082abee", "type": "eql", - "version": 1 + "version": 2 }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Security File Access via Common Utilities", - "sha256": "46ed777838914f516739b0d329e16d62457fc60aedd877440c7cc4022d7ed059", - "type": "eql", - "version": 2 - } - }, "rule_name": "Security File Access via Common Utilities", - "sha256": "6ba9893d93ba8852cad33b67e46d3ffda3bb3282cf04264efb77ba683e837231", + "sha256": "6a261351693f2910d304c01c16404bcf245cce50bd7b2fc16db067d603229705", "type": "eql", - "version": 103 + "version": 104 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "1fcee1562ccb772f6a7729303e250ead257201a219aa8ffee182b66f784076d3", - "type": "eql", - "version": 110 - } - }, "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "a12e4767a30ca28c3ddc986cf3c77848cd65ddfce15fd96b7577dab2afff5122", + "sha256": "25326e4f5b59c32132e016015d5368e0009bd966467c2377e9d6c6bd0704b49f", "type": "eql", - "version": 210 + "version": 211 }, "7f65f984-5642-4291-a0a0-2bbefce4c617": { "rule_name": "Python Path File (pth) Creation", - "sha256": "3e310759ffae8dd92e3b462c5c57e748a44ffeabbadd2510eda16addf05c84c7", + "sha256": "a3dfb342b3a65658c9ccb56614c06b0d4a681d7a2fad12ae5d2b1e73c453b0c0", "type": "eql", - "version": 1 + "version": 2 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { "rule_name": "Discovery of Internet Capabilities via Built-in Tools", - "sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee", + "sha256": "087c0baee54995f4817d418eaf12e40aed48a6c1489cff2097589e685ae3936e", "type": "new_terms", - "version": 102 + "version": 103 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "rule_name": "Systemd Timer Created", - "sha256": 
"d28a5fbf12cd038860603dad3a3f927b893dc2a624963063025cbec73932a4e9", + "sha256": "82e10a4a6bac1753ba174c80bfd5a8e994361af1ab0bbba59d1283a50e198707", "type": "eql", - "version": 16 + "version": 17 }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { - "min_stack_version": "8.13", "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", - "sha256": "c074c4066439731cdb1ca074f41712d8139ba7383e854e9990c3f5fef99a6a9e", + "sha256": "2b48ff4f4ca95dc0932903ccf91fa825967498fd03466dca90f7da56b6c11cee", "type": "esql", - "version": 4 + "version": 5 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "1cb7f1b40b2b92807f7a8f322a6510de21f99c502327d83b1d2f5865b494e36a", + "sha256": "57d4491fae853593003a39a34775596a99944046c1b5bbee0021f997071f58eb", "type": "new_terms", - "version": 107 + "version": 108 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { "rule_name": "Unusual Process Extension", - "sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a", + "sha256": "c4c7b35892175b1ea159f8b8be6770aaf3b8dd4f6f5893647dd4ca4e6b83a57d", "type": "eql", - "version": 4 + "version": 5 }, "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "1106414c1ef42b911e2c96ae0a545a86614b9a568aa9742419c22b0a71a0e879", - "type": "query", - "version": 4 - } - }, "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "f81754824afd09978cc7c486a795db468b2056bf7fad5883848582f85a47c031", + "sha256": "30b8ce25ea87f15dcf022a6645ac8027e2345d580dae994eb2acd48d58c4c848", "type": "query", - "version": 105 + "version": 106 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { "rule_name": "SSM Session Started to EC2 Instance", - "sha256": "d0cfe0f7d2abfcd56dc76d693aba0e8ff89281385360ae75a90446721d5e85c3", + "sha256": "fd40b61bf6b4907f2a991f2c693116fb79417da2e7a87d5fb8fec41434892781", "type": 
"new_terms", - "version": 2 + "version": 3 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", - "sha256": "f3e0f53c321d7760c971547d90245085ba16e37bb4a6cbbb16a17e495f180f1d", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", - "sha256": "cd00aafb325b718b74940c08fcc167b018b79db66f6d2ecb94b54f5fd3a55d1d", + "sha256": "f40275bbd5c9de4ff3e18f669408bcaac80b362c4c45af2c7cdc29e950f892a7", "type": "eql", - "version": 105 + "version": 106 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", - "sha256": "89302a4ee46c254ece373ba0f594ea3ca2cc108b88e04a312fe1372645a60fe2", + "sha256": "df9afa3a2b87fde182c347d474373bf5d7593dfef33ffb3fafb1c304d023d73f", "type": "machine_learning", - "version": 209 + "version": 210 }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", - "sha256": "e29105d1b78b1286a5636c653ea518672e193131ac622f0f3ee2de7f1d5e5528", + "sha256": "3d170371447ea0ae70919136a26912497111be7f8e2587724e3d9187e4608f77", "type": "query", - "version": 104 + "version": 105 }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { "rule_name": "Unusual Remote File Extension", - "sha256": "f79f2ede08c18655e62fd70d2fdd42a914f43a74abd5019f7356324fbcd96f92", + "sha256": "c50ae4bd7123f127cf196ea89207ea06d5d57cec07e2e45975639cc67ab042a8", "type": "machine_learning", - "version": 5 + "version": 6 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "PowerShell Script Block Logging 
Disabled", - "sha256": "fc4ff95d31809bdc72563ba4251142cb5a33e5239d3cb64a0b877a31f6ba05d4", - "type": "eql", - "version": 210 - } - }, "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "79d56380a744abb989063bf3baad2ba31b19b1d7ceb2de2be8234bf921051f81", + "sha256": "14bd3d2b8fbe92a7cdc2797d6c3758500f627da32cf00ea2013aa7edbd3b55a5", "type": "eql", - "version": 310 + "version": 311 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", 
@@ -8050,67 +4657,46 @@ "version": 100 }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "efc3d78e44e73f61be6817f00d4df5af584ce5e02e96ca5fb45a45d84d771116", - "type": "query", - "version": 113 - } - }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "446a5437935aff86d9b2c78df79189e0201a991a36436313898a59f7706245e6", + "sha256": "204836ecf090141a7ce6f22427cafcd072819be35558c18e9a57ac38aad60eb6", "type": "query", - "version": 315 + "version": 316 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "f3147338285b65e5fc2727bb5e244417230a438c509b93732c76fc659df7a77e", - "type": "eql", - "version": 10 - } - }, "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "4e4089ee80c9f3fe5c661058d288082e4d02074f2e92640bf2a14b63fdec41a8", + "sha256": "3860e39b905280b24b9ef60f00c3721e5c06e0fb47399462885ac26ffa7ea956", "type": "eql", - "version": 110 + "version": 111 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "2f5d6142cc013635d4920ad40fbfb096e1071868dd0938460579946ebaa120b8", + "sha256": "7d7667ba59b9c301afebf1b3cb3e1ea6afeb26dffb350949dde55de93490daa5", "type": "eql", - "version": 209 + "version": 210 }, "82f842c2-7c36-438c-b562-5afe54ab11f4": { "rule_name": "Suspicious Path Invocation from Command Line", - "sha256": "c728415c613b2f36c5c323bb7c97a17891786e1986c6e4c9ea1b69e3d1500099", + "sha256": "02907aafba1faec5a22cc7b29979c38a9e8852e0522fe85eab86ff6b1757f9c8", "type": "new_terms", - "version": 2 + "version": 3 }, "834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": { - "min_stack_version": "8.13", "rule_name": "Manual Dracut Execution", - "sha256": 
"dbd9afc54fc7a771ed98faffa779d382c2b1962cedf84ec2dd45606550e37857", + "sha256": "c523faf1e2bf19eb5583982820e9dfc0d542a66c608a9c9d26b3e067594920fb", "type": "eql", - "version": 3 + "version": 4 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "04a9b7b77bc56377bc4686132f269a31dfa92ec833decf61aeb4cee3277ae5d6", + "sha256": "1d083b3e9c0d4729d76becc5b9c35bd63b06ce34c8d1231cb9aca96b9091dd3f", "type": "eql", - "version": 9 + "version": 10 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "rule_name": "Azure Kubernetes Pods Deleted", - "sha256": "b04ed2cc0d2afeab9a1e5ce21f7ffe90acbd75940c93166660e2d41abaa39070", + "sha256": "780c553e131f3efd3e7f8f4f5bae752918db0a7a8dcadd8a5d60b253e0f81191", "type": "query", - "version": 103 + "version": 104 }, "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { "rule_name": "Linux Restricted Shell Breakout via the mysql command", 
@@ -8119,147 +4705,88 @@ "version": 100 }, "83bf249e-4348-47ba-9741-1202a09556ad": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "d97f88a21e5ef203f235aaa22174e05b7a3af6d503f8955c63fbad955ab56a5b", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "d452c13b253efe39545cb5208cb8dcc730eec15c3cf732e06e875f95f930d0a7", - "type": "eql", - "version": 103 - } - }, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "bcd9044616fb4c41c855119819ab2ed72243d4d248199226a9d6287def186883", + "sha256": "8d32414e17b60480401cde9e5641a08a4879461ce3a99ad077cbd55c592406d1", "type": "eql", - "version": 204 + "version": 205 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "6662212297b3975808144113e634d7165b30280989ae8729d7cd570603f52193", - "type": "eql", - "version": 10 - } - }, "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "549c19f864332988b6fb45817a74e1dab49339388224f5b36cdaf30d80d21bda", + "sha256": "a7718f54232363448d1e8ce1154fb5be10937c5e77273eaddc2c624c684d8735", "type": "eql", - "version": 111 + "version": 112 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role", - "sha256": "01513b5293f4ae3276aacd57b67b38b4957f57cb9447cfc9e4f4e580411b6677", + "sha256": "b637272fe03f96e017bdc06e73f45d6ded605eb115092cac29ad1df05a36f219", "type": "new_terms", - "version": 4 + "version": 5 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Microsoft Exchange Transport Agent Install Script", - "sha256": 
"6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", - "type": "query", - "version": 7 - } - }, "rule_name": "Microsoft Exchange Transport Agent Install Script", - "sha256": "20a8c64cf10a599a57a3f2adcde2cd11f433b594347d5f01e75ddc591af6b8cb", + "sha256": "0e4a0d1b1267db6de31046c4110ad9f3a234e98b3b8c8e4788ecd7152c14452d", "type": "query", - "version": 107 + "version": 108 }, "84755a05-78c8-4430-8681-89cd6c857d71": { "rule_name": "At Job Created or Modified", - "sha256": "b00d2ec654af8f1f110f648f4094160b9ef9e812d8eb7980b94e0879c40ad211", + "sha256": "3706ec2e66b25b792ae3b733db12df64acd74928b26924b84549ec2ef23e2807", "type": "eql", - "version": 3 + "version": 4 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Potential Upgrade of Non-interactive Shell", - "sha256": "5add5265cea65ff564e6f374b8d963ea6af326fbed8d8d0b3ad11829c55033e6", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential Upgrade of Non-interactive Shell", - "sha256": "559158e7c30d5871bbf29e70aef9a1d8def80199a6ab18a0f76d1363c713891c", + "sha256": "140969a34362916a883624269ed764399050254896cbada4f7f9ccb375b0b299", "type": "eql", - "version": 105 + "version": 106 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "ed8b2a515385353dbfff6d484b45000dd49af48e2b5abc8e44406fa955d7225e", - "type": "eql", - "version": 114 - } - }, "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "0aeabad8b6360ffeb8fa1b4e1f3b623d7b0ade5cde31301f7321c1463ec7fa9c", + "sha256": "edf42ed07ded615a3a46f30d30d60fa586248e7c52cb50d2eb9ce86524ae8a9e", "type": "eql", - "version": 215 + "version": 216 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "rule_name": "Potential Remote Credential Access via Registry", - "sha256": 
"a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32", + "sha256": "f5407d42946533acfbb89d76c769e45a45c0ce41f7ec6b56a3d23ba0ecbbdd0c", "type": "eql", - "version": 111 + "version": 112 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "361cf289449891a5a01a599005a112612693f0528651e2fd44fd291e2fcf9481", + "sha256": "ac46232cd8a07f592efe7c70698c277912d411706305744115ab22d393758ed3", "type": "new_terms", - "version": 211 + "version": 212 }, "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { - "min_stack_version": "8.13", "rule_name": "Potential Subnet Scanning Activity from Compromised Host", - "sha256": "3ca0053a517e206cbd88cae6c14ed9398b99f6ee5021cef8d89c40b9a66ba4f8", + "sha256": "6cff007db5728eb2fa39503c634e1ec87b3fe96f1c6c546c006ff8f19db4dee5", "type": "esql", - "version": 1 + "version": 2 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "8c5a7758239101b15cc23eb4fb35a783f8e692ad99783c3801a074cdcd98e637", + "sha256": "4dc7cf22fd4e2eb84f6fd206ad36b4ba60d5b1a1d8c539c37a77e4a60738a39d", "type": "query", - "version": 207 + "version": 208 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "rule_name": "AWS RDS Security Group Deletion", - "sha256": "03916533d138f82d6ba43073f971d26e8c8fc154a5722bfb56b1bec42cb8f26f", + "sha256": "695166b21481758a661706d6bb714f7bf41f23d7f08967b0c5eef7eb041ab8da", "type": "query", - "version": 207 + "version": 208 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "rule_name": "AWS IAM Group Deletion", - "sha256": "aee9d293bce7b42db112f783b52ca95f4c163851cb39f56542873a0caeb9f9af", + "sha256": "9825bb01f3241f6ac0aebdbc9eb43635073a874c0c1e278046aa47aeaca177da", "type": "query", - "version": 207 + "version": 208 }, "86aa8579-1526-4dff-97cd-3635eb0e0545": { - "min_stack_version": "8.13", "rule_name": "NetworkManager Dispatcher Script Creation", - "sha256": "183f75eab447dce4523d4f25e514acf26cfbdf05b137fd5a3fd9eb1b968d86ee", + 
"sha256": "f903ceb4dda2f336616823d20e50e202419cac9bfa5db9e8afc47a657099add3", "type": "eql", - "version": 2 + "version": 3 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { "rule_name": "Potential Linux Reverse Connection through Port Knocking", @@ -8269,37 +4796,27 @@ }, "870aecc0-cea4-4110-af3f-e02e9b373655": { "rule_name": "Security Software Discovery via Grep", - "sha256": "d4773a9bd42acb66239348d5fe61bd9512fb95f50634dfbfaa1c8f42820b2b78", + "sha256": "fa11500ca8e13a38f7d2124cc026cc19f4ffe978a306c701649dbea953f8e33b", "type": "eql", - "version": 110 + "version": 111 }, "871ea072-1b71-4def-b016-6278b505138d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Enumeration of Administrator Accounts", - "sha256": "f8c272cacf74e41908905fbe517ec45ff817e7a6f81d7a2cc3997687c84ad708", - "type": "eql", - "version": 115 - } - }, "rule_name": "Enumeration of Administrator Accounts", - "sha256": "b50e5bd6eb867aa0c8f17a52fb8f577cdd31f5d5f75f4be9e1d462d4222d22e5", + "sha256": "9f6e228cf8f124d276d6d929c5e92310d193825381fa65dc597850cacf1b2cd3", "type": "eql", - "version": 216 + "version": 217 }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", - "sha256": "d1b4160bab5ee676bf3eab50efcb4bff6b9ca03017813d404ac83b5d429c6e77", + "sha256": "6bf9122ffed23311d0f4795c988cff5e5c854721c891c00a074621d9baf3d59b", "type": "query", - "version": 3 + "version": 4 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "5cb776ec175c443858372adf34644ecc3edc4f4123ab3f91796ab08fa8d0d162", + "sha256": "a613710349ff1d084ae7070da260f7d30841bc61d2895c8c353ff06a9d5cb04c", "type": "query", - "version": 207 + "version": 208 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", 
@@ -8309,66 +4826,45 @@ }, "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { "rule_name": "Linux Clipboard Activity Detected", - "sha256": "ca936e7322accdce60e6973d70b3e164506cb6fb04d87bbe28ee8f64c9eecff5", + "sha256": "d4b606516727e2779324cd41aeb9dad7e278700008ccfaeab6ca5e37c7a18a5a", "type": "new_terms", - "version": 6 + "version": 7 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "23ada8e36279e7e1d4e063b07f108194166709b11de778959bc24e7eff2a55c4", + "sha256": "38491f25fd85e2a9e6048987c53e587c6f8d8066f51cd6bc79308090df6acf48", "type": "query", - "version": 207 + "version": 208 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "8ac86f893c189972849c3353f5d53331a7a306c28b6f10c8bec469d634c86757", + "sha256": "4068b19fe7f360ec2bef8ccf67fb7e68cb5eb35527af0a15d7d3772034f3f12a", "type": "eql", - "version": 110 + "version": 111 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { "rule_name": "Potential Sudo Hijacking", - "sha256": "67beebb88fd866d0c58a2785de107b2bf8f925d18bbbdd790906734f21a39f7b", + "sha256": "90b72d8c701b10ef3de66af28431567e8e4477cdf260c26ed742f9daaf42047b", "type": "eql", - "version": 108 + "version": 109 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "8809aba8865764ab7fa1c657c37778c6657378dc4f2cfb4c6127be5e794149ed", - "type": "eql", - "version": 109 - } - }, "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "53a213d8996a7876b24f56a45cbd4b7f95f660de24ee6058b95deef9899d84c9", + "sha256": "9447123a8ce16d65128ff84905c2fd90fc68822ecfd54e1cf46db3104fc3dd31", "type": "eql", - "version": 209 + "version": 210 }, "894326d2-56c0-4342-b553-4abfaf421b5b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - 
"rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "e247d1c92d0054f5c3a3d6aa1d7d50053e63ec57610f92bf623e1c665d5fef72", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "097ecbe7691d20f9769066582286b7b4cf5089fcc6870e7167267a94faf759d8", + "sha256": "aed24b791d5423d77d9536cb51f7b9c08dcfd3f51ab23f72066f11b19cc2e4c9", "type": "eql", - "version": 105 + "version": 106 }, "894b7cc9-040b-427c-aca5-36b40d3667bf": { - "min_stack_version": "8.13", "rule_name": "Unusual File Creation by Web Server", - "sha256": "8cae8e72cd21c891b3a56fb7489a1dd3047402b91600b8407a06bd207d353617", + "sha256": "732a93ab6d6daa1086a63da134d506495a3cadea1735cb440c16b783d825a918", "type": "esql", - "version": 1 + "version": 2 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", 
@@ -8377,139 +4873,84 @@ "version": 100 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "7120f5e967222b6743edb0bc495b3453b4d26dc1f63088bff68607f6220e8b59", - "type": "eql", - "version": 111 - } - }, "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "14dc4752088817761b090bd9e818c960db21258c4ce1aff3ce6e86dbe199d127", + "sha256": "4725b483d6e67ccf641c9f663db165031a69e6e893157adfe4156da5a175d9c1", "type": "eql", - "version": 211 + "version": 212 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Command Prompt Network Connection", - "sha256": "95c1cb5499a597411e4e3b7103680f9d8fb49cf5fc8cb6f354b9483142545adc", - "type": "eql", - "version": 109 - } - }, "rule_name": "Command Prompt Network Connection", - "sha256": "f36e46aabd03a9e82d6e55f6c98dcd0a0f0ae620cd00b0ba0f21e7518a759e2d", + "sha256": "eb1483881589c4c843b93ecd9c5fdcdd72da99e3c5ff968763eb7d06c9b2aa1a", "type": "eql", - "version": 209 + "version": 210 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "4eeb21145663f19873a7b259f2aedd9a858885571f911ca166304d52bf4a49d0", + "sha256": "dc64810b135b8a11de3cc4b6bc24b02a35e0ed34e775b6b5ddf207c556d277f4", "type": "query", - "version": 107 + "version": 108 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "rule_name": "Suspicious Symbolic Link Created", - "sha256": "01e31da74d8f38ddf237a4320f398fef3afaf986bbf7a614926c91d52717f21a", + "sha256": "780a3e06d58a2868f159b6864474a64288a824822df7a3bc9879930ced1ee193", "type": "eql", - "version": 8 + "version": 9 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 105, "rule_name": "Potential Okta MFA Bombing via 
Push Notifications", "sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a", "type": "eql", "version": 7 - }, - "8.14": { - "max_allowable_version": 206, - "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a", - "type": "eql", - "version": 108 } }, "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "d84240158ef05b04877fc81e2d2f50edb882cd77a53b137f7598c54e84ca5879", + "sha256": "95fb79b2b06097ba835e7dfbe9887ee507ce3e85d6d128c1e0709969d43b53f2", "type": "eql", - "version": 208 + "version": 209 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "GitHub PAT Access Revoked", - "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4", - "type": "eql", - "version": 104 - } - }, "rule_name": "GitHub PAT Access Revoked", - "sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5", + "sha256": "8a3478a230e32f84e1fb760252ec2c432637fecf6725b8fbc9b42235e18e82db", "type": "eql", - "version": 204 + "version": 205 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", - "sha256": "79396b5a9e555f97305570bb4e88f328ca55471768c325f8cbfdec62e20c30e5", + "sha256": "a29965c488b35962be8692c73778a5245cefbee2ba37307889c9098eb1adca46", "type": "eql", - "version": 106 + "version": 107 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "cd861b1c03ef17e10978c9c1e342be58e0362cd9eef31c85cb7b40568cf5fa52", - "type": "eql", - "version": 109 - } - }, "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "ddcebc2310acf9c6471b9345d63edcd418123b3e163cca09175bc75defd47755", + "sha256": 
"9a5d09bf9a470a0d5eaeae1fd7ac463771a28cbb36dbd781c0ff1d346b14f01b", "type": "eql", - "version": 209 + "version": 210 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "47bcd8271a1bc8780152afe19fa834ab97946e9cba47bcb65d819e92b6625fba", + "sha256": "426e0c59d207e407c04c445d9c2f45a5eda151130a48bafb2d4f770394196bb3", "type": "query", - "version": 411 + "version": 412 }, "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": { - "min_stack_version": "8.13", "rule_name": "Unusual Command Execution from Web Server Parent", - "sha256": "2eb13bc908da7bb2301a0f62d0860956cb7aa1d99d970bbb6e6d6b32dfc428ca", + "sha256": "03f56b09a89aa6f20191897a7615dd8d4d56f49fa89d6eec7c97af44e87cff7e", "type": "esql", - "version": 1 + "version": 2 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", 
@@ -8518,131 +4959,77 @@ "version": 209 }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "2753a4670d4217cc050e838bf5a7f4843db23df0caa83fc1017d346297e4922f", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "f2b61c3ff7a9e998f71f19335af6dfe69db48ae9d7098fcf270a3dc44ec4fb48", + "sha256": "5cbe8414697eafe8668ced1dd361a8483b2dfff2bbb34a73570d5570f9035b7e", "type": "eql", - "version": 106 + "version": 107 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "79486f56c33d6afd1cec4fbf8dc404d0f0e9fc38b19572051d537f800d601ed5", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "8706ffd6a46a7cdbd2b6400c609ec39bf1f1bf833ecccf2d71a38a9316b96ccd", - "type": "eql", - "version": 210 - } - }, "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "c15790a8f71b15dd684b959f65fa22034a2fafcf821c26c0a2771f727b0c088d", + "sha256": "3ba862ecc39b1bc5a3305c400db104a657f92b3c1579e826743143756a2aeac5", "type": "eql", - "version": 310 + "version": 311 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "91cdd11fc144f89b569a54e7275f2028a431bf4b3f898c924be4ca038ed1e1db", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "10276d358882ef3da69495c0a49a1a76d8f27b5759699cd6abe910853de7d0a3", - "type": "eql", - 
"version": 211 - } - }, "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "5e8971df8497f0c448f35992264db5351dcb8c2fd6a7a53ed18fea0eec89b727", + "sha256": "71ad0cc6716e639f94a60f4fd135864e039d1e3674efb1a62561a857dd81056a", "type": "eql", - "version": 312 + "version": 313 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Events Deleted", - "sha256": "38bdbda8e1ba1c0aff2f02b3f46c2fc694a92e6a4dfc7244cc948c3e38dfc8ef", + "sha256": "7afb5ec70e44fadcd6f05962257f1756ce430ed40253d9fa9cf83c376d852720", "type": "query", - "version": 103 + "version": 104 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "084b9ec33eedc1699c7dd2f8b5c81771300c6f944ca3fe5c5cfb7039b474cf43", + "sha256": "7b0f73277fafe2a7e9460563304174104d60a5a9be23f37a3e5cffe3a5403b73", "type": "query", - "version": 105 + "version": 106 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Unusual Child Process of dns.exe", - "sha256": "911e718531c11fae196314f279f6f059a3a14dee38701be164c18c20a69be5a8", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Unusual Child Process of dns.exe", - "sha256": "684919ee328c12075a6ff89741a91ca29400e405462c9ae06ea7003439680d37", - "type": "eql", - "version": 213 - } - }, "rule_name": "Unusual Child Process of dns.exe", - "sha256": "867b10d1207fb72a4c80df7516090d981653a229fe0961a03d278b07a8e8b269", + "sha256": "8f780f6e71f099d01a9a350f50210462a3c72e8ece846715837ccf84e135ef6e", "type": "eql", - "version": 314 + "version": 315 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", - "sha256": "dd976a4b62d0afc39c2d7af53056e456bfe88f3261cde76fa6df84e4948cafd0", + "sha256": "6978be5503e498c6b5d974fe34047438d0b32373f29d1d3f087a89ecd455731e", "type": "eql", - "version": 109 + "version": 110 + }, + 
"8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": { + "min_stack_version": "8.18", + "rule_name": "Unusual Host Name for Okta Privileged Operations Detected", + "sha256": "e97adf35918df54588ba2afacde94427c96a6626eb362f042083fd429afc3847", + "type": "machine_learning", + "version": 2 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", - "sha256": "cf387e78a1d52b36974bd4933ef7d56730af702385f9a128c2d39cdbfe1334e7", + "sha256": "2011f6739abbd03c4369c3fa7727c0657b1f67a5333d12dd0d202ebdee66f918", "type": "query", - "version": 104 + "version": 105 }, "8cb84371-d053-4f4f-bce0-c74990e28f28": { "rule_name": "Potential Successful SSH Brute Force Attack", - "sha256": "fb77d08bdc9f8ec6a12b4b74458cdc27ffcecee0c8497e4268cd82cc72685eef", + "sha256": "222d9f4f866f8205bdefa82e21a7e75345545d48eca0e16b85775d87d81f870d", "type": "eql", - "version": 12 + "version": 13 }, "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": { "rule_name": "RPM Package Installed by Unusual Parent Process", - "sha256": "528868f65a9cb81c8c4c131dd0d3f9550a95750bf358c31cf275b4585365bead", + "sha256": "ebf1fc23f66bd33cfb9f95903c1231ac7febba950f0cb65f9e4b72e01bfdea4e", "type": "new_terms", - "version": 3 + "version": 4 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "rule_name": "File with Suspicious Extension Downloaded", - "sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0", + "sha256": "31d39495fda1da820b2ead7ceed083db3a4867aad910fa852cd3f86b672508ec", "type": "eql", - "version": 3 + "version": 4 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container", 
@@ -8651,122 +5038,64 @@ "version": 5 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "b3457a5fe20b9065c1d9ebd5a8629e04c5ec7633c1976306c1002925a7819bac", - "type": "eql", - "version": 109 - } - }, "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "5c75901a24944ea9bb7731dfa441ca4c2e49cba2cc2cf98c4bf84dc0fb10506d", + "sha256": "b46ce75d4b5285052780771d56a10d17495be23417da04a2e33f12cd699ab7d4", "type": "eql", - "version": 210 + "version": 211 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", - "sha256": "b8c3f70d8170292a5f9e3cacb2cee9106f06c4c8f11a83ade3fec287cbf5aa0d", + "sha256": "d130fcde15618575db6ce21840f7e0cfca6bb8fe9f3ca2711cc6e724afc98805", "type": "query", - "version": 103 + "version": 104 }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "cc8123040408a5a7b8824468814a4a6152edc5a53ce52f8d4a21411633b35e12", - "type": "eql", - "version": 5 - }, - "8.13": { - "max_allowable_version": 203, - "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "c3e58264f54e251fc042b772277da53c784ead76674487f0c33c678b7dd0a9b5", - "type": "eql", - "version": 106 - } - }, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "523a79457ebd120192055f51dd87edc16265da30254315d5d7fda6729362e1a1", + "sha256": "6c590e22b3bf842a1c5ed864fcd7f17d3a1914754d773dfed217dece6604912e", "type": "eql", - "version": 208 + "version": 209 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", - "sha256": "428b39c4182e10ba307e2d107d34845ceae5b7f6f1e2f036872c3cf1d8cd70e8", + "sha256": 
"d3e96247267c80aca5541d7ea40db8cf0f759f4f72c481dd9018b6a4cdc6befa", "type": "eql", - "version": 4 + "version": 5 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Bitsadmin Activity", - "sha256": "96da24c5865af45e8f97dda18459a22901c821608d0882b14b8d21d20c5db1f3", - "type": "eql", - "version": 6 - } - }, "rule_name": "Bitsadmin Activity", - "sha256": "b26871ba275b05a8a536baa79c0e3200e9624866b75d442ef29859ec0e3574f9", + "sha256": "5a22500f4235f79358efc7e14a78c1cc2f9277528fb7f1b51a787876b6be357e", "type": "eql", - "version": 106 + "version": 107 }, "8eeeda11-dca6-4c3e-910f-7089db412d1c": { - "min_stack_version": "8.13", "rule_name": "Unusual File Transfer Utility Launched", - "sha256": "f8716bca394f674cd16c413cffed7862bb3e4038a525c750adf70d3d2406ed09", + "sha256": "4a62370cfc587049f09fbea9187d079e3a0c9a468b837b32b3c9fecf24a445d3", "type": "esql", - "version": 1 + "version": 2 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "b3f6fd62337753431592f0b819d7b43364bec6c27449bda2d19dedddedc22d07", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "4bc16ba3becb47c564ddf8155c01f3fb0d4c5ede2cb27e19c359d7d715b65a25", + "sha256": "b1c08ef06553de49d280478f611fcbf2d0c5088849a6dfeccb0dcea88cd777cf", "type": "eql", - "version": 105 + "version": 106 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "d66c39f3899393daf54a7c7c7bda79a52b0733a1e71b07e84a34707b1f8806bb", + "sha256": "f19a8ea4c823b71b9cad347564053ae295481396987d48c40285b765d71f5136", "type": "eql", - "version": 109 + "version": 110 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { - "min_stack_version": 
"8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "fcce93128b54c854991bf62a7016a112b1eae5e6fa8d95fc7f0ce183c1695e49", - "type": "eql", - "version": 108 - } - }, "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "c4aa90522a7d5aa3b88d0036b85d17990ea683e84e7567bc8c9393ae0bc21e42", + "sha256": "bd6281ad9d5daa64d0e8bb01c18047d44555b88f41f0a59a268b8dcab935ee20", "type": "eql", - "version": 208 + "version": 209 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", - "sha256": "2f1fff6789d5ceaa58f36f5b239347b6b2b5b222f513b7cc186e20a943add449", + "sha256": "3de6da90bd1ec62ae6b34bb6589136342b6316b5504619e8db31e83dacc47576", "type": "query", - "version": 105 + "version": 106 }, "8fed8450-847e-43bd-874c-3bbf0cd425f3": { "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", 
@@ -8775,70 +5104,40 @@ "version": 100 }, "90169566-2260-4824-b8e4-8615c3b4ed52": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Hping Process Activity", - "sha256": "58160571062e081d702d11bf00b07b9ca2dc75b7463e22d6eb58eb8c00ac7ae2", - "type": "eql", - "version": 109 - } - }, "rule_name": "Hping Process Activity", - "sha256": "fe079acfbd59f33d0829da92c4e2e587c3f846c53a875510463da0438f0c4a0b", + "sha256": "e230893b50456ded2a1b2e4710dd259802969dc215bbb43a721460915a741a10", "type": "eql", - "version": 210 + "version": 211 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "ca9ec7ec6260dfb4afd6121acdc3f0f01cf82233de4bd473e0a4832ea5cca846", + "sha256": "e383c2a951f0a85ad3bb25c169dac91f081fa39737cc969637938c47dcb87adf", "type": "query", - "version": 207 + "version": 208 }, "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Simple HTTP Web Server Creation", - "sha256": "4717868c8d8d29e5d6f9a575a34fa4d179d67b8a82e17f838845ba5c125ee114", - "type": "eql", - "version": 2 - } - }, "rule_name": "Simple HTTP Web Server Creation", - "sha256": "df11460970a3eeb111f933ea0c48401c916e8f2f9ba35b1c8595a215b624242d", + "sha256": "dd350d040fe0e49fada71ba5b97c03c11bfce56c2f131fe618b11df799504de8", "type": "eql", - "version": 102 + "version": 103 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "fb943bd48a4626d7013516e753159b40fdaad0d3f64f572bd223b2716a934d3a", + "sha256": "a272f64a305b370066111000482c3a460baacdd2ba99ade9f5b564755ca3a3bd", "type": "eql", - "version": 110 + "version": 111 }, "909bf7c8-d371-11ef-bcc3-f661ea17fbcd": { "rule_name": "Excessive AWS S3 Object Encryption with SSE-C", - "sha256": "8a707b2cfb834a2d23665ef675dd27767b712018c0644349a3554c04840138e3", + "sha256": 
"30230b4761c830e2c3fb248784d5e1ca5406bea3c656110bb3369128936aa5a3", "type": "threshold", - "version": 1 + "version": 2 }, "90babaa8-5216-4568-992d-d4a01a105d98": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "InstallUtil Activity", - "sha256": "e5667b196187758d6237ff6bf5f23a6f6e1aeb96192193c9497c622982907440", - "type": "eql", - "version": 5 - } - }, "rule_name": "InstallUtil Activity", - "sha256": "d3506c72c7907f32e455ea418eabeca0f6cba286dd09633a0ab16fa9b324c357", + "sha256": "71e2f18922be0eb033a289e1e9d24b430e5f6321047b1a142ae472a2e78c63a2", "type": "eql", - "version": 105 + "version": 106 }, "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { "rule_name": "Auditd Login Attempt at Forbidden Time", 
@@ -8848,234 +5147,133 @@ }, "90e5976d-ed8c-489a-a293-bfc57ff8ba89": { "rule_name": "Linux System Information Discovery via Getconf", - "sha256": "68e536f0bf403b67ca5e6c131af272ded466e96597d6d4394eb00ccc60c05692", + "sha256": "568a6aa17b76db8b4cc68b807a2d24db3e7cb5380b2801966b0229c1b5811e75", "type": "eql", - "version": 1 + "version": 2 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "139452a8b12f147a4c17f5b13922c44d88f841f111f7b4b06d4aebfd151c7061", + "sha256": "a4f8df494d1db756cfb187ea70ea02cab4519a6db6a04aea1b0a8b0751fc36f2", "type": "query", - "version": 105 + "version": 106 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "eadf846c26261704cc3fd68f5b83bf44f04f3b41d1c3b6392df97969cd66a749", + "sha256": "05736cd01141801c41b014ac1f199a56c92f3969ab56f11c8b90aaf46242fb11", "type": "query", - "version": 207 + "version": 208 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "rule_name": "Unusual Web User Agent", - "sha256": "c52af5241e23b6ee752b9dc026a28a1aec7357c7f102ee305ad6447d3ea619b4", + "sha256": "b78bf809101faf51650c503b4b05c3b28e79638af8853d4147c9328a8a6f1667", "type": "machine_learning", - "version": 105 + "version": 106 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "rule_name": "Unusual Web Request", - "sha256": "594a91f74bae3a825e91e973e29f5c443e2bdedb09b4e759c751c5a25aa63b43", + "sha256": "ab4823467da259c26bfa8130eb8eb5894add6ebea8a142ec2da1dc70be3ee403", "type": "machine_learning", - "version": 105 + "version": 106 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "rule_name": "DNS Tunneling", - "sha256": "1460c1764afdd458a0891c83634804634714ece5f9e22aac3ad9c6bb91cd4351", + "sha256": "774a5d8ea6b675aadff3d054ced850106b004b109c7e7ef49c38ab3cc972aef4", "type": "machine_learning", - "version": 105 + "version": 106 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 
100, - "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", - "sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb", - "type": "threshold", - "version": 2 - } - }, "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", "sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb", "type": "threshold", "version": 102 }, "92984446-aefb-4d5e-ad12-598042ca80ba": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f", - "type": "query", - "version": 9 - } - }, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "ce443a1e91f6122b9fe1c883d2642db0c14a654bf43b938bb85505d24adddda4", + "sha256": "394b7f0854cc8051511cd71d604dc20a1d6dbcb4dc789490f3ed240b823ef4f0", "type": "query", - "version": 210 + "version": 211 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "A scheduled task was created", - "sha256": "b1fa6b0fe20d2fd8ffedb8e8b14ef7d3b57c533ea32c88b2841028986b3bf6f7", - "type": "eql", - "version": 11 - } - }, "rule_name": "A scheduled task was created", - "sha256": "249deafe81ed265426800418a9a92b7d725e73e8f846b33cbcc9f4055e6b220c", + "sha256": "85e1811330c72410c17851704dbe26c59f70067c705845ed3eae6b8ba5be292c", "type": "eql", - "version": 111 + "version": 112 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "b0a73c7ef98e6c64fd9209a4d9dd91fd447c52af2d20f698ea91c6b7221d922e", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": 
"9e98be89300ce747f2919cfb437c25751c974c69e9de7111a7de7a59bc9c493e", + "sha256": "e93565e0ef8d52552e56ec0fe44d871ca72f64cc3309368d673334585e009a14", "type": "eql", - "version": 107 + "version": 108 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS STS Role Assumption by Service", - "sha256": "dcc381b0ea011aaffc99fa2552210fb9bd8cfae3fcd9a246033831836d4f5f3b", + "sha256": "f1157f9dc0a2cb2eb50d474cdb9e5a32c0600f71e362a5bf1301aadf800f7de9", "type": "new_terms", - "version": 210 + "version": 211 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Modification", - "sha256": "c31135dc17960a856d35663ed054d09eab76047d10a86f30f4cf5b8ec1a7abe0", + "sha256": "642e0aeb68ef89094230c8ad3a123f2b8690c39b6839fb16c211332af9b02014", "type": "new_terms", - "version": 206 + "version": 207 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6", + "sha256": "34e0322fec5484b8a4d1f8e590227163d0b4be5cad05b986658e21fdb088be02", "type": "query", - "version": 209 + "version": 210 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "2ff5b58315d4aee44cd2bcec8d5026cc4e7770e3bb4d906ca2489e2385babf3f", - "type": "eql", - "version": 111 - } - }, "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "55c655f3c81ec5fc6d674e2429a40bd0ea00235f4ce1935765a26941a143cde9", + "sha256": "aa9adc5952f0cfe6de1c19dd92591f7f512aa0c3ea942b60a9dd96acf370a9b1", "type": "eql", - "version": 211 + "version": 212 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "de92e4d989f9d5610e757c673fbdc4c456231b4ef81e7f4504698b6c264f9962", - "type": "eql", - "version": 110 - }, - 
"8.13": { - "max_allowable_version": 410, - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "d85365573dabbdc204f56fef122dd591e689ffd34004f20d74d2c47e2aa4ec5b", - "type": "eql", - "version": 312 - } - }, "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "35de6ffd8fbe84e6ab25ad60ed8b87c3a2cc1e96bff7daa9699c9e6123acbcc9", + "sha256": "568251d32660f6ac5ab0bc50f9c487831bc480b7d3cc8451b90a2f2462baad2c", "type": "eql", - "version": 412 + "version": 413 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "3f4c25d945ad4aba614f5d74a31c515d8284fc201547404bee99658f5e3c7919", + "sha256": "35604d04285d0530134b6145050ee7e0491f8bb8701636083250e68acb1283e5", "type": "query", - "version": 206 + "version": 207 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "2915057dbeddaff7f8345d24e40dd53ec41319b7192a27d93e593ef5eee6a45c", + "sha256": "b7fff2d590e63f71f45e72379fe8e5a6978373ec1a5507aa951489aa4a45b539", "type": "new_terms", - "version": 205 + "version": 206 }, "94418745-529f-4259-8d25-a713a6feb6ae": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Executable Bit Set for Potential Persistence Script", - "sha256": "16145a1b22661ff2e88c9e1ba07836862628630beefcda649d52f876480530d4", - "type": "eql", - "version": 5 - } - }, "rule_name": "Executable Bit Set for Potential Persistence Script", - "sha256": "b5f2d2b732ed56124dc1f618c8aaa4a1b035b3af81246aca47b16d675c5888f0", + "sha256": "972bf2c87a226e9eca32bdcec9a0e1831a5d2a2daa6cee8ec3bcd4a5142a20e6", "type": "eql", - "version": 105 + "version": 106 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Creation of Kernel Module", - "sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533", + "sha256": "d6120a5cee167490f241f052f292d2eb902750584dc5614e1c1de3cb5c04943c", "type": 
"eql", - "version": 3 + "version": 4 }, "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "46c457a7a1a2443ebb06f362b2f728a3fa9ea4f0c6261d4bdc32a7de7e92ab6e", - "type": "eql", - "version": 12 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "3bf1f307ad367938a343c262bcf271d1e172a74528f40a5f70364cbfd688a804", - "type": "eql", - "version": 111 - } - }, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "3ca2f8aaffac020eba3dfe8981e8cac731522b3d81551575b2e84370c8c9c9e9", + "sha256": "bb10cc4be5fdee49086851941a3077f1a296b74a1cdaa2159c5e843d5acb2fee", "type": "eql", - "version": 212 + "version": 213 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 102, "rule_name": "Multiple Okta User Authentication Events with Client Address", "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", "type": "esql", "version": 4 - }, - "8.14": { - "max_allowable_version": 202, - "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", - "type": "esql", - "version": 104 } }, "rule_name": "Multiple Okta User Authentication Events with Client Address", 
@@ -9085,81 +5283,43 @@ }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", - "sha256": "e1f81d655b8ff56cdc39629ce72312cdebdea19e417e5d8a2f82631bf5a3bd6c", + "sha256": "0ab1df4b05b8c4f156f9ce6e9f585546883d3244918fa123455a5801b1b11947", "type": "query", - "version": 107 + "version": 108 }, "951779c2-82ad-4a6c-82b8-296c1f691449": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "30e9709aa596d9469d905ec6593683478b4eeb9a2d40edb724b0c2e5f1ba6bd2", - "type": "query", - "version": 5 - } - }, "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "d44b1b9ef878285d8dd07da49ecf77844b4892d271d1ebd4ac6631939dd3857e", + "sha256": "b722ccbfa7ecaf20260ac487e76dc4f3a7610c780fb1376ed3b5d8e0335287fe", "type": "query", - "version": 105 + "version": 106 }, "952c92af-d67f-4f01-8a9c-725efefa7e07": { - "min_stack_version": "8.13", "rule_name": "D-Bus Service Created", - "sha256": "f49342d2753a20175c2dbbc0a575357ee2a7bbc665af3267b73778f6270b6bcc", + "sha256": "5aef963f73d96df60417b5ddc69b1357a9bbeb134342841dc67a359cc2619079", "type": "eql", - "version": 2 + "version": 3 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Remote Scheduled Task Creation", - "sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8", - "type": "eql", - "version": 110 - } - }, "rule_name": "Remote Scheduled Task Creation", - "sha256": "555f7495d3ea6078d6af2f97c818cae349e64b883f0521ec5b62889f19a47c7a", + "sha256": "24e6101eefc878fdf6b6890b48c1e73d7e146a2be051e66dfeea360710f9627f", "type": "eql", - "version": 210 + "version": 211 }, "959a7353-1129-4aa7-9084-30746b256a70": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "PowerShell 
Suspicious Script with Screenshot Capabilities", - "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c", - "type": "query", - "version": 110 - } - }, "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "6dc0584fa3dc988eb1f19f71ae64b7dfdfded3c1db4e5a6a80bb43bcf8778753", + "sha256": "add4de7f1a673948279ad565918605e1abec3d054ec1f8e2123d6138d5b8d18e", "type": "query", - "version": 210 + "version": 211 }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 102, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", "type": "esql", "version": 4 - }, - "8.14": { - "max_allowable_version": 202, - "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", - "type": "esql", - "version": 104 } }, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", @@ -9169,9 +5329,9 @@ }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", - "sha256": "433032becb5c8020450493b9158692e4e8e93ce81f820b25705231f2942dd2bc", + "sha256": "f94cb36fb3032304a8a812b77b36345d6628249429f37175dedc7774c6308f96", "type": "new_terms", - "version": 2 + "version": 3 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container", 
@@ -9180,90 +5340,68 @@ "version": 4 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "File made Immutable by Chattr", - "sha256": "61a885e5fd8caa58db1e46f7ac46a9212cb60f45987a57654e44fccf0044273d", - "type": "eql", - "version": 113 - } - }, "rule_name": "File made Immutable by Chattr", - "sha256": "38909ad9aefb85b3686d7ce1ad51131ea6f34ac9a0f3636eff945237ca572566", + "sha256": "8e9265eb725fbc9cbd78e2ddbaa06ef6c6c7d173b6a1a3692ac2f2ed04ca63f2", "type": "eql", - "version": 214 + "version": 215 + }, + "96b2a03e-003b-11f0-8541-f661ea17fbcd": { + "rule_name": "AWS DynamoDB Scan by Unusual User", + "sha256": "aaf46542fbcb34571e8f78b9a8c92673d698c8b999185366bccdfc446c67eac7", + "type": "new_terms", + "version": 2 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 307, "rule_name": "Attempt to Create Okta API Token", "sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Attempt to Create Okta API Token", - "sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec", - "type": "query", - "version": 310 } }, "rule_name": "Attempt to Create Okta API Token", - "sha256": "72dc3ad1b6b20812a65c1e7f6cc607abd7f61572f341de9e3914d9355437b4e5", + "sha256": "489c9ae7c2fa3f0f141bfbc5ab7e7f5a37c532155de68b91f94844eda3b158cd", "type": "query", - "version": 410 + "version": 411 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", - "sha256": "d242e9b768158e113d5b497903704bcf3417ee47dc9240caed8322566a25a388", + "sha256": "f5b2df6d2f50c42e4777d0b69b05dbad45f72fbe850047768826a54365938143", "type": "eql", - "version": 13 + "version": 14 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Access to Keychain Credentials 
Directories", - "sha256": "c3a49d1a72ee8b083f42d9a80d3bcf96dad353cf2f1d2f4b1167a6236afc8780", + "sha256": "2185ba74311252c304b4d98fbdf6dbd4505834ee6a3084cbafe02f5361646909", "type": "eql", - "version": 209 + "version": 210 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "1a312776aa0b8db999e00c4e025deb6da554ec3738734de8d788a6e8c2d8b957", - "type": "eql", - "version": 10 - } - }, "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "fd2dab81de38537fa82851e66cba9cbe80121418b4151135a71506229f41bd19", + "sha256": "a80f11dd293aec59405281a09f81510b50681e172e082bb17dbdbe01b2528c40", "type": "eql", - "version": 110 + "version": 111 }, "9705b458-689a-4ec6-afe8-b4648d090612": { - "min_stack_version": "8.13", "rule_name": "Unusual D-Bus Daemon Child Process", - "sha256": "047f6e5a12bc33a0db9822bfcc4d9532eb5bb20f261dc8d5d0a6b9d335db1175", + "sha256": "49d8afd10f60504213c82db2b422ded06f2e0b370b728b22dd25d90df9f8743e", "type": "eql", - "version": 2 + "version": 3 }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "996edcf7b84f597c5b917b95706acfa718b8b78ac0fbaaa24a1c9a164374d32b", + "sha256": "fcddc79a3bdc5f48f706865670a212c510fa7291c56bdf51b85d3d95d3e702b4", "type": "query", - "version": 207 + "version": 208 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "a68596e0c8c08057fe0d449a485c3024b5c19a131d0f8e73a91070d52b2aa5e3", + "sha256": "b54b02ac7c0cfd7285fbfdcbf9c14df8bad642933fd50be1c14c392f8378b821", "type": "query", - "version": 105 + "version": 106 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { "rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container", 
@@ -9272,63 +5410,38 @@ "version": 3 }, "976b2391-413f-4a94-acb4-7911f3803346": { - "min_stack_version": "8.13", "rule_name": "Unusual Process Spawned from Web Server Parent", - "sha256": "65425366319a1036000c5b118c93b8838f7357205eb7f98d09811cd3d417fdac", + "sha256": "1dad36b18396f9a0d6d07cc7dbd269695ae3cc9faacf1c65028dcf44a834a95c", "type": "esql", - "version": 1 + "version": 2 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider Updated", - "sha256": "15acaee88ae03f37d33254f0274ae68eeef32455fc96461fe20aefd88e49b24d", + "sha256": "5613fd191d38a8f826e650ea7bababb9333e46675b2e961e7cdb32aca9bcd0c2", "type": "query", - "version": 208 + "version": 209 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 311, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1", "type": "eql", "version": 213 - }, - "8.14": { - "max_allowable_version": 412, - "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1", - "type": "eql", - "version": 314 } }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "31c83a49dd77cb7c92b81b820392ab0edaff0810927f55cfe52754a54a43a48a", + "sha256": "56de001290a7d0ff4af426ec57bb2465d9992c151f32674086eb6b0f0663b8b2", "type": "eql", - "version": 414 + "version": 415 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Suspicious Zoom Child Process", - "sha256": "89aac019d039da3e9cc8d5a90ad24c527336df5dcb17667cd41e0bee861b36af", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 413, - "rule_name": "Suspicious Zoom Child Process", - "sha256": 
"81d81d2a203cc3c331a1a84c28d088567742339d61e0f33dde9e1035758db531", - "type": "eql", - "version": 317 - } - }, "rule_name": "Suspicious Zoom Child Process", - "sha256": "8e2d7ddbc2af722c230fd0a23e1428cc5fb0493d0382e9e124410a5087628899", + "sha256": "bc3f58b578de1bdc830726d2eae772aa81b012b7f6e6840b177bf70505d7021d", "type": "eql", - "version": 418 + "version": 419 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -9338,9 +5451,9 @@ }, "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { "rule_name": "Suspicious Renaming of ESXI Files", - "sha256": "d48ba745542ab8f019a9ce68e2eaab1e0710585d16c354744c59767f24e825ee", + "sha256": "96c8096d390a598ea2cb90ba8886ccccfa08f7558171199f173ece55a2d4d8fa", "type": "eql", - "version": 8 + "version": 9 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", 
@@ -9350,337 +5463,177 @@ }, "97fc44d3-8dae-4019-ae83-298c3015600f": { "rule_name": "Startup or Run Key Registry Modification", - "sha256": "814a1903fe60035acd9815188db701fecb3cd77f622205487cbb5dcdd5895034", + "sha256": "530ddf6213cfd29631549bab034db0adf19a8bd5ca23ebe3f8658218a075adb3", "type": "eql", - "version": 114 + "version": 115 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", - "sha256": "9af59876aae930d88fa37449a4e391434ac253a1a3a68a7f19aa8142681af396", + "sha256": "042fff441edf847d8d6b99db794f25bf1b17e794ff4c5a1bee971ac1dd253db7", "type": "eql", - "version": 5 + "version": 6 }, "9822c5a1-1494-42de-b197-487197bb540c": { "rule_name": "Git Hook Egress Network Connection", - "sha256": "c07414c56696bd71465558933f65566b033635cd7cf42419eb70a7695eddf4ac", + "sha256": "c34e876395c7b115a12a54f8e64f3bfb446708b8836422c7e59824a29d1618b4", "type": "eql", - "version": 3 + "version": 4 }, "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", - "sha256": "71605f19bbfc7c7d7b38c3c938e25db98327f11a8597bfc3707c0b7936fc407f", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", - "sha256": "701bf23c547307a946220bd3957b0adca6d9935dc5ddd0a2d59e97125e3cbd06", + "sha256": "70a141bf6d5dd4b53dfb85baa6e3c0f1a03bd85460747cd99dbf7c43c9d0387a", "type": "eql", - "version": 104 + "version": 105 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Indirect Command Execution via Forfiles/Pcalua", - "sha256": "8f278d6cccbc4ea629a93950010eaec7cf14434d52853ef5918623c532fa1fbf", - "type": "eql", - "version": 5 - } - }, "rule_name": "Indirect Command Execution via Forfiles/Pcalua", - "sha256": 
"52f62bfbdb63f99ed6802e2dd419d04a89be011d0af0805d94a0e58280834400", + "sha256": "3c52d743c5f86369ebeddd7ebab239f60ed0b1a8075efd96efaaebec0f94c300", "type": "eql", - "version": 105 + "version": 106 }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "2df4707335bb89c170cda8fb27a189ca2e1da3b0a558637041354bc560f3c934", + "sha256": "e08728b9a4a250bf9f1af0851f942612177bc3f473665b575fe48b587e907d7d", "type": "query", - "version": 105 + "version": 106 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "193707cacca422693c80b0f220dc512aceef3c53ab09b92a266c678eb5066f0a", + "sha256": "0cc8b2c75c4f67088b466de8a02dc8b85b888d8e45c58172cb22fb4e90f9b649", "type": "query", - "version": 207 + "version": 208 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1", + "sha256": "68b44f8cf342f499981d1f02153e0d1159445c3243578846f6febc69766647c5", "type": "query", - "version": 209 + "version": 210 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "rule_name": "Process Injection - Prevented - Elastic Endgame", - "sha256": "635f24d3547bdf9acf3c89fcf9ca0a208ab9c5728c280fb1ef000066cf7d0b15", + "sha256": "a0bffa98b85b5302f04968bd516704fa0a3f9b1d3c9378af798ce9ddbae69612", "type": "query", - "version": 104 + "version": 105 }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { "rule_name": "MacOS Installer Package Spawns Network Event", - "sha256": "bd112fd50317c61508bf7617e01f08695c64588de6801c39f7c6bb6155cdbebd", + "sha256": "07be235c7dd98da00051b5297ff49ffcf55224865610cc49ef2ae80b4dac856d", "type": "eql", - "version": 109 + "version": 110 }, "994e40aa-8c85-43de-825e-15f665375ee8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 109, - "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious 
Probability Score", - "sha256": "f9bab10027d4eaff5c7cadc5613cfdfe2caf71917f01c2298779b3693e458905", - "type": "eql", - "version": 11 - } - }, "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", - "sha256": "aff8ce3c97b8657b94418ecea700cdbd08933e40dae51fc4cac6978e212ebbae", + "sha256": "ff28e80159f9dff929b862a3b082b36bab422e4a397573be0ce8a7e3b8bcf4b0", "type": "eql", - "version": 111 + "version": 112 }, "9960432d-9b26-409f-972b-839a959e79e2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 309, - "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "d1a480f7832f8712d06096eb7dd3d5ff5ebd8c57a23ccb530abd85f8523c12ad", - "type": "eql", - "version": 211 - } - }, "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "c655401d4db3c1c8925fad88f4c58efa5897f96092a4eb5e5f39f19ee391aa73", + "sha256": "1c31c99f9ef70bbb05811088a045934e699ecb42b86d19a20925823553f5259d", "type": "eql", - "version": 311 + "version": 312 }, "999565a2-fc52-4d72-91e4-ba6712c0377e": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Access Control List Modification via setfacl", - "sha256": "59b417d5b2a03bba13ec5f3948f8dea5787846aa669acafde0f1edf8f4c9179b", - "type": "eql", - "version": 3 - } - }, "rule_name": "Access Control List Modification via setfacl", - "sha256": "265d70cfdc84fddd988dbe3b110c25de72fe374209a1e78e667c309c70c3b13e", + "sha256": "fec13f106027f80845d52095abdd5957c75f6156358719383c61a2c95e579b15", "type": "eql", - "version": 104 + "version": 105 }, "99c2b626-de44-4322-b1f9-157ca408c17e": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Web Server Spawned via Python", - "sha256": "590abb2de8685e9ba6ac1bb26b5ba6e6799b404bca1b24fed7d7e3c37f8f4452", - "type": "eql", - "version": 2 - } - }, "rule_name": "Web Server Spawned via 
Python", - "sha256": "e40443f15069a79c93f3af2ef411178ce68866881149524dbc2a1822cecdc3ee", + "sha256": "40e5e54bb2c6ab594fd18eb0a9a771678ed5d2ac0a0ddb3334f253dd65635b35", "type": "eql", - "version": 103 + "version": 104 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "rule_name": "Spike in Failed Logon Events", - "sha256": "ca08904de89887f5891bd0f501edc49c036372ce18d12a47f09c6dc211d1e964", + "sha256": "f9969960a5e08693c16fbcd7c0b6fd1f0cf16c81dc2d48af48902028919019e6", "type": "machine_learning", - "version": 105 + "version": 106 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { - "min_stack_version": "8.12", "rule_name": "Endpoint Security (Elastic Defend)", - "sha256": "30950c93c8eddc61c365791e8c2b74e80d7890fcc2f73f740c5eb9d5481f3b4a", + "sha256": "f97906536045e8a37072e35fe3dd11bc159ba1f4a5e694dc791bbabb26e5ff2e", "type": "query", - "version": 106 + "version": 107 }, "9a3884d0-282d-45ea-86ce-b9c81100f026": { "rule_name": "Unsigned BITS Service Client Process", - "sha256": "4f561717a25dc92b70f5d5b880397f4622d3d9795ea086ac8c70373878c3bc51", + "sha256": "88b128e1492a41140c22f156270d3bd228b717e97d37c8cd718f1c1c236a7053", "type": "eql", - "version": 3 + "version": 4 }, "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "957303ee184b536fc22f9671dbb2ed19527c497f148615b01ab438db8d2d1748", + "sha256": "a841b25a9c5ca7ed8be704802bd4ebc96b9db3e18262d6a5ec6539bb26f1d458", "type": "new_terms", - "version": 210 + "version": 211 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Suspicious Explorer Child Process", - "sha256": "dd9f2215be389c33f7a237f9116f9ebfcdc92de051c6babfea314a2664c84bd0", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Suspicious Explorer Child Process", - "sha256": "a2a0a26741e33b91efa6e94308f5e4734607222ce87fffcf03ad1682e63fe624", - "type": 
"eql", - "version": 210 - } - }, "rule_name": "Suspicious Explorer Child Process", - "sha256": "e26c452a699c5910201336b89c6df67ad2e167129b2cad1f19a687282dc07362", + "sha256": "767a247a17d7f488ec953c0b00654ee87e48e20a7fdecb693b33584dd8366f1b", "type": "eql", - "version": 310 + "version": 311 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "a89728e7de28de1f41f89eae6884b7434dbd8f948cd682f6a0621a4cd7027067", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "bb878ddab8423add89b2fa6d67e8fb17d61aea08318d7adcc5f16859511228ec", - "type": "eql", - "version": 211 - } - }, "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "bb1dc73390bf4205bc5518949d88f85a8ab64938716323d47e6c8a36817c07a2", + "sha256": "5efe0175858db799cb86835bf76cadfb54983b0348cb5e39d4c7a155c696cc77", "type": "eql", - "version": 311 + "version": 312 }, "9aa4be8d-5828-417d-9f54-7cd304571b24": { - "min_stack_version": "8.13", "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", "sha256": "5261d7a8d3df0f503139f70be2c16478f9da435dcb45315321b70c9f0136c973", "type": "esql", "version": 5 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "GitHub Owner Role Granted To User", - "sha256": "161fe9bc03f0a9bd845c1f1a27a75b057d54285240798bac0af9d268896a8ec6", - "type": "eql", - "version": 107 - } - }, "rule_name": "GitHub Owner Role Granted To User", - "sha256": "17b30931a90a1e2a268c89b8ca1c50d33a9ad847cf40b03526748115fa47df6f", + "sha256": "fbbbcf42d72cc9678593f3cb1cd52d8ca8140c07465150b448d0586331f2b009", "type": "eql", - "version": 207 + "version": 208 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { - "min_stack_version": "8.14", - "previous": { - 
"8.12": { - "max_allowable_version": 211, - "rule_name": "Persistence via WMI Event Subscription", - "sha256": "1ca4124ab56004a70f6da7a9a4d37c4f17b4b6f6dae275a42b309b567ba942ab", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Persistence via WMI Event Subscription", - "sha256": "84f14d803c60917b6e0fc1ed345759a7a8cba6fcc2cb04ce790c8f6f410b8789", - "type": "eql", - "version": 214 - } - }, "rule_name": "Persistence via WMI Event Subscription", - "sha256": "7813df08730563638f4d24c630eaa2b5dfa818903e6017334b38afc51984e497", + "sha256": "287f6ac5a52ff4383a691416c5eeaa3ba88367394dc92853b803e535bc0ebc63", "type": "eql", - "version": 315 + "version": 316 }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", - "sha256": "c58dfc5733f3e65bb9059316a9300d38db530be0527fd7e64e37af99dfd2d521", + "sha256": "97874993b0c58b51d4cf8b92cc07103dabced133d989df2f285d76338a58dc62", "type": "eql", - "version": 6 + "version": 7 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Hosts File Modified", - "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2", - "type": "eql", - "version": 110 - } - }, "rule_name": "Hosts File Modified", - "sha256": "6c8889d19257e8545d39010b01b1e721000f32d09695add926dd4b13d378b84b", + "sha256": "dbce0ac372cdee0e86c1fa79185c79ba9a678d925893a5180c2488477bf75437", "type": "eql", - "version": 210 + "version": 211 }, "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": { "rule_name": "Unusual Interactive Shell Launched from System User", - "sha256": "b351f332d2ee0c37576188cba134e30d7fc288887cfb5247b494162043ce2343", + "sha256": "41e4144827c330aed22e9fb3410630e482c9710e2911c5980314189fbe90972a", "type": "new_terms", - "version": 2 + "version": 3 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - 
"max_allowable_version": 108, - "rule_name": "Remote Scheduled Task Creation via RPC", - "sha256": "16a3342d1003ae1b974b870f7a8388dbc7041f06704202c476621831405e4ad9", - "type": "eql", - "version": 11 - } - }, "rule_name": "Remote Scheduled Task Creation via RPC", - "sha256": "13c9045416c8248f845b761d980512aab51c64c5413e295c18c59953eb5438e9", + "sha256": "3ce6e57836a8e47fc2bdec74bdc1dee3810fe88c14ff946e80ca852b6017cc09", "type": "eql", - "version": 111 + "version": 112 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { "rule_name": "Potential Enumeration via Active Directory Web Service", - "sha256": "a5aa8f87141efb58c5a9fc040430072979a81838fc6185b652fc5d08cae05ac5", + "sha256": "014ebef9bcc283ff37e34247a31d54f04d6c13164349890ebb9cfde745730c09", "type": "eql", - "version": 3 + "version": 4 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "97790052feabd6d8d92049481818933f920d5128b459958b23b4f454788e1926", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "b70867b53f9047d648a74ee785fbfb344461397ac17e24dfb7d85c50b80bd906", - "type": "eql", - "version": 211 - } - }, "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "d16970d52f5665857e15296e8ce24758baf698ceafc64a1ac5355b5c221c2692", + "sha256": "ae63679c14f66942cb097cb9188ef25304a304ec2f8300918436a4be80b688c1", "type": "eql", - "version": 311 + "version": 312 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "rule_name": "Google Workspace User Group Access Modified to Allow External Access", 
@@ -9695,280 +5648,136 @@ "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 310, - "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "c6feee8b5f84305767251a5980243998d9d4ba2743ad9874895791e3fa10e948", - "type": "new_terms", - "version": 212 - } - }, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "c42cd52eb73933b7ba7eb1c1c25bfca2e8215a4e3c8f773c16584bfd38174c1e", + "sha256": "953a524b0b3d91c85ecc2a3526664151677da8f53e3148cd0262132eb8f2f95e", "type": "new_terms", - "version": 313 + "version": 314 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "3bd8a686c90d2b907e79cb8d81ba383c30178ea847082f7fe1759d803be174af", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "a5612eb45ae24f371fdd1a61b1d6c0ca308cc2c8dc2fab9ac4bd95b6f32b8fc4", - "type": "eql", - "version": 213 - } - }, "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "3c4a04e50ac49b7af2d68bbf893ab9bded4c25fdb56571258a632a4a4a0bc7cf", + "sha256": "88d77a212036f8bffda65aeacf7d1a4d770b17c85276000ca46dda3a6b49ee95", "type": "eql", - "version": 314 + "version": 315 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "1658b389087bc7cd6ee91ffc89a1714168b562dd44451d4c4d6f72702036b9a4", - "type": "eql", - "version": 114 - } - }, "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "ba5fd2330dd1b6032d2553050acd7351a5e7cd9c1f74152c0fc5a78d0732b6ae", + "sha256": 
"5c18f5e2e17dbb223ce2164dba7a0bf20c596fd35aecdc39d6ba908321229f47", "type": "eql", - "version": 214 + "version": 215 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "0bb18ca3b493310ba23b616de3d39cfba94773b53140eafec03abd781a5897c2", - "type": "eql", - "version": 111 - } - }, "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "aef7f15ace1ec416d8e85249577e2301f49840b905843d141189269d3f904f75", + "sha256": "ee7caadf9e57096bf55162a61c21bdd5591ba6cc377d489e2aec823816bd1ccd", "type": "eql", - "version": 211 + "version": 212 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 313, - "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "fdb27be4ce2b9a135b03186611685488a9d4a989738c3edd28687e83b9f7e349", - "type": "new_terms", - "version": 216 - } - }, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "0a3531614c20fc9734ed5511346286cf1814c660d2dd86e7ca61b414d1052ec7", + "sha256": "9fe199019b52e009894e09df47891d15855277603433827428a795daa3afff31", "type": "new_terms", - "version": 316 + "version": 317 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "6e08e0961e8712e3fa798614ceba20842f1fd9e78569f3efb5b0236bd2ffaadf", - "type": "eql", - "version": 108 - } - }, "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "93adb711b7a1ad99c4215e7623c63eeeb35de931e53749d3abbbe7aeb344d334", + "sha256": "97111ee5914163f12e353b1cf1d6fd9cd0f38495228862bbefbd9eeb3f79997f", "type": "eql", - "version": 209 + "version": 210 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { 
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", - "sha256": "bb77fb9e3e5e133ea5abdc232b19de4477bc18cba743881e80f0c4be6ac96c42", + "sha256": "bd25f67aa2f26ef04d210a0f6f7ce2ecd81c54bc633bc29d2238358f4aa29ff0", "type": "eql", - "version": 108 + "version": 109 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "4ce9e353cd70a52c2d7d94beb8a05952a35ff6c117689d5ce2d9a7da5af011aa", + "sha256": "b8784aef89568400787b3d0995bf9a1de920f87adc2b2044ac9e5250247a0c08", "type": "machine_learning", - "version": 105 + "version": 106 }, "9e11faee-fddb-11ef-8257-f661ea17fbcd": { "rule_name": "Azure Entra ID Rare Authentication Requirement for Principal User", - "sha256": "5d5c0a0d20bb041e22f4d97a3c49b1e687c2381e75e1b707e7e85c4bae6c4b5c", + "sha256": "24907196a67e425d158aec2f12eb18d9cd325c82900a25cfdd36cf2f3ac04194", "type": "new_terms", - "version": 1 + "version": 2 }, "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "rule_name": "AWS RDS DB Instance Made Public", - "sha256": "aad06c86f00fc49143d2b0b6c0f3b27380ed7eff0b3cf20193f5338fc2ea0a9f", + "sha256": "89df536f5b25ba25214b381670e72f779c1f1ec53c648b8536dad34296c4825f", "type": "eql", - "version": 3 + "version": 4 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "3e4eea02a43d60f58a4be4bea2a88713ba7724676b52851025572c1bbe451d5d", - "type": "eql", - "version": 111 - } - }, "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "41e4276d49f03093af17d2254ee773f8643d1c0aa8b8ac61d01ccefd7bdc22e8", + "sha256": "5a8e8bb4d6e8f39e3c767e4d2a12e9ca51ca278ec993a2e15c272c268ad3a487", "type": "eql", - "version": 212 + "version": 213 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 214, - "rule_name": 
"Potential Credential Access via DCSync", - "sha256": "b5ad0d7ace8669b1eea8d9a58c38cb027d236901af048b6f308e8b921b7fb4a0", - "type": "eql", - "version": 116 - } - }, "rule_name": "Potential Credential Access via DCSync", - "sha256": "a931d7b18207e55bd0c94cf0011568c27d08e2cfafba8ce17542ec209e78e426", + "sha256": "3d2bedb8dbe52bf72ea2bfe034fa4420c6f8c3fed4f3481a3d313a586efc696c", "type": "eql", - "version": 217 + "version": 218 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", - "sha256": "5d7f431713626a4dcd90230cc90a452231a2f4f09ce222c8f023205f6921b8b3", + "sha256": "3d5effea9b0d9b9442ea373b0d86c76173820c14dd31b612d5a9bebb0b451677", "type": "new_terms", - "version": 212 + "version": 213 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", - "sha256": "7b2b92f74b503fc18cf5ef70b93536fbb877f88952c072c944b062b3f8f647f7", + "sha256": "68f61a54191f15c1261c898f36314ca4cb967b98ff74d0fd37320e1c69f85198", "type": "new_terms", - "version": 313 + "version": 314 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "A scheduled task was updated", - "sha256": "24db103856c5596c20cce21e7e92ea1d20a82b95691be3b31c7718f15984c193", - "type": "eql", - "version": 11 - } - }, "rule_name": "A scheduled task was updated", - "sha256": "dd983fdaa73edf71a2cc567f3fa7189cb995df66ceb66751f6047036d45700ea", + "sha256": "dec73f37882fe3c00468033b180b963f0dcc1dcccf01e546a42b2b79ec68f6c8", "type": "eql", - "version": 111 + "version": 112 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { "rule_name": "Potential Privilege Escalation via Python cap_setuid", - "sha256": "fde760cc52775ecdc228f7f4fc26b42a1d1040d4732aa51f2942e21d16c00820", + "sha256": "a2c350073531eda06404ae20beae25708733193fec7b72b8c359420653479b9a", "type": "eql", - "version": 5 + "version": 6 }, 
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "2192b6dc1346c8016c7f7e18d0e4def61f38a7359cb4c665235f7c7a35d81646", + "sha256": "cf6ae9f715cb5ea3c39f4d96c9987d8b1e11a5fa75ccbf24b93b2bf7ce263e87", "type": "query", - "version": 106 + "version": 107 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "009c0f45c6d544d656f91b1a17dc4ca36d2fa5cda90732b95d8cc0840b82684f", - "type": "eql", - "version": 108 - } - }, "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "3826d8c2ea0005de5c96f492c5dd896a58db738ff754a638c848dacf6514d220", + "sha256": "4f61d3eb44f8b3e1680e5f53ee2af54c5ff18458a3463e9f240959a1828ea00a", "type": "eql", - "version": 208 + "version": 209 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "File Deletion via Shred", - "sha256": "cb4768e9cc77383814b6bf126bda3c193dae302c4d755159f2ce1e4079e49733", - "type": "eql", - "version": 110 - } - }, "rule_name": "File Deletion via Shred", - "sha256": "6cf3281eed4a567e7fadf7e7a60a25d32be3683088852fd6cac2b340214c17d3", + "sha256": "feb29e526f2204abcaf760975ba4dc9cd13b9324c9d062cec0a74b1cfbf0b969", "type": "eql", - "version": 211 + "version": 212 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "5fa1a396391aee8e4f152b75cbd71a7944b0a4850e20e3496a5de3f463d46031", - "type": "eql", - "version": 110 - } - }, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "2e3cb26c1d0f253e34915465fd896789a7056d7faeafad6435baa712f4d4358c", + "sha256": 
"f5e7edca07f99dea285c4edeed73b5a44f86dde34547e824a5266c22b6006dd2", "type": "eql", - "version": 210 + "version": 211 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "60b4da3686af1892886ef1568adc3da363b41fa02069a8ad5f02c1f13fc5e375", - "type": "eql", - "version": 9 - }, - "8.13": { - "max_allowable_version": 207, - "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "a95daf1b60dd955c84fe99495d627e26da5f8c3071938bff985159d488d74b35", - "type": "eql", - "version": 109 - } - }, "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "ab452a27753833a9982fac9a2797499691153c3fcc51357315acc246796bce7f", + "sha256": "d3397ec5dcdac6ec80a54a81487ed63355411e7df782e3ae9e7fe4f1a14db365", "type": "eql", - "version": 209 + "version": 210 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "1c1a346a5c44ffafc16e7a28a4703248527b03dd10eea79fe823ceb5a035ce73", + "sha256": "1971789adad6e515416151b5792e33fa9a4cf64fdce9af7e3fc076899ad5683e", "type": "query", - "version": 105 + "version": 106 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { "rule_name": "My First Rule", 
@@ -9978,107 +5787,70 @@ }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "93ac22092606053c77aa4f701b17b858a8cae516565cbcfb5a34494b5ade35e3", + "sha256": "363670cc032fbd6a35b0fe945458705e5d35877c387db8b9abc5a7c85f135148", "type": "eql", - "version": 109 + "version": 110 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "rule_name": "Linux Group Creation", - "sha256": "6318c4dff530e8b0d50c646549d60a859ca4d6d4881dbcc94e3b5c26620390ce", + "sha256": "f72b18afc4bfe233b1e640f183215f1cec65e7ad11c124be03b8d46ba1de3d95", "type": "eql", - "version": 7 + "version": 8 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "06f788f98600e28f36873cfa890ce266317a1b101169c481fb3099d9c0e35eae", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "db4b51eff904ef0ef94f2e68fa3ac4e7e64a9bc8c6e03af8a426537789e233c8", - "type": "eql", - "version": 212 - } - }, "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "ad7b4900548730f045e3b58898846a5953e28138ddc81ea4b2cb5e8f7bc4f30c", + "sha256": "faf336b6ca7cfae7df2acf5404511e10beba52740c7434f0042023acc001f5c0", "type": "eql", - "version": 312 + "version": 313 }, "a22b8486-5c4b-4e05-ad16-28de550b1ccc": { "rule_name": "Unusual Preload Environment Variable Process Execution", - "sha256": "9e16a6d58c5f5a677f1cebc91183afdae5a7ecdfcce34207fcc6f62f65367152", + "sha256": "25d29a23f09950c3413dffbfe3de61b29916474a7e22ba124d13d36dd8bd2638", "type": "new_terms", - "version": 2 + "version": 3 }, "a22f566b-5b23-4412-880d-c6c957acd321": { "rule_name": "AWS STS AssumeRole with New MFA Device", - "sha256": "bfb7eddaa9656dc8832f4d1a089450b5b180a6620a1dd22d601c7bed17c286de", + "sha256": 
"ac8f88233a774a1b9653200a673481d3f4979114d0cf4d64652d156fb7525193", "type": "new_terms", - "version": 2 + "version": 3 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", - "sha256": "5398047ac13fd35fd8a4c69163e2abbbb71741b093655d3a18a002c62544c722", + "sha256": "e09f132a61e78248c0985ea31087cb472c5afcc13d0bc9c839a8fe01e82990bc", "type": "query", - "version": 108 + "version": 109 }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "PowerShell Mailbox Collection Script", - "sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58", - "type": "query", - "version": 9 - } - }, "rule_name": "PowerShell Mailbox Collection Script", - "sha256": "806757feca7a5f09ea78d6c4344a5b4961a51dbbd7c9779b0fa1d3e24e2f4087", + "sha256": "e1facc452ccfcc245ef3f50b13fa5f913f10e2880c7241c776df5034b5f34860", "type": "query", - "version": 109 + "version": 110 + }, + "a300dea6-e228-40e1-9123-a339e207378b": { + "min_stack_version": "8.18", + "rule_name": "Unusual Spike in Concurrent Active Sessions by a User", + "sha256": "bf90d5f51fb39e5f57e19e4773bb64baed072b90cc870fe6941712cda65ae86a", + "type": "machine_learning", + "version": 2 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Execution via local SxS Shared Module", - "sha256": "c70b5b61b3ea697efa1bbf34aede51b77d26f0af37f29414c403967c589fa37a", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "Execution via local SxS Shared Module", - "sha256": "7f90a2bcf9eeaff4a2dc027ec117964bf311dedcbc86cba03a8615c9780c68bc", - "type": "eql", - "version": 209 - } - }, "rule_name": "Execution via local SxS Shared Module", - "sha256": "0411088910bff1036ccad0a0a7e3e47b669f970b76031d73843f1a6ee00aa168", + "sha256": 
"8dfd2089a94c68f6f98efd6d32b55308a9b7b1125d343ad0e64d3df972e45c8c", "type": "eql", - "version": 309 + "version": 310 }, "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { "rule_name": "AWS EC2 Instance Interaction with IAM Service", - "sha256": "17e90233a68416b545e9ec60b945d558eea63b417eebcda8d046984ca667b87c", + "sha256": "1d90a08a37464262c54504cffadf25b8444faec72634d6250cec1bd61b8dc4ba", "type": "eql", - "version": 2 + "version": 3 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "286b04230e047bb8f027f8d352ff9cf1d299235a13c6cac5631f289389314181", + "sha256": "f411eac70f276b97d882a93968ae23599a3a6a93aff1b8e32a7fdc4583003e2a", "type": "eql", - "version": 109 + "version": 110 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", @@ -10094,15 +5866,15 @@ }, "a577e524-c2ee-47bd-9c5b-e917d01d3276": { "rule_name": "CAP_SYS_ADMIN Assigned to Binary", - "sha256": "00f42d57112c89636c565a010538b148ea16560e48c7e77209ae4aea7966ac84", + "sha256": "5342f9618bbfefca7ac662036caa8aadf6fd6e0fd949255ea2b36ad1f4849c98", "type": "new_terms", - "version": 2 + "version": 3 }, "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { "rule_name": "Potential Reverse Shell via UDP", - "sha256": "dd7935aa4635611792001b36012fecabe2d6bbb0b7a8cc2f80a706b7bfcf659b", + "sha256": "963c0bb0d55c196143cd45ea2b308dfbb9cd5277f1918ecc371fb14a6dd743b9", "type": "eql", - "version": 8 + "version": 9 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "rule_name": "Potential SSH Brute Force Detected on Privileged Account", 
@@ -10112,15 +5884,15 @@ }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "9b292d485484c3753314bef6df52ec945933baa8293f6967b3f4a326ef8daa1d", + "sha256": "eb3790e4a7ba8906adfed13f99e823964d4d4dbf558c99156a5a0f1b9a7e0eb6", "type": "new_terms", - "version": 210 + "version": 211 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "rule_name": "Azure Active Directory PowerShell Sign-in", - "sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372", + "sha256": "0d86b960d20feba20d79ee25c9f9aa562c19dfb4879ae78e020459f782078538", "type": "query", - "version": 105 + "version": 106 }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "rule_name": "Threat Intel Windows Registry Indicator Match", 
@@ -10129,110 +5901,83 @@ "version": 8 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Suspicious MS Office Child Process", - "sha256": "5c80f53958876a026ffb64b1eeee262e9fc7df01ceba845b9e2d9690744fc22a", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Suspicious MS Office Child Process", - "sha256": "bb2821c8c28461a976dec059fb9da7427ebafa6082a3aa9095dc1b42eabb8054", - "type": "eql", - "version": 214 - } - }, "rule_name": "Suspicious MS Office Child Process", - "sha256": "a68523228ec0fc453c23646ced21d0b57a3417cebc9b74d4232992adf3b96a38", + "sha256": "98afb5623a1228581b9214ad947c048d563e6cbd3965600973b7479bb3f950da", "type": "eql", - "version": 315 + "version": 316 }, "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { "rule_name": "AWS S3 Bucket Server Access Logging Disabled", - "sha256": "b597402a792a29e82c02d56787dfb0088afb24fe4681fccf800ec8ff10a08a10", + "sha256": "bdd2715fb7a9c3f4d83571791536de28eec316ae4c33488698b360e17280ba48", "type": "eql", - "version": 2 + "version": 3 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "rule_name": "Emond Rules Creation or Modification", - "sha256": "3ca5c9a41990306c9c1425b02dec89fd7cf7f677abf7544f50a0a7f6d894e9f6", + "sha256": "47f9aac54e4fe7c1d6b99cf3d18d923f52c0347c88d2dc8480fc062b6d47291a", "type": "eql", - "version": 109 + "version": 110 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": { "rule_name": "High Mean of RDP Session Duration", - "sha256": "16d442bb0e68cceb100b590cd99c27126094ef873e1557bc0494c33f672351ba", + "sha256": "4a25312234d5821d645719593d2558a91df62ae0ae2efe3fa469dda24cdd036c", "type": "machine_learning", - "version": 5 + "version": 6 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious Print Spooler SPL File Created", - "sha256": "1a8db1f12af5f8f6acda01d02bf1f7858b64b591e8cc97e80b1f821fd01b136b", + "sha256": 
"7c8f84f11fd19709acf3708a7c09f18104021c4f47b4462f8478cb07aca0a4f3", "type": "eql", - "version": 114 + "version": 115 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "f94eed7bd541165126c32c94597db40548996aafff6604d4461961c9daa182ee", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "b114be44b544deba03a1417c2ce3c4a5e94689f375f28e7a41fefee718c6c001", - "type": "eql", - "version": 212 - } - }, "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "341a50ecd0f4ebb8543687abbf979227065c91bcd013a47d4f135107b26ecf89", + "sha256": "e6699654c24bf7afcb20023fc563e8e4db29601dae88d2b08ed439f69eed3501", "type": "eql", - "version": 313 + "version": 314 }, "a80d96cd-1164-41b3-9852-ef58724be496": { "rule_name": "Privileged Docker Container Creation", - "sha256": "04dfaf2e0ab843431c44a2508695e0793ee75aea13aa78ee94a7c26e31c27c5b", + "sha256": "6d169b8ef6174e48cc5b9da071aeae0d5e489fd8b0f2fe23f0e9151adc0d1658", "type": "new_terms", - "version": 3 + "version": 4 }, "a83b3dac-325a-11ef-b3e6-f661ea17fbce": { "rule_name": "Entra ID Device Code Auth with Broker Client", - "sha256": "3b36ca3385b038425d51a7e5ed4106e263b270fcfb2b2b3f080d747370eb1bc4", + "sha256": "cc6ac4f23ad5af4de24d86b48037a2ef4f613028008428e70af218986caedb40", "type": "query", - "version": 2 + "version": 3 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", - "sha256": "7af20755d35869e009f843fef6fb3ad74173f1f9d745b649a798002ecd3fb640", + "sha256": "718899b2492eb5e52f6cc280950ce01a86f8bfc177fb3b7f332cce40a3ee5c4b", "type": "query", - "version": 103 + "version": 104 }, "a8aaa49d-9834-462d-bf8f-b1255cebc004": { "rule_name": "Authentication via Unusual PAM Grantor", 
- "sha256": "7dc8a4e76f836a2dabc1f97682ff2a8788770c2df8b3c977a9a21e48600874bc", + "sha256": "1d8fa59ab20e897e9672635212c32527d3d62cb6be364f57eeda2274c9a00910", "type": "new_terms", - "version": 2 + "version": 3 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { "rule_name": "Suspicious File Downloaded from Google Drive", - "sha256": "af6c29f7ca5a3acf5c0a9b81b9be7a3d630222ef6aaa8bd14ae44a6d9682248f", + "sha256": "3bf43b40ca6bafbfc82a329b6065a48fe4eb89be606faca51b84684bede3c1ef", "type": "eql", - "version": 6 + "version": 7 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "rule_name": "High Variance in RDP Session Duration", - "sha256": "b10636c16f0df07435893373776847351520e760d2923c0ac25814bba42a51c1", + "sha256": "20b9c0fd40ad05703c36b023e243746d64594636d415191358b11378eab36a7a", "type": "machine_learning", - "version": 5 + "version": 6 + }, + "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": { + "min_stack_version": "8.18", + "rule_name": "Unusual Region Name for Okta Privileged Operations Detected", + "sha256": "736ad95b333f3779eb2c66cd26b572b02fdfba7dcb6171638617b604fc74491a", + "type": "machine_learning", + "version": 2 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", 
@@ -10242,81 +5987,58 @@ }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "6388eaea93dbea69b2def246d3830353851466710a017a1b197cf97d811e445d", + "sha256": "ead058de5d6144ce2c3b3954a52a05bfda970aa418f8b0ba2bd6b5702e64b75b", "type": "query", - "version": 207 + "version": 208 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "rule_name": "Google Workspace Password Policy Modified", - "sha256": "bfd3c37297fa730a13e90c0a7714caceda0b1c853fb40bf1f0137aa00f77bbe0", + "sha256": "5b197de69deb341b9cebdaf82f31401455d8e964d74ebf70dba9f539fbc6222e", "type": "query", - "version": 206 + "version": 207 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "521b0deac4fa27230216cb8daf48bee86c9bbef64c5b0dc90d5dbd5acbb31f0e", - "type": "eql", - "version": 110 - } - }, "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "3408526e0c0dac93e7765ada0f10c56843aec79f4e3c80ff93f5afb3ec32e96a", + "sha256": "48e3d9c417c9d98a1f70c6ec7abd0d6755a395a847ee9cdbcb12792a6c44c455", "type": "eql", - "version": 210 + "version": 211 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "c5e9563513ceff85a4cd305b620e50b46d0abdcd6b749995b72d1dfe43f137f2", + "sha256": "98ec6927598c3b7c5900d8a4709bc8a5939a5c33841e424075c14cb153ac04b2", "type": "query", - "version": 106 + "version": 107 + }, + "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": { + "min_stack_version": "8.18", + "rule_name": "Spike in Group Lifecycle Change Events", + "sha256": "44175b891138ca8c93582e811d23a3431a0599a39bbe1485d6a3ef33b9754912", + "type": "machine_learning", + "version": 2 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", - "sha256": "05234b27bd38c05a4148c880399948bb9f659dc2409c560ff2c17735d399fdaf", + "sha256": 
"452ab49b0f9dc2f3c1c19c0aeee12037d79e8f643b65f9aec8dedf91a2018957", "type": "query", - "version": 105 + "version": 106 }, "aa895aea-b69c-4411-b110-8d7599634b30": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "System Log File Deletion", - "sha256": "9e7b2926bab16d0e65d0b84a1ec35d2ebfe3b10e1f219c4a9f7a8d87a9e5a132", - "type": "eql", - "version": 113 - } - }, "rule_name": "System Log File Deletion", - "sha256": "af1173cc43f540a885c1fe5ff3ca083ca2e96ae5d484216e8cafe707ef9ef2b3", + "sha256": "d8b636f7ed97611b6d3aafa4b492420a4a97a26e63b35dc090da06b20b9d780f", "type": "eql", - "version": 214 + "version": 215 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Remotely Started Services via RPC", - "sha256": "c5ae21879f28fadb1daca353f3c354f8f96a89ebe15eb191af73bbe85a2e1b0f", - "type": "eql", - "version": 114 - } - }, "rule_name": "Remotely Started Services via RPC", - "sha256": "470c7c8413962fc0f844e61a7bf6314d1a2eb8517d76b793b627d1ab6c0ee1cc", + "sha256": "696bd89a899752e09aea72e0e14f9c835d8328afa033359e2ddaf992bc0fa819", "type": "eql", - "version": 214 + "version": 215 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { "rule_name": "Veeam Backup Library Loaded by Unusual Process", - "sha256": "b09c6bdf53c574bd6a13c29289040f6d39647434595c2ef5e908596c2f87e744", + "sha256": "8630662b8abaacdce8369bd10d8e4bc743a7b88b899a50021f083928f5d7c9c6", "type": "eql", - "version": 3 + "version": 4 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "rule_name": "Threat Intel Hash Indicator Match", 
@@ -10325,216 +6047,106 @@ "version": 9 }, "aabdad51-51fb-4a66-9d82-3873e42accb8": { - "min_stack_version": "8.13", "rule_name": "GRUB Configuration Generation through Built-in Utilities", - "sha256": "6c9d7d72e70ba8fa7028586f7dd96f22a714aea37e9b6a748c48f4c2b84cf5bd", + "sha256": "26901e4f806ec7b2bf0dc36bb13dfa4ebd8fedbeae5bf554ce2f0f3953848f90", "type": "eql", - "version": 2 + "version": 3 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", - "sha256": "78d447b3cd6a49ab7ac62b483ff04bd68e29310b28aacad89af526962847b961", + "sha256": "7b7360a11e47e0c93649167201cbcf8ee633e2ec65595d1645bddfe19ca7089b", "type": "eql", - "version": 117 + "version": 118 }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { - "min_stack_version": "8.13", "rule_name": "AWS S3 Object Encryption Using External KMS Key", - "sha256": "c58bc9bcee72af710a07f880ed3df3eceef229e97454f6ad449273d078b06c4b", + "sha256": "1c4116077882a8c3b1782c85376e117a8225402265a79c2226beb656e12fdb82", "type": "esql", - "version": 3 + "version": 4 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "83e5654634806cf836873526072beb4a411dbe215b4be002f799dc0eb0866d82", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "62b3cce8bb0d092c2759ebc4697ef92d744a740ec8e418ac7370a52052d0d04a", + "sha256": "3e62b3114e4ed0b8d120080d5e8a06c01ed63d8466a052cf5de197d1c23f8c61", "type": "machine_learning", - "version": 207 + "version": 208 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", - "sha256": "5b1015d4458273b2f101dd22674b7cc73970fd91015c91ed9c22fc5049ca1729", + "sha256": "adf332174ec90b1eec51f30548d1d34f0377950076a8b71ae44cac181a19cc98", "type": "query", - "version": 109 + "version": 110 }, 
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Suspicious WerFault Child Process", - "sha256": "5a3182ca2012152d9bd5c912111d82b1f3214a893d6da8417d00cde83cc42f7b", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 414, - "rule_name": "Suspicious WerFault Child Process", - "sha256": "9e5fa90d4dcc2b7ba457b5d5c1701304fd158e99a68fb7fddee7dee79f9b55f3", - "type": "eql", - "version": 316 - } - }, "rule_name": "Suspicious WerFault Child Process", - "sha256": "2093382d45530ceba2ddf764b031af27fef9087e0b6f90f1e6cb535a04e5798b", + "sha256": "d368d419406c6ac4bdc9cf1c532503e1f0aed475b1efee62a2b12393f7a6245c", "type": "eql", - "version": 416 + "version": 417 }, "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Git Hook Created or Modified", - "sha256": "ec16be4f5fe86ad7212a2520875b8f40ee71728666d7085220d272f1e3929d89", - "type": "eql", - "version": 4 - } - }, "rule_name": "Git Hook Created or Modified", - "sha256": "0c1a8c2bb10aaf8e8c9dc4c3c70b9fcafe1230ffe0687aa31e5909bf176ee7e9", + "sha256": "8e8a19e38db671bcb280f6c70712f9a5237c1eba53d7085fb399ccc32e228119", "type": "eql", - "version": 104 + "version": 105 }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Outlook Home Page Registry Modification", - "sha256": "9e311415c8086b3934da0eeaa5ccac777e192f9c2c9953b705e3368c14fad664", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Outlook Home Page Registry Modification", - "sha256": "981f0b0dbe49943a8536ee475f57749dedc4e10f1c32351e9ee5c122813eed48", - "type": "eql", - "version": 102 - } - }, "rule_name": "Outlook Home Page Registry Modification", - "sha256": 
"cf576e47d585c50b59b5886c7f0802f74deb1e56177dc7478d66d1e3a7379fa6", + "sha256": "ac08c62437040d4218a78492551eb6c2748c770126e952f48c9a5e634a83d3d7", "type": "eql", - "version": 202 + "version": 203 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "WPS Office Exploitation via DLL Hijack", - "sha256": "f0b9a400aad8092fd6bd78cf6124173e5d87d3a8d40fb37af54e7611a60734de", - "type": "eql", - "version": 2 - } - }, "rule_name": "WPS Office Exploitation via DLL Hijack", - "sha256": "6d20396d3b2ba5db4a1fd80aca9c645d4b789dcb0d39161b5dfe9b1d4f1f216b", + "sha256": "3f6e5a78fadd550b76988f7ca250123d25b55da4b9824d7eecabfa64097fb7ed", "type": "eql", - "version": 102 + "version": 103 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", - "sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee", + "sha256": "21b8974dd8b5814fcf9b96a9a0d24e1f5225418f815f4b79a50304d608962cd5", "type": "machine_learning", - "version": 209 + "version": 210 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "rule_name": "Potential Protocol Tunneling via Chisel Server", - "sha256": "989c58058784588cd22c236d0cc58394fe67e6f8df10a6f446381d5f6301083e", + "sha256": "e913a80ca34bb872d7290228e6861c9434d96bc425cb4722139a9ba9f86a1e72", "type": "eql", - "version": 8 + "version": 9 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "73aa4e201e1220c47c689009c0c24f4ef6a0dcdab57655d7f25c5525472d28b4", - "type": "query", - "version": 111 - } - }, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "e75ecddee03f0ecd4c9052ef2974471d669da03a7d25fd6c4c46ad39537304b6", + "sha256": "577f4aba498cb31d69f14ada4653012ca10809256e20685c96d092dba3930b39", "type": "query", - "version": 211 + "version": 212 }, 
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", - "sha256": "1afdb4a51d22e7bbfd7e65b403f94fe84c4d5a15c4e64cf97eba18131439801e", + "sha256": "2dd59381ecd634b40a37425279dae41c1f783d4c3302698d52bb8ca5c531689a", "type": "query", - "version": 207 + "version": 208 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "c893c9924f303a60bf8cafdffaf2cd627c6fdaae221bd7469fe25ef355839d32", + "sha256": "c3daa30914d8cf8b5b9947379541272b88d1975fa5d675ebf3e560aca7a2dea5", "type": "eql", - "version": 107 + "version": 108 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential macOS SSH Brute Force Detected", - "sha256": "0634c4cc8994181d8d803e1f8a015b27a0287326c7bbe72e41f6caabaec65771", + "sha256": "a2a3aa41f4af6ec4f1dcbff4d74dced9549d75c40687e4c11f47750125e7ac2e", "type": "threshold", - "version": 109 + "version": 110 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "71cf5c81124dd45113bcb530642c295387bd2b68ee1236cb2a3e8e2f0f0aca2a", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "86ac334bd5ab8b6d729a0fd45b6134932f7b204b865b83dd786664d0984c3da3", - "type": "eql", - "version": 209 - } - }, "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "88a18ab3c5f799879b46bf994ced31f7d53b1188b29318f70d67e7f1fe7bc832", + "sha256": "a0a231ca4e9cf82b137b5d6631813285eaa3e9f561d5e8a3e75ec6cdf6ff8901", "type": "eql", - "version": 310 + "version": 311 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": 
"ce99c263910efa69241137ea09accded8b37ab436213bd6a80d3c8736c01d957", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "d7fd7b183cdcd959de4cad44e21af6a406556b7a2d7848338dff1bda0a4e4947", - "type": "eql", - "version": 210 - } - }, "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "877b82511a776fabb258c7294666c134b9fe2720c4b3adb773f6332473caf911", + "sha256": "474904225145565b09a257907f01d0a72d0617cc87159d20de17a2f382920e48", "type": "eql", - "version": 311 + "version": 312 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", 
@@ -10544,237 +6156,137 @@ }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "6bf9bd74edf549ebf03a9335f3167e0a4f85aaeebdec0d566acfdbc16dd047c0", + "sha256": "e95939015fd8d8a80a3ce5fd7035326f3149d0c77c12c64b20d6e683f271499f", "type": "query", - "version": 206 + "version": 207 }, "ad5a3757-c872-4719-8c72-12d3f08db655": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Openssl Client or Server Activity", - "sha256": "8eb908bf23fa02ea31de0dcd624ff3541d1bc60c2389d04820670c32bd4b7244", - "type": "eql", - "version": 3 - } - }, "rule_name": "Openssl Client or Server Activity", - "sha256": "075631e1ef46d21f816f96cd248fbd08db4840dda4f701989973b31ee3dc8dcb", + "sha256": "dd49b62956f5fa4291d55bc8f22d9b9a3ab99cde4f57a533fbe0f0d42f8f3ac3", "type": "eql", - "version": 104 + "version": 105 }, "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": { "rule_name": "Decline in host-based traffic", - "sha256": "0615c9d044eb7a81ca8254362ba850c6e3f29202d1fabfe3bc811b8b9149a05f", + "sha256": "7490f14bef592f25bd7016b90cb944a28f27fd6ae5ef596b169badbcb0f62ad3", "type": "machine_learning", - "version": 1 + "version": 2 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "e36bc47e8ad58d550eb0511c38b7e7ebe9f68e088ec6215f78f7a2780d0f4e24", - "type": "query", - "version": 113 - } - }, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "014ab6a9d47a402634c60580acfcdbc73e02eda99e30868cdb84bd27f75bfe59", + "sha256": "24969b426e95f76e5db568517afdce0c70ff24322916769ce3556ef5c88d8d14", "type": "query", - "version": 213 + "version": 214 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": 
"fdb9bfb1476b606fed9fb9f5d813bd2649bbfeb1e82522dbab72f7f63e379c10", + "sha256": "81cde5714e33354419a3b62b69049ede680af9b05734d4fdb139b2f06175c4aa", "type": "query", - "version": 107 + "version": 108 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Suspicious APT Package Manager Execution", - "sha256": "a1f733e8c14c8a8ddb91a5c919f8598d6578b992ab231ea6130ddff737d80b25", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious APT Package Manager Execution", - "sha256": "290226c3c245c0651561503b7e5851aa8176ccbb1907d504d82489d72d110b36", + "sha256": "8499bab73940c1cc366630196ef1ee13f93c5beb8a2372bdbcfa2ac0c5c4a775", "type": "eql", - "version": 106 + "version": 107 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "883178d57a5f0e0cf1ea5d9e4c778051a895d0e41a27aea175cfeec0058c9573", - "type": "eql", - "version": 111 - } - }, "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "c88c77cee5c1ccbc6718afa7c168a3a9e42405d8647f11cde44e6f0355fd5399", + "sha256": "f2a97c5c24c622d6e26a7cb125197d863c5757652943400d20364ccc8f41fc25", "type": "eql", - "version": 212 + "version": 213 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", - "sha256": "36e34a2abf002a55bb25f1d7c6333a2b2ab927c5e1e735f1ee9b1ab5e41b29aa", + "sha256": "29b48453166b55dc914de5c4bbcd5c70e1c09c568c74a52fab474f76c9bd5b90", "type": "eql", - "version": 7 + "version": 8 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Suspicious File Creation via Kworker", - "sha256": "cc84e69331853cce8fdc6642b517c1976575b91f66f2e049315267bc2bc1c035", - "type": "eql", - "version": 6 - } - 
}, "rule_name": "Suspicious File Creation via Kworker", - "sha256": "946a500a38cf03cc2200ba5c9f94b883db01f72d046965428ba893157a5c0fb1", + "sha256": "16a5653ff8d7067c50a5c377f3d2fe23bf416e714a27a2a1e6b601255f3b282d", "type": "eql", - "version": 107 + "version": 108 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "e98a3d6c4df8d691ad52d2e09453788cdd9059b5d1d1417f8c27adb82ad82604", - "type": "eql", - "version": 6 - }, - "8.13": { - "max_allowable_version": 204, - "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "6f87d083a88525ef7eb03a6d4dde91d57fecb67021008268bbe38eddcb8de46b", - "type": "eql", - "version": 106 - } - }, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "6457c55cd14c40cf20aaa69545261b5acc6f52e94266a412cc7eae717c18f7d6", + "sha256": "2c643176109471b5cd32730f599e63976acfd0f8c4bf1de203d431b8f3340447", "type": "eql", - "version": 206 + "version": 207 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "rule_name": "Shared Object Created or Changed by Previously Unknown Process", - "sha256": "baa6bc2ea280de9151fdfe8e52180a5e692bd39318a6d37a5177670803b9600f", + "sha256": "9408cd6ac38dc0da463229572dbde69da9eaf01d92029b3074de5a34ccbb3583", "type": "new_terms", - "version": 10 + "version": 11 }, "af22d970-7106-45b4-b5e3-460d15333727": { "rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol", - "sha256": "46f3600dac141091ef1e675e1b7fd1c5eb2710d472899b827c7cdb282a16771b", + "sha256": "360664ed03398cf4f0daedfe93b7da70afd925a5aae60ac70cbd46467d44f743", "type": "new_terms", - "version": 3 + "version": 4 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "rule_name": "Unusual User Privilege Enumeration via id", - "sha256": "dd77a39284b7f0fa3cdc5ce8819ff01ed6f11bec568d524431c32708f700d5a5", + "sha256": 
"3f4adcdf4447da22c211f94b5deda293013b59a4c2bb583e4598610135398bb6", "type": "eql", - "version": 6 + "version": 7 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Local Scheduled Task Creation", - "sha256": "153a680562c2db766ddc13960ff0b1b1d40590dbbf944177fdb07680c4695cbe", - "type": "eql", - "version": 109 - } - }, "rule_name": "Local Scheduled Task Creation", - "sha256": "1865a666788e5f1135f4e2809b5054429a200bcdac8bff00717593f7f3331386", + "sha256": "031d053394e3549af466993aced4f7b21df4bce7ad0cbaab72f9b866d01c7c0d", "type": "eql", - "version": 210 + "version": 211 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "rule_name": "Network Activity Detected via cat", - "sha256": "945c79177caedcb32dc2e02903d14ac7208bc61607529c0123e9e3e044a4d555", + "sha256": "ed800dc02d52bbff8862e8f6661cfe854ae1c6bdd8febf22e433d797eb171600", "type": "eql", - "version": 8 + "version": 9 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "rule_name": "Potential Privilege Escalation via Container Misconfiguration", - "sha256": "fae9c44d21f8e3be93ff74c05bb6b9d9484396579b5e29cb81402bd3ee84fa2d", + "sha256": "986b08079a199c4b66c2d0a231421099e2e7812d42434397b2f548b75242b3d9", "type": "eql", - "version": 7 + "version": 8 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "rule_name": "Timestomping using Touch Command", - "sha256": "f446d6a851c5fb5c1d8c57353f72923d40776727f9f1464155a7eb802e6a9d92", + "sha256": "9caae5c032cdb7cf608633e1541b4df7fe459a5aa52afa0d3afc1168e2d7e214", "type": "eql", - "version": 107 + "version": 108 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "c76e638ceb65578acea1d18f1415cffa579dd2b5922507665d774472de710a4f", + "sha256": "00e0d64bdcf221fbee1bbeeb0668d4d350446038e2bf5a069ca3c39fb28c3e8d", "type": "query", - "version": 107 + "version": 108 }, "b0450411-46e5-46d2-9b35-8b5dd9ba763e": { - "min_stack_version": "8.13", 
"rule_name": "Potential Denial of Azure OpenAI ML Service", - "sha256": "e06e9851654f73dc96d981f25bb9fe7241126b9b028623c499bea1026e7e7bff", + "sha256": "c9d2dd4d5025502e98992e141e6b0d49267b5dcd50dbe6052eab9fd6a7040b56", "type": "esql", - "version": 1 + "version": 2 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Netsh Helper DLL", - "sha256": "ae6521e56ff6823f52f0061b21556a43efe712f7fd43485bcc1e437849bb0c4d", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "Netsh Helper DLL", - "sha256": "f6a3950e6a53ae6b222eafb2db8745cb0c160be006a075c08b5fd6a0a7f9a7aa", - "type": "eql", - "version": 103 - } - }, "rule_name": "Netsh Helper DLL", - "sha256": "8b1858525694ec6e7adb1eb4300cdd4ad1e6e4721418a4c30ff5567d37ed66f4", + "sha256": "8b119576ed42967ddb45ba97d9c85db4effa2c1df4096e2fda8992083710baf2", "type": "eql", - "version": 203 + "version": 204 + }, + "b07f0fba-0a78-11f0-8311-b66272739ecb": { + "rule_name": "Unusual Network Connection to Suspicious Web Service", + "sha256": "b9be49d1d5dd892e86dec535d35199f881a7aaff5e435d8ac04df0d424b761c4", + "type": "new_terms", + "version": 2 }, "b15a15f2-becf-475d-aa69-45c9e0ff1c49": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Hidden Directory Creation via Unusual Parent", - "sha256": "6108a4f29f29a7a3de508648ab5fc9681b4307662435aa380267f50682002e00", - "type": "eql", - "version": 2 - } - }, "rule_name": "Hidden Directory Creation via Unusual Parent", - "sha256": "cf1573124222ea0894d4b604d5b227b43a2853f0b399f63d080624ef5a1144c8", + "sha256": "a249fc24c5e7f6003962c14a5fb28a06904d00414a1e94fd415717a50819f666", "type": "eql", - "version": 103 + "version": 104 }, "b1773d05-f349-45fb-9850-287b8f92f02d": { - "min_stack_version": "8.13", "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", 
"sha256": "0ec57bc339f3fce1eca49752d9517e31d376889501714169d4c2e86fc43c6d2e", "type": "esql", 
@@ -10787,321 +6299,162 @@ "version": 100 }, "b2318c71-5959-469a-a3ce-3a0768e63b9c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Potential Network Share Discovery", - "sha256": "e984a3d3d48ac2c527b8cc9639ad36794477d63017e31f65023ddef04404f01d", - "type": "eql", - "version": 7 - } - }, "rule_name": "Potential Network Share Discovery", - "sha256": "a59215d5f80a3d3ca3e4611cfe0f4266d000c7ac58879ddd30ba94193e0ba79a", + "sha256": "9dc0dd963c4e6d73597e7c8a9e9349fa33574404f483a5c5cb48bc84c830e191", "type": "eql", - "version": 107 + "version": 108 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", - "sha256": "b3411c6b99d0c79d2fe1c0df6b34fe5c2a9866107f061e8bc8b9c5ae08a66c80", + "sha256": "d7e69c5f4ef0d10b65e8cdb0955b73c4c63040fe109d92cce86776d96d07f4f1", "type": "machine_learning", - "version": 105 + "version": 106 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Remote File Copy via TeamViewer", - "sha256": "0d0bd0de1c42b394ca6d718a32761db9128689309c818676ea02bd44009e6f48", - "type": "eql", - "version": 113 - } - }, "rule_name": "Remote File Copy via TeamViewer", - "sha256": "c8f3a33a1eda62ed530a6fc161bba9b0b5971ab42727c08f73a793be0b2199f8", + "sha256": "d53618c6bcdaf4d8d4fb8d5251c10d56f078ad221b8f6831259904bd19c5ed4b", "type": "eql", - "version": 213 + "version": 214 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "723230c66b898eb377542e469559e3654604ede32b8721af457c83afa144c4da", + "sha256": "5c7237d1505535b209cd71fd5c9ab551124f150a749c55ce95a69f1ec8af0794", "type": "query", - "version": 207 + "version": 208 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Network Connection via Compiled HTML File", - 
"sha256": "8eed8d54357b27cc75f72fb6d8bfbf8329b2bd2a0c09b43187d7132a3a6e195c", - "type": "eql", - "version": 109 - } - }, "rule_name": "Network Connection via Compiled HTML File", - "sha256": "7399a81fb47d057bd4c83b8a488b4fe9e614fe9fbca03daa78018eac37dcc058", + "sha256": "78e8c3f1ee31af1bdb839b3e67e099350e1dd8e33031ab4aad7271abc0a60cf9", "type": "eql", - "version": 209 + "version": 210 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", - "sha256": "2eb4c2399504f67ff666102ceed72f7d457d96362545c820950c951e0fa3c5db", + "sha256": "7fc4733fad7e75e105f9f2b54271489fc4fb147d1c58f76f7d977592b98e1dac", "type": "machine_learning", - "version": 105 + "version": 106 }, "b36c99af-b944-4509-a523-7e0fad275be1": { "rule_name": "AWS RDS Snapshot Deleted", - "sha256": "b66f1e7d1ec9f7028453eabcbf79b0a385bcd2f7f051b6c42fc560f604bf3ebb", + "sha256": "18ee6b6986644ed0c2d38fef7ac4983ae92ed3132d7dd3415b25177be103035e", "type": "eql", - "version": 3 + "version": 4 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "bb3314617957ebc4e0040f77083a7b5191ad7d4aac12c6f8e24d76b9157acc0d", - "type": "eql", - "version": 116 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "b5f67f0db406d5c2ba14017d2992671bb8f8d5baecbff16bb3dc5c7a9f5349fc", - "type": "eql", - "version": 215 - } - }, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "7619c7c7851d86a7c00dd33358f2a195e219abc5a71877a14e1d058f089679dd", + "sha256": "81603073dbeb45f77db9d041056c24002d4c9f9373b6be6f5560b1746d676a9c", "type": "eql", - "version": 315 + "version": 316 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "Code Signing Policy Modification Through 
Built-in tools", - "sha256": "827b2e6312c74d28a9c2c605507eb0ece093b284e60e26bfc9107c6733929d1b", - "type": "eql", - "version": 11 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "880efdb0e8afa50b33a2244e2d322195958eb94a5cf7d3350bc81687308d4ed0", - "type": "eql", - "version": 111 - } - }, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "8747c38dc0c5c1f095c574509b9f5f8f8559565e457678aa2382014c1f360627", + "sha256": "3458d09302edde504e2799053577f863c8e59b513fd99d9aa917a1b90c4b43bd", "type": "eql", - "version": 212 + "version": 213 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "bdd06953c595a6c37482e67037eb72fb0d5301b42a5f4343e549c01b8c7cbb52", + "sha256": "57c17da4329eb6e9affcb5405ae01363a9b5eb3482c2a5b2ae3ccf437fe2db54", "type": "query", - "version": 107 + "version": 108 }, "b45ab1d2-712f-4f01-a751-df3826969807": { "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "2f8c1a57650a8885345541c39bf72fc1fb21b8a10ac375920f107bc8110e7c76", + "sha256": "365031b7d60b30567562557a83d556297b8293ce10da07fa098efb64a16bce4d", "type": "query", - "version": 207 + "version": 208 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "At.exe Command Lateral Movement", - "sha256": "a1aa72dc7cf218498b4bd3cb3adceb831db178df81c7bcd254159323dda53cc1", - "type": "eql", - "version": 6 - } - }, "rule_name": "At.exe Command Lateral Movement", - "sha256": "7bdc29998a4df28f2c5f145fb8616a73d22bd40857000f5ff345f304a82ece97", + "sha256": "08c85058be95c0ba76de40562a37ef695cdd7a93003dce433a4b81a3fdd423ff", "type": "eql", - "version": 106 + "version": 107 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, 
"rule_name": "Attempt to Delete an Okta Policy", "sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "7e95af47b812b851ff7c0d56818e3f8c2aa918a77fc10b771a33f6b34d47291d", + "sha256": "d2a7d308c3e84bc4e2f19da76eec9112a60fa32402909778b5086ef66a79130b", "type": "query", - "version": 411 + "version": 412 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", - "sha256": "d954b504b99dc10781bdb03b7b51829bd53063c410c19a509612b52841275d54", + "sha256": "cb73e5540f01764d015f668b42ec2cc86a1d2e9d75463e2ef684c07645f2af3e", "type": "eql", - "version": 7 + "version": 8 }, "b5877334-677f-4fb9-86d5-a9721274223b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Clearing Windows Console History", - "sha256": "d42b2a9e2f10c1fcdb5ef9f4e61976c421ed73777e0d9e8ce2cf19cd049ea169", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Clearing Windows Console History", - "sha256": "d749f074e83e0054eee1daa97f50831d810c8082d16bb985c7e98ff4618ec2c7", - "type": "eql", - "version": 213 - } - }, "rule_name": "Clearing Windows Console History", - "sha256": "2c520e669cc319fbcea530b0ae4bbdb5e0957465b447349c216ff5b15b51309c", + "sha256": "7853f306c666ad514f4db27b2a00b3c20cc4422847edd8804face70f6b1d776e", "type": "eql", - "version": 314 + "version": 315 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": 
"efddb07094d4112b3fe52e056949b21c437249bb7173dcd0184fef80a1591834", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "3712d140a6e40ecb5f5069fda566444132ed4b17f3d0102195b93ebae8b4175e", - "type": "eql", - "version": 213 - } - }, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "05e2efb7276a733c2adf3681d0ffd4d02f6b6f275d68f93d23b7bab0f37be852", + "sha256": "08993051c086d51ffc23695e7e35bef8eb1b6961b7f85725a896496576260d31", "type": "eql", - "version": 314 + "version": 315 }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { "rule_name": "Systemd Service Started by Unusual Parent Process", - "sha256": "632c8e11b721e5ec61820d811a8007bab97cc61f20dcaac08301345e24d0651e", + "sha256": "72b8f916648cd3baec90e50058c660c235bc7b95a6981eb955da1ef79576f081", "type": "new_terms", - "version": 4 + "version": 5 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "rule_name": "Elastic Agent Service Terminated", - "sha256": "fff06615434083388a264c460161ae05556bb720792b5e921a635a843dfd4739", + "sha256": "9744416a03faf34857e6b438b55a96e8304c367948409b39ef51e77426b22f4f", "type": "eql", - "version": 108 + "version": 109 }, "b64b183e-1a76-422d-9179-7b389513e74d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "60fa1c1f92316dff5dbafafb8828c4493eb084e0a892fef14665afb65d337269", - "type": "eql", - "version": 111 - } - }, "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "972276704cff979323a1023ba183a94c4a7811ffb359898829ab87df4c85a032", + "sha256": "14c07dfa8c30b66fa51de6958006e13e6bedf1d82e303c693c81672f4ec3b2f5", "type": "eql", - "version": 211 + "version": 212 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - 
"rule_name": "Potential Veeam Credential Access Command", - "sha256": "4e3ae75a438564e128dbbe0d7dfbb9db97cbd49cea4ca9c060dffec9d64e974b", - "type": "eql", - "version": 4 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "Potential Veeam Credential Access Command", - "sha256": "7fc925d9354790c0cb64f217ce0c978632281ba46ab5e671f3f3d092d609f03c", - "type": "eql", - "version": 104 - } - }, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "185217c47b57dc0e942f3d4acda3ec10d274848c91c1261ea8eadf3faec9e687", + "sha256": "847fdeed10f05c62642db8d85502ae1bbc9cc6d31c3d4e8d87288e299cfd84b0", "type": "eql", - "version": 205 + "version": 206 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "84cb2fa184205ec6c7b5ebef44c3cf43d7a24ecba9aec4c0f148e7a5973fe61e", - "type": "eql", - "version": 3 - } - }, "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "ea54cd3fdb16046632a7a7a59ce1c225ff10aa9102c2044d0a293ea1b71c04d0", + "sha256": "95ef8c46a06584212e273b4acb8e25ae7838de0a57ef92d03eaa74eceaaecbde", "type": "eql", - "version": 103 + "version": 104 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", - "sha256": "cd16ad7a073247fc161d8c2ca330792ee681647ebcd1f37bb77fdc876df61cda", + "sha256": "f385be98338c328152d5d63514e6bf683ba6b715e9abd050c8dddd345728454e", "type": "query", - "version": 104 + "version": 105 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": 
"Attempt to Deactivate an Okta Policy", - "sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "08c9c6276d365fc690a88084ebcbae48a7842785385a954b0ed862a4b2a174dc", + "sha256": "248e61ef773fdf2e6a26ec1952ac354a0992ed91f4ff760554ff08ba104dfc65", "type": "query", - "version": 411 + "version": 412 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", 
@@ -11112,154 +6465,66 @@ "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 307, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5", - "type": "query", - "version": 310 } }, "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "e169dafee56e838f29e144fabeded937b7f9b89958e3b1bd0ecaf6001a8cab9f", + "sha256": "370f610832cd7a206b47fe7803bc40e23b9df347708fd13e003d751e0aae82ae", "type": "query", - "version": 410 + "version": 411 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", - "sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61", + "sha256": "5a00ad94a423c34375feac92d8a797b65e9fec09e9645f3563f6574ff51b0e5e", "type": "eql", - "version": 3 + "version": 4 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "PowerShell Invoke-NinjaCopy script", - "sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21", - "type": "query", - "version": 8 - } - }, "rule_name": "PowerShell Invoke-NinjaCopy script", - "sha256": "654522097bfb8fcc73d4d0e47d8cd853307040171bb5ba29d706f26e17879552", + "sha256": "2bb044fc86f61541f4ba022f3eebe2271afe29d9c1d8519e3654b1bd730239f0", "type": "query", - "version": 108 + "version": 109 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": 
"07495ad3087d7d941d4ac6b44ccb6b4afffd0b7a10b6cd91e41dc91e2c8bf5df", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 410, - "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "dbe3ce72ae96d9a388571dbaee69e57b2e0783bfb28d89c12682e731babdc79f", - "type": "eql", - "version": 312 - } - }, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "f6b6199880ad069f381932ed419cc9eb6a89a0bdd3a8643c23bdf0f8ec1375b6", + "sha256": "a562dec8b60f1f740ea96b3d145fac4953c1cb26319750c3c582161935081d4f", "type": "eql", - "version": 413 + "version": 414 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "Network Connection via MsXsl", - "sha256": "6fa622d8cf25c559993ee681c4c59fe4875676f7a1e75fae7f9837ae73c39837", - "type": "eql", - "version": 107 - } - }, "rule_name": "Network Connection via MsXsl", - "sha256": "1d3c54055176ee07cd35f819d276249cbef1c3a9d0f0f4e1baa830336b20aaf7", + "sha256": "40ea5f7db27e4b8a6c2e992399ecdc3093f71c17aa81d7fd9611d7c09b292c29", "type": "eql", - "version": 207 + "version": 208 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Kirbi File Creation", - "sha256": "c10cf18764bba367c5dc4f521024dc94ef68710285c6f90a067c4237780913a5", - "type": "eql", - "version": 8 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Kirbi File Creation", - "sha256": "e4040481f58c3fe815861e36ac5ce0ae5800f0c677fbfe8fb4f3b92a3ed843e3", - "type": "eql", - "version": 211 - } - }, "rule_name": "Kirbi File Creation", - "sha256": "4657563a7e924aa8d3e22e93a3d7b63359d96a5f3fca0bcc8b2acf48620e8517", + "sha256": "37b0326fa10041ad96b39e1371a5e03b141e40ef574999963845c65a04da4aef", "type": "eql", - "version": 312 + "version": 313 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { - 
"min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "58aa89bc163a9683f9b49afe3a23214fc5db86e93510a6cec8b716e16e93cbe1", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "cbcbee9fed32c048febce9bb94050b601d2a11f48b70199fced4a32261b24be1", - "type": "eql", - "version": 210 - } - }, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "5279287a7c569096f588da6a81739ad2b52940bb1fde4b4cdfc5e18d4c91a8f7", + "sha256": "8d61695be244bcd61491ff9ee3b9e87e7c6b56f368a933a429812ab08d733df6", "type": "eql", - "version": 310 + "version": 311 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Chkconfig Service Add", - "sha256": "86f0056ad335bea28f944aa15d086beedcd4cf45c699a155c5d200a3c5f35630", - "type": "eql", - "version": 114 - } - }, "rule_name": "Chkconfig Service Add", - "sha256": "8be542194e5f7b449a76977f17589bb7036a11db9dd64f5714117a25453d652a", + "sha256": "bceaadad35276ffb04d6bd8812cb004d849e83c1c14fb4f4dd910afee2ceb030", "type": "eql", - "version": 215 + "version": 216 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "rule_name": "Discovery of Domain Groups", - "sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677", + "sha256": "aef435eb45ab94bbedc0548295f1f51ce5a044d334416fcdcf0a64ab51890383", "type": "eql", - "version": 2 + "version": 3 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", 
@@ -11268,81 +6533,34 @@ "version": 5 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "afa94a71cd99d31b1c816a7710f3e00e86c7854df6db0f251d9194ed981a82b7", - "type": "eql", - "version": 112 - } - }, "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "0dbd728ccdee18242ce73777503e932ab66219ba7271621060c5b98633ac1107", + "sha256": "57c0fc045b8567bcb1f71c1225bd793bf02be62ce96118b07d957b4e49b4bb3d", "type": "eql", - "version": 212 + "version": 213 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "f57cf744c08b2c30cfaf68b8eab90b66771b4e188cc2fc6eb0f59f7e9a12ff6d", + "sha256": "cec6730a302f70f809a0b6fa80aaf9ea94e04937cd6a26c74ea2ecaf0e7ea53e", "type": "eql", - "version": 113 + "version": 114 }, "b9960fef-82c6-4816-befa-44745030e917": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "30d3fcfb86a4c9e23c5563059dc2df4b75f106ceedf2a7f57f7731cb984430bc", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "021d6661e231a18c2c0c62fe88c1b3a16cf3dfa20e449e7d6c704c50f70616ce", - "type": "eql", - "version": 212 - } - }, "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "8448fdad37a26284d2c146a1c6f84be4345849b97567a3c0faf586e92b59aada", + "sha256": "24e0aba1907d3b154ae698cc53763c266e7e3d2379de61741452251f6607ba5a", "type": "eql", - "version": 312 + "version": 313 }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "File Creation by Cups or Foomatic-rip Child", - "sha256": 
"19b3cd102fa17756195c9b9ed7ab06bb5a730f2d79302f0afa39106c89e7525e", - "type": "eql", - "version": 2 - } - }, "rule_name": "File Creation by Cups or Foomatic-rip Child", - "sha256": "9e1dc7c6029f13f97226975ccefeaa350760e8b64f53830c0dc035cc458248e9", + "sha256": "3447097791a88bbf09a394b52a1dccc20d0702600c9926d76c0f3833f6b4474b", "type": "eql", - "version": 103 + "version": 104 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Network Activity", - "sha256": "cd715d2616e427081beaa901230dba625ab6c14e52d0571ae643a92f04c77435", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows Network Activity", - "sha256": "006889f0bed32a73ed4d97e42325e7b69cd13e35ed45d30f6b58a091b6f54973", + "sha256": "8ed24c92aa311a914921aa68556ed4d7d864396aaac9625c8e05c8ba62527777", "type": "machine_learning", - "version": 207 + "version": 208 }, "ba5a0b0c-b477-4729-a3dc-0147c2049cf1": { "rule_name": "AWS STS Role Chaining", 
@@ -11352,312 +6570,204 @@ }, "ba81c182-4287-489d-af4d-8ae834b06040": { "rule_name": "Kernel Driver Load by non-root User", - "sha256": "33f5ec32f53d28ddc67a858bea818290a2defa25dbb7487eca3dc127a6b2c2e9", + "sha256": "1513a4773f404bffc0e3cdb8078d93b7d43b143b54b109775e5927d24fb44ce3", "type": "eql", - "version": 4 + "version": 5 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "998cfcfee5231e24bd5fb08c5921e0c9915f8d4b9db65d1b7daaa574cbf601af", - "type": "eql", - "version": 110 - } - }, "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "bf12d588236251e2feda39ddb4621aab72de0d06c0cc78366cfb8cde48293fc9", + "sha256": "f9a2f72f3a38457c282d9c580db5aa42a1e76c523d951cddb047a3d0f68ec06d", "type": "eql", - "version": 210 + "version": 211 }, "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": { "rule_name": "AWS SQS Queue Purge", - "sha256": "5142cc67f154e6eca142e3365f66a98511c0ea7276fa784ece159df9c9204371", + "sha256": "205e2ddbd5a1220a30b0b3612ca370127cf1f0d5ab902fb690078504406f73f5", "type": "query", - "version": 2 + "version": 3 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deletion", - "sha256": "ee0a9985f47c61b4899e6db0ffb46a7ecbf7889137cbc89ba4af8a83b184591e", + "sha256": "df1d2f0627fe84a1c630349ab8edf73199995bbd43ca19db174867e02780541a", "type": "query", - "version": 103 + "version": 104 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "38ebab645d36ccdb700fab60ae741b7fc1fdcd857893d3f9a8bd8d8104af6e69", + "sha256": "a92cec668144d3166b4032e3146f87a22fefebeec3b6f854d901bb9ffda6020b", "type": "query", - "version": 207 + "version": 208 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "rule_name": "OneDrive Malware File Upload", - "sha256": "b6bae391783faf8fddf063267243569a829caea469887045e326ef63f991dada", + 
"sha256": "126aa1f2bb9843e14f0a747fa8006dd468611b0d44573830dca8568908e327d5", "type": "query", - "version": 207 + "version": 208 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { "rule_name": "Potential SYN-Based Port Scan Detected", - "sha256": "ca7cb850b228b5d6ab6ee6f7893e1bb49c6b1e24498299ac9177cafe74cf64bb", + "sha256": "daf0d5f0ba307d70c3678c9a881be4a10972abf9b1831f13289ab0409a002b5b", "type": "threshold", - "version": 11 + "version": 12 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "d2591be6119e7fd59bceea00f9241d1477bfca0672c2bddffa9aa118eba5e5a5", + "sha256": "e8102c088a32061fe749478f009b060f4d2b30d27b1c0e9a5f80b76e8f22daea", "type": "query", - "version": 208 + "version": 209 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "AWS Root Login Without MFA", - "sha256": "82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157", + "sha256": "c2a46f080af802fd9c7af4b800499efd51cd48c379b8742387bbc4a6433e2932", "type": "query", - "version": 209 + "version": 210 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "rule_name": "GCP Storage Bucket Deletion", - "sha256": "0e92d2b35ccf8e91dbd05bb2cf976add13ed7c2ebe9e7b8f3a14e6ba4423ddfd", + "sha256": "3e2b0190f192c460cc6e053ca6a11a7e2290978c6e56ff05f27b0de15041a080", "type": "query", - "version": 105 + "version": 106 }, "bc0fc359-68db-421e-a435-348ced7a7f92": { "rule_name": "Potential Privilege Escalation via Enlightenment", - "sha256": "7251fa979518f7ad95fffc7dee8b43ef1241f223f154ca62644fd6a9a03d5d82", + "sha256": "94fbad6793b437cdd6ce3abf2f38eabfd51edd95887ec7a0769ddf2f82ff426a", "type": "eql", - "version": 4 + "version": 5 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "rule_name": "Attempt to Install Root Certificate", - "sha256": "ca00d2bc624c0e0eb4f4138104ba3f44baf33fe7d37ef8b693d45c8809e8f686", + "sha256": "04c7abe67f3daa110842e0d1bd39802f22604c2208677281ce9fb7a4e704dc8d", "type": "query", - "version": 107 + "version": 108 }, 
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": { - "rule_name": "Azure Conditional Access Policy Modified", - "sha256": "585daba14bfe511045ed1f9225e2c8ef3004686898d5598678574811ce335190", - "type": "query", - "version": 103 + "rule_name": "Microsoft Entra ID Conditional Access Policy (CAP) Modified", + "sha256": "a32dae8a7dd5208737ad61a29f0beb40f97f9ab3bd06b75f2ed0964dacedeb52", + "type": "new_terms", + "version": 105 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "rule_name": "Potential Non-Standard Port SSH connection", - "sha256": "af251fd5a27dc1da60e95a6f5bd4dcf2a8651ea1becf053232e00e667f4eaac8", + "sha256": "04eae86e18caf842f7358d776ce851a91a34c30c9e9263cb82c0192ed9c5dd7c", "type": "eql", - "version": 7 + "version": 8 }, "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { "rule_name": "File and Directory Permissions Modification", - "sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139", + "sha256": "6f028a778cd80c68e68678c08f372afb760cb750e2c09cc05b8f599f3b97d2cb", "type": "eql", - "version": 2 + "version": 3 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "rule_name": "GCP Service Account Disabled", - "sha256": "e63ea7699aec49aa63199a96c6f12b53d541b10b9035007f16c27383a357cd39", + "sha256": "324f2200a090d6c04d09defb8869b8e172ba4fdc384b3cb5599dd5eabadeb388", "type": "query", - "version": 105 + "version": 106 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", - "sha256": "4c0f453a7ee9fec7e8d4245344823941109f187ed0b227e6556e050122701cdf", + "sha256": "93382678df93803ca4bde61537d7b101f7abb06ca5c01cc83f437fb9aa7ea979", "type": "query", - "version": 6 + "version": 7 + }, + "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": { + "min_stack_version": "8.18", + "rule_name": "Spike in Privileged Command Execution by a User", + "sha256": "c25a6d3b25cc9621b9d07f9e45eda69a619d4d81b1e2302d19ccc028b24977ff", + "type": "machine_learning", + "version": 2 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { - 
"min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 214, - "rule_name": "PowerShell Keylogging Script", - "sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e", - "type": "query", - "version": 115 - } - }, "rule_name": "PowerShell Keylogging Script", - "sha256": "0f29bd06ba330170b8afdddc3f4b34a22926ac6b7ad0ed8cb91586055464778b", + "sha256": "a3d6471cf1ea32d94fe5cbdd05696924387927c77216eca2fdf0fe34075464d0", "type": "query", - "version": 215 + "version": 216 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Potential Defense Evasion via CMSTP.exe", - "sha256": "1a4b9e6b364c8dab7b70af95029c1837cef25faa14161bce57283c750b0f6c1b", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Defense Evasion via CMSTP.exe", - "sha256": "e90bca644b9c4deecb5cb69654940894035152e5ce6d74f3c45b3193ff56aa8b", + "sha256": "422c3370ec3b26cd9a46df9e873549516889da20384ce3c8c0065add3c64f1b1", "type": "eql", - "version": 107 + "version": 108 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "e65486c1eace3f2cba2f77b32a8523d31ee20a81635805ba14e9344aff57dabc", - "type": "eql", - "version": 109 - } - }, "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "f993d429934670b2858130841325ed6efbed63e48d06218e4b98f59688c119b2", + "sha256": "40cd3a34cf55958cdbc3e7cdbce267dbe66c8c23a756a06b91af346ab41bf4f5", "type": "eql", - "version": 209 + "version": 210 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "rule_name": "Potential Pspy Process Monitoring Detected", - "sha256": "3631d09f36db2837c95c7275f4a50e82f4de95b0d0073c8f8e590b4962170e27", + "sha256": "0143c33d3f591c2df1d42e89ad5da48554ef31bdf7d4f93edac26d79ad814c93", "type": "eql", - "version": 9 + "version": 10 
}, "bdcf646b-08d4-492c-870a-6c04e3700034": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "ca3c535c19bcb70517a067c7f2fee45d4cda7183c15f51ff65edc5558f9180d4", - "type": "eql", - "version": 111 - } - }, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "c81455cfc1549f0c20acc4d63b70b45f4a82f73a2589aa193d0eae48dcbc4fd4", + "sha256": "1619f3dd27557576b15b1722278498a6bb81fec9b56695b36d8499f4711457e9", "type": "eql", - "version": 211 + "version": 212 }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "b7d2b3d62bcd3f5f072a3d0eee1d7ffc41c8ab186328c6e58ec190d567786da5", - "type": "eql", - "version": 3 - } - }, "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "7fd0fad617863a3fa3b7d26140f49d61db07e3841a2112fde8231db1a9c55ae3", + "sha256": "73050d70a759c88f80e90e0edddf60c7bcdd1ef6abdac3dc350d984e3fc5497b", "type": "eql", - "version": 105 + "version": 106 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", - "sha256": "a2ccf5e3e960c49d64850d992659f30b31d2b4619143f6ace9586298ada41e55", - "type": "machine_learning", - "version": 8 - } - }, - "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", - "sha256": "9b8577a62bbfbbcec6a5aba3c11a4d4901222b6a7403c548c74dda4a01e5f84a", + "rule_name": "Host Detected with Suspicious Windows Process(es)", + "sha256": "6c63c12c97f2bdafc33a42a0b745504ac184465871b6a167ac909c7b96233d7c", "type": "machine_learning", - "version": 108 + "version": 109 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { "rule_name": "Unusual Remote File 
Directory", - "sha256": "02fd93eaee629a0cd91484e1809579b28f142b07255c4e850b358d3255e40870", + "sha256": "6b634e212b5dcafda9d320c410d4698421629c01dcff82cdc34f7f53957316bd", "type": "machine_learning", - "version": 5 + "version": 6 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "b92d79f08cb700838477ef425e6e82c0645fa7621fc8db3acfcacbe1b383f49c", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "83ee3ea43af4877d7c995fd8d7a2ef67b13bbdf1e5ef140fad511c76c5676d9d", - "type": "eql", - "version": 213 - } - }, "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "7b9b7c2ada7e7e5ed1ccf83734701f53aa579ce4df309fba3aacddb16a8eb9fa", + "sha256": "990ae878c5abd509abad18f0fe8063648e2cf311fef1dbc05f6368993f797de5", "type": "eql", - "version": 314 + "version": 315 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS DB Instance Restored", - "sha256": "5ed9f6f791ac753a0f0fa1e54b8d921e255e589b1e837cdbd454b8d4cd6703a5", + "sha256": "234b375bb5f91e52387d72dd515da60e02676517be04b0ffa0a75871babecfb6", "type": "eql", - "version": 208 + "version": 209 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "rule_name": "System Owner/User Discovery Linux", - "sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df", + "sha256": "95ac57d7c37abd6f427c185327f8b943928535bc35a501604dd0a3a37879962c", "type": "eql", - "version": 3 + "version": 4 }, "bfba5158-1fd6-4937-a205-77d96213b341": { "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", - "sha256": "ea23ea39e92ba2c5aa62c8b58b895f5fc1b9ed7e1645e2d1ebdf6f94725f24de", + "sha256": "a5b6ae88c3e86627f9d32ba5003869780b99d1d4a0b66b595dbe3a3001797709", "type": "machine_learning", - "version": 5 + "version": 6 }, 
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f", - "type": "eql", - "version": 113 - } - }, "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "c192bb9bb98950970b96a09228a47f17bdfee85d936315b127f88960a07f9fa9", + "sha256": "8446e2bb6fb8a00d63f64829d2bd0dba653c6273bf8610f925c66425fab369e4", "type": "eql", - "version": 214 + "version": 215 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "efccc933a855ee7479813c356075dc5067945c868f9705b24f4d1f0c726ee2d8", + "sha256": "d14e4c6a66931182d9b1473e4f830335200c8a9f8afe321d707dfe76f07129a7", "type": "eql", - "version": 109 + "version": 110 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "7e6ca9dcd52afbbcb0b9a55e6aa6e2769fa1ec0eea2be911c612512a3d980c07", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "2c89d3ecf4ae5e9471d08131a67258ada5c25e166066700187f8fb376b224e4b", - "type": "eql", - "version": 211 - } - }, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "b27fd36d7d58fc1103502201694ebb4f9711505eb7be212b1970a49aa4018803", + "sha256": "54c20725fa5342e7d71c9eb119f1c21185f5de4e8e42e5502bfef005adc36422", "type": "eql", - "version": 311 + "version": 312 }, "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { - "min_stack_version": "8.13", "rule_name": "AWS IAM Login Profile Added for Root", "sha256": 
"260baba4a026a272e648f568530059f1eea3a4f0c91f0895da0a4110d7f684aa", "type": "esql", 
@@ -11665,389 +6775,201 @@ }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", - "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", + "sha256": "f83f9a3a883e2629dbfed9adc3119fa73446e4e7cc8236f2d5edc40f92f84bd9", "type": "eql", - "version": 2 + "version": 3 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "rule_name": "Credential Manipulation - Detected - Elastic Endgame", - "sha256": "a4ff1c4f9d920c7e68294561498fe4fed983eb988fb9f5f2b48394a7deebc588", + "sha256": "c4fa342fec8bd2d9be3a0170fff08f1850375e0660f459377237bfb23cebe615", "type": "query", - "version": 104 + "version": 105 }, "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", - "sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2", - "type": "query", - "version": 3 - } - }, "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", - "sha256": "c69692ff49a09d554d7fc41a0fd751809ead60f0421d0cbc79902c7dd1b8350e", + "sha256": "eb449cb7215e17016cce984442ed6a89ce50708479dc74b62e0092b12f915b48", "type": "query", - "version": 104 + "version": 105 }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { "rule_name": "Suspicious Renaming of ESXI index.html File", - "sha256": "78b79becec80ebf3f377fa653549e66e920fe229147831d6c1d1b2951472e9f3", + "sha256": "b3b96e8d988742a1f9b6e87cabd9b7a17cff40414f4d9385b5857d0be3c3033b", "type": "eql", - "version": 8 + "version": 9 }, "c1812764-0788-470f-8e74-eb4a14d47573": { "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "ae318338980158a5279e376699053252b367bd3ad4618eeec9bd5f9d18ca9749", + "sha256": "c491b5a0b42aa83499f9efa22bfd6cc3660fa16cd364647122a215676bfbe45d", "type": "query", - "version": 207 + "version": 208 }, "c1a9ed70-d349-11ef-841c-f661ea17fbcd": { "rule_name": "Unusual AWS S3 Object 
Encryption with SSE-C", - "sha256": "09eddb777e0307dc89b213216a823e5738d30d3f32b0e08e3e15669b35ade078", + "sha256": "f3f3e571b434f11463b7ee2ab0b934d5fef81c5255f3670a198fd32a1be942b0", "type": "new_terms", - "version": 1 + "version": 2 }, "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { "rule_name": "AWS EC2 User Data Retrieval for EC2 Instance", - "sha256": "d6549a9282b2ef25313f167c7193896b02cb13efe287b26ba00e59de84647195", + "sha256": "3aafc5429538ce15883d86a274c32f57532b3b2a5c8ff61e1a3a05b2c233eabe", "type": "new_terms", - "version": 3 + "version": 4 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "rule_name": "Unsigned DLL Loaded by a Trusted Process", - "sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43", + "sha256": "5322de121f56dffdb40249e35fca739f1a16ebbb85ec7371a5c65a3234a46657", "type": "eql", - "version": 102 + "version": 103 }, "c24e9a43-f67e-431d-991b-09cdb83b3c0c": { "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", - "sha256": "90eee60fa4fd3963cbc29c1f58b1675616c99e865e1ceacd168802b7df454d85", + "sha256": "4e813e3929f68212f112bf17bb58d3dce810a27e3f4f10e06d543f08c99d07c5", "type": "eql", - "version": 5 + "version": 6 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "fc1b233c930cf034d1c534a92b4ee42fffb15b398da01bad0b93741527b11b4d", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "876985abcedfa9f369eb1b552bcf96e7ba482aee631b990fce2007928b0355cd", - "type": "eql", - "version": 213 - } - }, "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "d68e0ca9ae67ed1ba16a2c62ee6dca41fa25ad178352a45fb29e08d0920c6c66", + "sha256": "2338edda91ea70dbcfc2677ddebbd9c26ed6a22e0d89095429678931d74254b9", "type": "eql", - "version": 314 
+ "version": 315 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "8d8ee64704769447bf2d40b32ebb9e6d6425a52106d8fb1761fdbfe190f269a5", + "sha256": "90242136b72d57a88a384fd0cc8cbee8df2d4b2de1277dcec0e0719b8ec05b44", "type": "machine_learning", - "version": 105 + "version": 106 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", - "sha256": "1e3d55ef91312f613f82e6c75780f14ca18d2bbefc4be9a309ed5bbfe21c3d15", + "sha256": "a9f12858c66714399a174dfe4a5781808e6693a87054fa03e3954bb3d71c3666", "type": "eql", - "version": 109 + "version": 110 }, "c296f888-eac6-4543-8da5-b6abb0d3304f": { "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE", - "sha256": "1dfc00c13d00b5a4452a22ec0f06ef4b2f0689891e18550018c35a8059f89e88", + "sha256": "52a5a9a333f384654c1ffb05f5f4d3cdaeee5b674dfb7173dfc80df45da59d64", "type": "eql", - "version": 4 + "version": 5 }, "c2d90150-0133-451c-a783-533e736c12d7": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Mshta Making Network Connections", - "sha256": "1df29ad5d0ca0a28702b68944cb3950151ce264faeed1d0cac6cdc59be122b4b", - "type": "eql", - "version": 109 - } - }, "rule_name": "Mshta Making Network Connections", - "sha256": "35ebb1787e73b188c74759108e7580f588b69fec28e602e40297dbe2e08a1709", + "sha256": "bcbec784809bcdc44ea6e9582b4f0f70c0af25e51477eae81747a03e7587bab2", "type": "eql", - "version": 209 + "version": 210 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", - "sha256": "cadcbc3ef71a2fdf85c7b7666569914967f3b8045422bfb42a860c4aa73358ec", + "sha256": "23db8b09fdb9f4b08efb4ad8bcdfde256153602b55b53b81a85fe1273b9664de", "type": "query", - "version": 104 + "version": 105 }, "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": { "rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters", - "sha256": 
"18af645751efdccc31b367d06c1f9221851668fc7dabdcc02e9be3bc6d1268f5", + "sha256": "ac87d2ea86014bbbad8e736029c418502bf307493bac41e28f009e426309d75e", "type": "new_terms", - "version": 4 + "version": 5 }, "c37ffc64-da75-447e-ad1c-cbc64727b3b8": { "rule_name": "Suspicious Usage of bpf_probe_write_user Helper", - "sha256": "783dba9bf2adf9672499975f28ca2c251157407146f529383f27229b8b03b597", + "sha256": "30d638a0c717fc26289aeffb7689f1277517f01315c434177f121a37236f0e0b", "type": "query", - "version": 1 + "version": 2 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "2f351a320cf7736fa0382f0a514fc587d7a9a6e9df3e0fa798996b1378845e86", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 409, - "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "858019a92e6dbfe1af3a06f1d96710314aa12802e6db988f1f4a9c5bd6fbfe5a", - "type": "eql", - "version": 311 - } - }, "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "aadadca71e75e01e994ff9148f368bfd7b277c1ddfdae04d6f9ea3aecf1e2ce2", + "sha256": "1add85789364640458ee305f5b8550a2e25a163c43f36fec51731cae26970e36", "type": "eql", - "version": 411 + "version": 412 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", - "sha256": "280e239c6b53224a5351f5f23e4f4660518500fe9da555ca1218ac45abb6caf5", + "sha256": "030a1aeb1792ce0139cafd7bb96dfdf4948e5d117f5eb07f5402469679e24022", "type": "eql", - "version": 105 + "version": 106 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "7da7deae7aaaaa19159214551ee72b6c0cf82a2eca4ae8edb3eaefe8aa0a69a8", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 309, - 
"rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "2189d24d38c91a875a7ef420d330d9f074f3f874a38e25a6082487a328b98b28", - "type": "eql", - "version": 212 - } - }, "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "efd529afc416fb90d5b3370adef9ee8b8e42b1a423035ef86d017b22629b1de0", + "sha256": "2a2a2083dffa1918977c8e220791e6696c8988d89f3ae5d1cb7be6f64c6d113e", "type": "eql", - "version": 313 + "version": 314 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "04b3ecf212987b57bdaedbb14a301b6f913473e5abb301dc94b6371c56d73567", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 306, - "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "3cde3fd44462edc279d64b412008d521638ddabb0029d151dc594348b04ed627", - "type": "eql", - "version": 208 - } - }, "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "1ad69e32d7a2cf3559f0ee82cc8620601c5d764ba5c054292e16e4f9e5953fbf", + "sha256": "3b384f5b7167037b7701ed3ee94a88db2419d715497a541bd02d487e183d4048", "type": "eql", - "version": 308 + "version": 309 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "rule_name": "Windows System Network Connections Discovery", - "sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4", + "sha256": "45fd633bec3aa011ea01f6d351e3e2fcd06bad30dd1ada1998a933e7fa819751", "type": "eql", - "version": 4 + "version": 5 }, "c55badd3-3e61-4292-836f-56209dc8a601": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Attempted Private Key Access", - "sha256": "ca0b00b33c8214c0a733b6e9ab2291c4a4e2bc92103a928da8778c792f66d428", - "type": "eql", - "version": 7 - } - }, "rule_name": "Attempted Private Key Access", - "sha256": "e6610e9bc8709d63404f439099e2274b94e6feaf5c4d781d3cba8797f41bb218", + "sha256": 
"413b967819d04045182bf441734756bf08b4f4196d2795d2de10e72cdeadedf2", "type": "eql", - "version": 108 + "version": 109 }, "c5637438-e32d-4bb3-bc13-bd7932b3289f": { - "min_stack_version": "8.13", "rule_name": "Unusual Base64 Encoding/Decoding Activity", - "sha256": "0a148e281a7113c56b07159b06c263d44a96451217b4ed1cfb60d2187f87efd7", + "sha256": "48fc6f4115824391458d5b90d7118d71ad2e32e87ce1b1910a64290767ed25b0", "type": "esql", - "version": 1 - }, - "c5677997-f75b-4cda-b830-a75920514096": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Service Path Modification via sc.exe", - "sha256": "a2d3d1147504ad2b3c7930bba24c2055e523d84b2feeb737211417cb72d8eb56", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Service Path Modification via sc.exe", - "sha256": "4b544e89f0c85e979ed5572561c0781ae88708e037117d8963541ef94eb070ec", - "type": "eql", - "version": 107 + "version": 2 }, - "c57f8579-e2a5-4804-847f-f2732edc5156": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "f23375e5d2e676c1e1abe448a171c858dc5ad2300e66ef5c599e7e8325cb3390", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "fc5dcf6dd48339a257eefaebdb911d38f7a3a6bfd632423bee74a204c7834344", - "type": "eql", - "version": 210 - } - }, + "c5677997-f75b-4cda-b830-a75920514096": { + "rule_name": "Service Path Modification via sc.exe", + "sha256": "68d02dae09181510d0735a66666d78e0c14f7192c8e60065aab743cf1fed3de3", + "type": "eql", + "version": 108 + }, + "c57f8579-e2a5-4804-847f-f2732edc5156": { "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "71cec7c47c2c7d46230f68fe874142b0c1e36dec0aa4bec9023d29d4c4f23a15", + "sha256": "a795a0b3eb0b959a2a21561b09a36097e65626b939ff18fbe53a213be1942f6b", "type": "eql", - "version": 
310 + "version": 311 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "ae48749a0c3d555094e1e400445796ffab2c7a22025f4ec856e582107747e9ce", + "sha256": "155bd7ff5163abb1afe509cc0739b9243d99ef4e900d35f2e8e756675e137035", "type": "query", - "version": 105 + "version": 106 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "7e9ee856f86f121f008eb8a3304b4955828d5b4d5333a47de3f36d478e0562e7", - "type": "eql", - "version": 109 - } - }, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "0fc2faa2b6a15a4dcf2d5aa403a414c13d8d9f33fc943f74616e6d4f067d98a8", + "sha256": "eaf25862c9bf125c65589fb0fb0c659c8012700145ae890be2a7b03c259d3206", "type": "eql", - "version": 209 + "version": 210 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Installation of Custom Shim Databases", - "sha256": "e23bdb57b42ec1bbefbace5a408e8ede22db9bd8be59fae66e1ed6803db76173", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Installation of Custom Shim Databases", - "sha256": "5a38f511fb995bba2a90739bb1fb7a241b0db108f50e9c84fb52f75652a1ab64", - "type": "eql", - "version": 210 - } - }, "rule_name": "Installation of Custom Shim Databases", - "sha256": "322920ea0c3accf1a5852f8ffd6d3e8861e45f262314f49ba54569768ea085f9", + "sha256": "c57de02e0312120013f3b35ba6089b89954c8eeb296a8473c66a7d37e1bdad10", "type": "eql", - "version": 310 + "version": 311 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": 
"4daab056bff3e4d5ae1ad7c4643448ae6fa836f83f095a5cc615f506cad68e8c", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "9a5614b3e8f31ae092611d49189818157e18dda6ceb19becc0f624b2a81938ff", - "type": "eql", - "version": 212 - } - }, "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "ecf12cfbacf7d550b987fe63d6114222e641aeb764b32e4823d6c7712bc2c185", + "sha256": "9cb6d2c7eaf7230f2ce8b4ca744c4ec0f2af15679c1260845be87a1c67d7b611", "type": "eql", - "version": 313 + "version": 314 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "rule_name": "CyberArk Privileged Access Security Recommended Monitor", - "sha256": "693843ef15d63ac5a1119459660ea9638b60f814907ca37f1dad377b7ee0e382", + "sha256": "44964f1f76958f71511ca53492443b0ead56e8f4c1b4b7714d7f7bc8405ef1fb", "type": "query", - "version": 103 + "version": 104 }, "c5fc788c-7576-4a02-b3d6-d2c016eb85a6": { - "min_stack_version": "8.13", "rule_name": "Initramfs Unpacking via unmkinitramfs", - "sha256": "e0db18142f2246b20e8ced81755abfe720896bdb3f739e08b18c4aab3a6a9f43", + "sha256": "4b9618fe9be661b140ce9c3fa6eddaece5fa772c37c83e4ddbdae34e63d7a36d", "type": "eql", - "version": 2 + "version": 3 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Remote File Download via MpCmdRun", - "sha256": "67e77129c5ce0eb04df88c0d64d4f387ef1de59bc03f8d9e7eb11e9c050cd0c0", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Remote File Download via MpCmdRun", - "sha256": "8ca38e918ccb9a3bebd448356f11e4ebbbdd1fde86f8cf71f7b8c36eedc5ae79", - "type": "eql", - "version": 215 - } - }, "rule_name": "Remote File Download via MpCmdRun", - "sha256": "d63b7af246369d52debf0c9e1196c9abfa1b1d3b7b127b2cb53e0bcf7587d0d8", + "sha256": 
"f7b55ffc96a8a14f724488cb8765c8d5f7f8e5ea016b9b66eb9d8df89e751b95", "type": "eql", - "version": 316 + "version": 317 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -12056,7 +6978,6 @@ "version": 100 }, "c6655282-6c79-11ef-bbb5-f661ea17fbcc": { - "min_stack_version": "8.13", "rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source", "sha256": "5dc411adacd7845d2c32dfe1d1b08f2b7cfb75f5e07a9ca693f8b1050edb2fa3", "type": "esql", 
@@ -12065,128 +6986,94 @@ "c749e367-a069-4a73-b1f2-43a3798153ad": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "16dde6466f20cbc871b8fc349b4b46bb900cb9e48a0fd8eff6d2b4d73115074c", + "sha256": "1590b91d2a310db59d4be78dd783b99ca002164e41bf4bda055a579b5997a418", "type": "query", - "version": 411 + "version": 412 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 307, "rule_name": "Attempt to Modify an Okta Application", "sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Attempt to Modify an Okta Application", - "sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05", - "type": "query", - "version": 310 } }, "rule_name": "Attempt to Modify an Okta Application", - "sha256": "7079d9fbf68d6f1ce6eb93ce13bf93d12eb165900aa50027e2212ef5af7dd8f5", + "sha256": "647b6150d46ffebacbc7c94ffc91c209d7486c4e3ac86878d2d565ba13f0600c", "type": "query", - "version": 410 + "version": 411 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", - "sha256": "ae093385db6c5f2043d8896e3231bad2eb9b222c41d58547015b4fea67e75a0a", + "sha256": "77caa22057265ab8e0e08aa1f6e45194a13d799d554e991173dd4727feabed58", "type": "eql", - "version": 3 + "version": 4 }, "c766bc56-fdca-11ef-b194-f661ea17fbcd": { "rule_name": "Azure 
Entra ID Rare App ID for Principal Authentication", - "sha256": "7f59a80362f46d096681439f02d9aa46ace84ac2426f550b434733c6b1308ce6", + "sha256": "c81e8f570b36fc2e7eac006c5013a73487bb1e2b5246a2427d02a13f163e4ff2", "type": "new_terms", - "version": 1 + "version": 2 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Unusual Network Connection via DllHost", - "sha256": "1cd890b963ab7a701f5a6c45943d20f22cb173ff36b6ca80955b13239be44860", - "type": "eql", - "version": 108 - } - }, "rule_name": "Unusual Network Connection via DllHost", - "sha256": "dad569a0e953afbb3adc4424aa091610da67d623add251f2f923f920cdba014c", + "sha256": "e7371ea07e32cc452af83c45fbddf9ab5aab3f347528de0fd8997805c763e816", "type": "eql", - "version": 208 + "version": 209 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "c02bd45f7127af6e3e516d36e39ddbf02d871d2d11196309d70a1b09b8e4d618", + "sha256": "de087f742b07a73ca37a9dd1e2cbcfd964b575c3b06272aa820cd747ec663828", "type": "query", - "version": 205 + "version": 206 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Unusual File Modification by dns.exe", - "sha256": "a3a91a39decef3a359f4dc95bc8be0401664ca49546b526ad694a3154ce425b6", - "type": "eql", - "version": 112 - } - }, "rule_name": "Unusual File Modification by dns.exe", - "sha256": "5055c42206d7d3df32f4241bed3b12ec940e263d0cf696d8de05ee4a4b71193a", + "sha256": "65c76f66dbe4281743cd66e5a20a5b751a2c2ae1c0f5a4aac7c4606fef6bb32f", "type": "eql", - "version": 212 + "version": 213 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", - "sha256": "7e12650d2a7699b7d95e3bd4ed1a6ecf73e9dd59f940d81fea5fface3186e1a7", + "sha256": "e93266dd5b90875257fa5e902cf0b66f97b7c083f726c9c20e9bed33519f1fef", "type": 
"machine_learning", - "version": 106 + "version": 107 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "7b938e8a5930231c6667e1dfb87fafbc50238e0b6a32759a79dfff9a24132c45", + "sha256": "8d79be44b5c0b7c7e64b9529e924dc03e0871fae709ec2171918e7ee840f5471", "type": "query", - "version": 108 + "version": 109 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "9ee8e6d69ebda1834191eedfbf0049afb38007ac2ba4e7e9899fac953921aca5", + "sha256": "60a4a2128f08ca893da602dafdbcfdd3ee5298a868f4c7ccd7743278b2872a7c", "type": "query", - "version": 105 + "version": 106 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "SMB Connections via LOLBin or Untrusted Process", - "sha256": "0f889695cd8a152f7eee793851dc230ce7399798cd8ef6c49709ef3924b049f0", + "sha256": "a8ebfee5f22f77f59e118ef4464a4f4433bda8d02ad4471c7a579efa864f888e", "type": "eql", - "version": 114 + "version": 115 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "rule_name": "Virtual Machine Fingerprinting via Grep", - "sha256": "ea18c1e7446051bed3554cc614f300bd88307747e1963a329a0971f9ec41562b", + "sha256": "0ffb4419e58ea0570521ceb4adc2f18877fcf1268ae42ff67aa3c0d7dc5e1892", "type": "eql", - "version": 106 + "version": 107 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", 
@@ -12196,92 +7083,57 @@ }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { "rule_name": "Parent Process PID Spoofing", - "sha256": "0dc688321ac70be1762f4deffdd16b19f17b750ce8b9dd956b7aa04592517439", + "sha256": "18dd894d1e0202622b85047ba07b4b40ad322d9e8fe29889b16a0b4e337e2e75", "type": "eql", - "version": 108 + "version": 109 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "rule_name": "Potential Linux Ransomware Note Creation Detected", - "sha256": "97321613219e385f7acbb0881364252165707eac788a1480b73ddad510b2c2d4", + "sha256": "4fb255a0ff108d17311e170e7f81f100c406aee9ee127695ef4218672592ff65", "type": "eql", - "version": 12 + "version": 13 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "b02f2bf5fccfed2accfb810dd6c38be499cc9fd52c4d23309848eb8170f374a8", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "c33b3be4b6a67c4dae7fba0831280618a7986cfaaebd4795ec7543db5a63792b", - "type": "eql", - "version": 214 - } - }, "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "ef305abdbae7d8f1ecfb6ca40a4142dd81af12b9b5cdd154e063c7a98a5d8589", + "sha256": "2d9f545bfac7aee1ea38651b3db7700ab3574efb7b2deecef99d4d84dbea4a8f", "type": "eql", - "version": 314 + "version": 315 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "e9d9ba83d54f62f31234ba17fcc63773d044a09d7ccbdfb8a1a86e2031ae84a8", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "8e261fd99ec8e3455388206109e90213fa0b5ebbcbdfc02b64bfa47746b86c16", - 
"type": "eql", - "version": 213 - } - }, "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "5e0e2e0eaa91c13f7ba154969ad792a7747c7a6c7ba3ea9093aaaf1d4d0ded69", + "sha256": "0f1e8fc31dd4402875dfdd831131857f49b3cb63132a36830d645f3fd4456e03", "type": "eql", - "version": 314 + "version": 315 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "5532545b1d0648dc1414555d4be90a43ffb80fef68bc1f2e63af6b28990b4556", + "sha256": "bfb100141081dbb5b23bc7bb4be9aadac948aee1e5660ac97e10031e9e6c3cb7", "type": "eql", - "version": 7 + "version": 8 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", - "sha256": "99ae1a62762bf7d0262c79b33658fa930f597568a1ae9fc8331c333dfc91bbe8", + "sha256": "cc40f7557b619c20a993ef46dd7b17fa103e74bae9608ccdd499efb61aa5b88f", "type": "query", - "version": 104 + "version": 105 }, "ca3bcacc-9285-4452-a742-5dae77538f61": { - "min_stack_version": "8.13", "rule_name": "Polkit Version Discovery", - "sha256": "1daa21e6f3922e8216a3796c9b65d303920190bb2ffd847324cb55eff3517452", + "sha256": "a1aa534e7609aa75d1d774e6fdc6ce0103baf709710d459ef76e10baabd1c106", "type": "eql", - "version": 3 + "version": 4 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "f9d687c9e6c694138baa5bac44dcc183c2cb70c69a7580e14fd4188c01bedbba", + "sha256": "dbf2c7a7950cef5e0c8c5da97ea355d90be5de15e8e691d052c3e52fbe341020", "type": "query", - "version": 207 + "version": 208 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "sha256": "ea099bf7bf302aa4eb27d5adcc8c2e0187e538d3b042ad83abdfaf4e869b5e3f", + "sha256": "4d4a261ac62f1ad69fe8e45c32d47574d73d96f4ea277e7a6659a3097ba787ad", "type": "eql", - "version": 10 + "version": 11 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd 
Login from Forbidden Location", @@ -12291,21 +7143,21 @@ }, "cac91072-d165-11ec-a764-f661ea17fbce": { "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "17830a8c24378fb8ea0b2c0fd6b002089e0761f86d47ae0af127d74ec05489a7", + "sha256": "317e8ed377eb24f0bfdc3d729ed408a061e539ca89a6bbbdbe2ef5554c821a3b", "type": "new_terms", - "version": 215 + "version": 216 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "9cb65197a2a807ee18542e7b91472f606e5474f4bddf8b96b4ae78bf72a1a3d0", + "sha256": "96be8a52587c138e28212eb60040122180b72ad4429fdda89ca97b336387c917", "type": "query", - "version": 208 + "version": 209 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "rule_name": "Suspicious Calendar File Modification", - "sha256": "dbf5167ff460dda688296a49e1d5d48d5f1d0f19ca621f413100a1cbb02eedb5", + "sha256": "de04b212d84afcdf96a74f9863cac14695bb61a761b9721b54d146e273f321d1", "type": "query", - "version": 107 + "version": 108 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", 
@@ -12315,33 +7167,19 @@ }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { "rule_name": "Attempt to Enable the Root Account", - "sha256": "b89a2b2d3038c777d4599aaebf7e06253ae8c022cdeee090402de4e373b22654", + "sha256": "16b0d3114254d27bbe44fe8ce3cacf6f04aa4d3a899b20e052e1ff710f2138a9", "type": "query", - "version": 107 + "version": 108 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Multiple Okta Client Addresses for a Single User Session", - "sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5", - "type": "threshold", - "version": 2 - }, - "8.13": { - "max_allowable_version": 203, - "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", - "type": "esql", - "version": 105 - }, "8.14": { - "max_allowable_version": 303, + "max_allowable_version": 101, "rule_name": "Multiple Device Token Hashes for Single Okta Session", "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", "type": "esql", - "version": 205 + "version": 3 } }, "rule_name": "Multiple Device Token Hashes for Single Okta Session", 
@@ -12351,47 +7189,39 @@ }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", - "sha256": "c81d5f537f0a2c406763b42d4ef5ef5a4bad745e4d41176ac84c5d34598e6c1e", + "sha256": "f96fbc507831ee383d5aba6dc23368580577fa8db5f2b9b96e30d8637df2d617", "type": "machine_learning", - "version": 5 + "version": 6 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { "rule_name": "Google Workspace User Organizational Unit Changed", - "sha256": "8457814fe9b8ebb61a453ee3027bcd060740b1a39f87c180f5897bf3d8fbc861", + "sha256": "22b7548c81f0ed23863d9ab1db3c97d841dbd6e50980d50375c8acdd261a2a34", "type": "query", - "version": 107 + "version": 108 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "0f342ddaebb8be170f8947b26bbf9976454a9609a3fab69ef43946340d965b1f", + "sha256": "b45b88597c5f41272e1a9f367f7a4fcb2bcfe93e2420e108482fc5dca3dd926a", "type": "query", - "version": 105 + "version": 106 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 309, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2", "type": "query", "version": 211 - }, - "8.14": { - "max_allowable_version": 410, - "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2", - "type": "query", - "version": 312 } }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "e077043096bb995208ae7655f2088f680ac0954e54eef38a732a21fbf54027d9", + "sha256": "87d9073072570535e42c78de5197be360faf07af27a71df53d97c788135ab744", "type": "query", - "version": 412 + "version": 413 }, "cca64114-fb8b-11ef-86e2-f661ea17fbce": { - "min_stack_version": "8.13", "rule_name": "Azure Entra ID Password Spraying (Non-Interactive SFA)", "sha256": 
"6c701e58e1612d0491da0b3b77e57b49ef3688848d3a1110cfa3ed6f1210f903", "type": "esql", @@ -12406,25 +7236,18 @@ "cd16fb10-0261-46e8-9932-a0336278cdbe": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d", - "type": "query", - "version": 311 } }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "690e620924cf220b5b56c70024faf4279be53fcb1832f317bd52fd6b70db9705", + "sha256": "d26a0e15cee5125bd0609727b6b3466cf97483d31f391851e77e6df3bd5226d6", "type": "query", - "version": 411 + "version": 412 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", 
@@ -12434,145 +7257,83 @@ }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "70003b5b25514505d843dd9aee62ca085795777f69e03784b7df399a89f5832f", + "sha256": "fe70d9588bd723020455f5f5fa9a058975b89ac60ad613245881451906ce55c9", "type": "machine_learning", - "version": 105 + "version": 106 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Kernel Module Removal", - "sha256": "d72671bd3bab4e18d0837fc746481567bb678e23b73c20159cfbcaa361b9912c", - "type": "eql", - "version": 111 - } - }, "rule_name": "Kernel Module Removal", - "sha256": "838080c3b478f8de7d167a575f607f38e06a9411041e29d5a0f3c8be72f1f054", + "sha256": "12c6428f25fb80e5262b434aa320d3967d7a932a89e1479d48238ffc4f4c1191", "type": "eql", - "version": 212 + "version": 213 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "rule_name": "Downloaded URL Files", - "sha256": "4ea12333f42f437aa58e54d2644f3646936a8a5f93c6814a0ed2c67dff925da5", + "sha256": "e1e22d875cf9882ea60fb4f187227061c3018296fa8d5212781e842966659b32", "type": "eql", - "version": 4 + "version": 5 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 310, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759", "type": "eql", "version": 212 - }, - "8.14": { - "max_allowable_version": 411, - "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759", - "type": "eql", - "version": 313 } }, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "f642652974fc308178cf8b88483c24d61cae898a7b3b2f9e3254e4dcd182cb40", + "sha256": "731233eb6532a1950765586c4da2b20469cc887e6ce10b531f9629065e58bdd4", "type": 
"eql", - "version": 413 + "version": 414 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 309, "rule_name": "Okta User Session Impersonation", "sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde", "type": "query", "version": 211 - }, - "8.14": { - "max_allowable_version": 410, - "rule_name": "Okta User Session Impersonation", - "sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde", - "type": "query", - "version": 312 } }, "rule_name": "Okta User Session Impersonation", - "sha256": "3aa673f1c0c34cebfc6e3e55a3be648b570843086b6289d22c44ef3c70ff4f0d", + "sha256": "49290b5d15db111ba6e47fbc4647d92b0ad2fc0a32fcb0a2423011357494dbe9", "type": "query", - "version": 412 + "version": 413 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 110, - "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "a02aef3d53b50e1841dd01ee25f506dc63a897f003265f8678ef3f82fa618670", - "type": "query", - "version": 13 - } - }, "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "ab4ec07b2bdd59f75529ab2b6f8e58098bad8f3f8a08c9e0b2261cf7500d3015", + "sha256": "271da71dc04f1010eb364ce5754f2c7a3683ae430311df7195bd66b7972ae841", "type": "query", - "version": 214 + "version": 215 }, "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { "rule_name": "Shadow File Modification by Unusual Process", - "sha256": "31811725296500b46a530f4167b50a90a1939a9a30ae575a5f1605db107c530c", + "sha256": "6e0b6acb39b82e9faa8ad82a12cbe0b2dc3795c5098fe2e77d48b83bc9084a3d", "type": "eql", - "version": 3 + "version": 4 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", - "sha256": 
"557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca", - "type": "new_terms", - "version": 104 - } - }, "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", - "sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14", + "sha256": "738e11ad446b5a83cb22b42945b260706c1056b5f8c27efff52bef483188223c", "type": "new_terms", - "version": 204 + "version": 205 }, "ce4a32e5-32aa-47e6-80da-ced6d234387d": { - "min_stack_version": "8.13", "rule_name": "GRUB Configuration File Creation", - "sha256": "cf29eec9c7946126d6e84a24c8c726e02c45cc182ef0dbc48dcb9b388761509a", + "sha256": "9d595f40499cc72da6c3709fdf71a203fddd9a1b11ef8be2f023f31c9a89e90c", "type": "eql", - "version": 2 + "version": 3 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "0d3af72ea1eb174dd4aa290ec7c8e3e240acb51358169eb0529e77b099a7dfca", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "3b3aadecba256b51549529cae3290f4a09328fef1f5fabd621ec318d51a049ce", - "type": "eql", - "version": 212 - } - }, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "d60cc4622721041fc7781551bd3d381428fc01276aa7e8a1055f90a75d27b878", + "sha256": "117d952e5bcd2c164962af88219378aeff64efbf8c1da73dbf3dabea0d1d6409", "type": "eql", - "version": 313 + "version": 314 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", 
@@ -12582,9 +7343,9 @@ }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "f9935260008893683196e7baade711c8c71a9faf9ece159608690d70c3a3e57c", + "sha256": "e99dc301a62fee73fb630e903c70c8548070df3071cae7bcea8ee2a230f2a16c", "type": "query", - "version": 206 + "version": 207 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { "rule_name": "Unusual Discovery Activity by User", 
@@ -12594,54 +7355,27 @@ }, "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { "rule_name": "Trap Signals Execution", - "sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4", + "sha256": "eaa28b7f8c71baf866712cf248d8f8b4111526a9f7eacae1f89a3d683b4b4fb3", "type": "eql", - "version": 2 + "version": 3 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "4f9cf9d0307112c1578c481ffc975559438e8151e1dfaf9597d21d7a66cea7fa", - "type": "eql", - "version": 116 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "b124bcc3b121f9136501c7d4ce5d1419c47a828e64480ae750e0906b25489af2", - "type": "eql", - "version": 216 - } - }, "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "cb9333ce51666fab48bb330cb9fac7bda9376ec73b3a039aae1a81ad7a112a43", + "sha256": "29123cecbb9df40ee043d7ac6c3949bd7dd0847391c4881c5bdd0f4f7b93f4a6", "type": "eql", - "version": 316 + "version": 317 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { "rule_name": "Archive File with Unusual Extension", - "sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3", + "sha256": "b550e6d7b2adc9a8755324f1e6643b372a92d8c374fda50fbade8dfe08dce397", "type": "eql", - "version": 2 + "version": 3 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "0f000268fdc695dfbee160cd34e2e1321d37c12eac2a69d832aef01d5306655d", - "type": "eql", - "version": 10 - } - }, "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "e0b9b778b8c39963c3189778b579a80dba4ae66cc8cd73cf01120c8b0ffe0d27", + "sha256": "2c3ad4d81dd5ab991f6860243ef78ede43c23895366d447e9cd0bc92bcf17e2e", "type": "eql", - "version": 
111 + "version": 112 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "rule_name": "Deprecated - AWS Credentials Searched For Inside A Container", 
@@ -12650,68 +7384,34 @@ "version": 3 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "4bb55e1f7ac32a17597deba9c24186c785abfcd6953b10305a596ff29a27dd63", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "c97fbd41a9b9ac3b79c7459e0bf3c636d1652d33043f7e530ccd2e038f258b18", - "type": "eql", - "version": 212 - } - }, "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "0d395b1f9a4f028fc752ec37396aaea0a8b3896f2ac3318fe2edbd6daae092f7", + "sha256": "34191ec3d33f4d663071054a511f3ca9cffbbb925a2bfbcf697264fc8f64568f", "type": "eql", - "version": 312 + "version": 313 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "29b901e2e2a500cc3e5930938d94b49c5b7f44fe6564aadc087f290832d6d74a", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "ee54b6b3c0af6cbb6be3c7dd4c8f04d47eb50a579955817390e77e0cbc7eadd9", - "type": "eql", - "version": 213 - } - }, "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "8993357af0c7f71ea5a6211f75cf96089c4c9ec88913377fe9c9baf72aaf6e4f", + "sha256": "a4fa6279cb8ac2a13ac55785c7ba2d6748bd408d9896469b5a126ea561f8ff73", "type": "eql", - "version": 314 + "version": 315 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "rule_name": "Expired or Revoked Driver Loaded", - "sha256": "232255e1a27a32df53f7b03d4a328673ddafc73b3d701b901c20ab79e1b5e28a", + "sha256": "753158074f3976bdc74f647b716f04e016fbdac165668222daab86e8a669859d", "type": "eql", - "version": 6 + "version": 7 }, "d197478e-39f0-4347-a22f-ba654718b148": { "rule_name": "Compression DLL 
Loaded by Unusual Process", - "sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce", + "sha256": "33bd527a750fda29b5480c117dda72748a391c83d695c92ca7282bef013f36be", "type": "eql", - "version": 3 + "version": 4 }, "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { "rule_name": "AWS EC2 Instance Console Login via Assumed Role", - "sha256": "c4baae65ca422ef39a7b46b0def65701fd04eaaf1b938ab2d950984acde5db2a", + "sha256": "e764c602ea496d375b2316d4109ca5aa936049ea10464e2a4f17ee8397c0a980", "type": "eql", - "version": 2 + "version": 3 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", 
@@ -12721,248 +7421,150 @@ }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "95008cbe23f1fc8380e8181c4dac5e28c0ed9c9315589761e18569e50c4cde9d", + "sha256": "8939090aaadaa05ae89af695e1d1e2151452ea651f9bf671534760bc050eb84c", "type": "query", - "version": 107 + "version": 108 + }, + "d2703b82-f92c-4489-a4a7-62aa29a62542": { + "min_stack_version": "8.18", + "rule_name": "Unusual Region Name for Windows Privileged Operations Detected", + "sha256": "6af539d1a1901b9397023a322186941933974f4ede39a83b4639958216815645", + "type": "machine_learning", + "version": 2 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "b4d0f51e31276b87a2d2f365694f02f3826550163ef41d500b69e5a188479123", - "type": "eql", - "version": 212 - } - }, "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "daa4ee75ef9d319d9fe60c708f314fa2358cc48334270374e0b5c8222d5352ab", + "sha256": "ab1e2c41e83ba93f5ec9b9f3c8ac16f61367c771f6f4abf5081a1f1d8b423a0c", "type": "eql", - "version": 312 + "version": 313 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Clearing Windows Event Logs", - "sha256": "43df104be9f108fd08b8d71599f09bd2a9e4f98e5df1e6d8b0c41786bf127629", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Clearing Windows Event Logs", - "sha256": "a10ce3920c7f51ff84dd06f0d4c83d000d591660132213cb6aa19fca1059919c", - "type": "eql", - "version": 215 - } - }, 
"rule_name": "Clearing Windows Event Logs", - "sha256": "400229c7fa25221d2fd2db218ffe282f8d4d597d85d9cf9cf783ce03e28a1159", + "sha256": "2a085de8209f72daca0b30fd53664e043c5176dfa985aef71df3e5077be22176", "type": "eql", - "version": 316 + "version": 317 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Remote Windows Service Installed", - "sha256": "1f3ebacad2b755fcdf9e30e67395eb3ae6c0947abedc632542b5b4eb17039d93", - "type": "eql", - "version": 9 - } - }, "rule_name": "Remote Windows Service Installed", - "sha256": "295c3ce74dc2067ec71ab0fff5dac7193d4fd70509c1e5281c190b6af90aefd1", + "sha256": "d468dc445682809a0a8c9641ed31494c4efe288793dc26e3753af0b84edc33f9", "type": "eql", - "version": 109 + "version": 110 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "WMI WBEMTEST Utility Execution", - "sha256": "5a91c133bc777a7e2499b024f42ebe1be6983609c8f38e00a4d81924dc72acc8", - "type": "eql", - "version": 5 - } - }, "rule_name": "WMI WBEMTEST Utility Execution", - "sha256": "aa88ac4bf872c3c3928d2121657a6b88338d937fe1a3813231c8f20a5cf966c3", + "sha256": "16399edc8a9fe5bc74a0dd86a31391a4303e4d5b2907381e4740e2ec22fbbca4", "type": "eql", - "version": 105 + "version": 106 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", - "sha256": "d3c22e7edad44df7543bfb8c0d84839b41b82786b1de1ee5c05819890a61a13e", + "sha256": "ea44e7c45639646c0f5afea36e85f87dbfa7d0a0cd434dbc6d5af8ef7ff1f098", "type": "eql", - "version": 109 + "version": 110 }, "d488f026-7907-4f56-ad51-742feb3db01c": { "rule_name": "AWS S3 Bucket Replicated to Another Account", - "sha256": "01c816014f421370ac32bb6369f8a83bc036b4cc7a1f817e5f34eed99deaaa01", + "sha256": "1b5f1c4e9c160b09738959ad464afcbea5ed84ce2d36eda8a9863ec747c6f2ac", "type": "eql", - "version": 2 + "version": 3 }, 
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 307, "rule_name": "Attempt to Delete an Okta Application", "sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Attempt to Delete an Okta Application", - "sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666", - "type": "query", - "version": 310 } }, "rule_name": "Attempt to Delete an Okta Application", - "sha256": "90f5212b5d6f828360ef355e1f922212881b33016383d2d9c78719cd37ed1639", + "sha256": "7fd97a6d16b2f196ff002868f67ce2d17332792e74235f415f84980cbecc93c1", "type": "query", - "version": 410 + "version": 411 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", - "sha256": "6ad7ede3c52ca6d191275bc53d5af195bd6c4bac16d37b2a0d2c8431ae4a33dd", + "sha256": "6350cb52e1f9a7474b743ea8a49c8835573160720c9b65e3ce6e5bf25485d134", "type": "query", - "version": 103 + "version": 104 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "589f094b4f15686c52f3a6b3e8d0b26b2f6bc93446f91d37f0deed5dacbc30ca", + "sha256": "d856f5bc791ad881ae2e422fd298fc90902f2928d5fb89d126fe3fbf155decfe", "type": "machine_learning", - "version": 105 + "version": 106 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "526a1d698d53c469d024aa72d1d2b07ea56ac34aa51fb0104c5f69fdce70948c", + "sha256": "1002b1c17b431e49e3e235d8b15c84468824a76d7c5dfaea4cc8f90cafe26f31", "type": "machine_learning", - "version": 105 + "version": 106 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": 
"3ac7fcb80411d506306b5e742ea93bc2592f558ea93ac74f82e98b6453cf1094", - "type": "eql", - "version": 7 - } - }, "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "12f7f9d6ea55e9ff587c8130acae50e3081e10e1ee41b58149e1a4cb74d2eb85", + "sha256": "fec6a0fa524575a41ba86fe848bb8fc7e9c103ac839a72cda6b2066ad75c6625", "type": "eql", - "version": 108 + "version": 109 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "sha256": "c72111177dc1c97186e853f7c03b41f573c7cfb81a533dc0f9156381a00a5cb5", + "sha256": "9082be85ba93ddeec1e89ba8a3fc75dcf1ac8aaeba7127d029e4fa7ca48a8a85", "type": "eql", - "version": 8 + "version": 9 }, "d55abdfb-5384-402b-add4-6c401501b0c3": { "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", - "sha256": "17e9577dfbf339f5aa680ffac330813882588c59f8cc0f4d73bdc1865b72df9f", + "sha256": "bde7e76a0841721264382a3359a2ff7d8ffa73d5adbb7888ab65b49c63057296", "type": "eql", - "version": 5 + "version": 6 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "517d28ddbcd9550ac85394cdac2cee0844bc448d4be9b4e4aa81be52e1275002", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "76d7e76f6c26a0e245b833dbed9be07a49f80004d68992ad351a789ab93f06d6", - "type": "eql", - "version": 209 - } - }, "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "60b8eec12452b573096d484a711a30dba4b444661e967528e029b47d6ee84f62", + "sha256": "c6567e2b9b097b8c88a70182f1a3d3e18b4f548a5882956238790067fc1acb6d", "type": "eql", - "version": 309 + "version": 310 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { 
"max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "457f9745d44991b7dbff97c8032d25b5f3d5c631adb8dc0e909ea948b837ae41", + "sha256": "2f4ecad22e3439e40d872ec6622ef847643a5b296c87bb2da5026854babd4a0a", "type": "query", - "version": 411 + "version": 412 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Service Command Lateral Movement", - "sha256": "0d07056086afc2ae7fc3933f654811d9b31cbcf86939f52cea27261c807c0b8c", - "type": "eql", - "version": 108 - } - }, "rule_name": "Service Command Lateral Movement", - "sha256": "e767e2798904e06d27a494fdecd4eec49bb912ec8b0c6940d3992927ef6354e1", + "sha256": "364e0e90aaf611c022c4397d51f9b8946415f1a861b48d5a08ebb218ffb0abed", "type": "eql", - "version": 208 + "version": 209 }, "d6241c90-99f2-44db-b50f-299b6ebd7ee9": { "rule_name": "Unusual DPKG Execution", - "sha256": "6649690e0d48f4463fd9ea9af37d65f589e1c88723ac705b63965957e8021ebf", + "sha256": "6f40b41de80d42bad45d272850576b66118db1fa6654c09a47a6249c3004ea57", "type": "eql", - "version": 4 + "version": 5 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578", + "sha256": "6d58ad5eb89fda1ff2f19018d0aca2f560050a01c42ffe92460ba52ae49fc5cd", "type": "query", - "version": 209 + "version": 210 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": 
"bdfafb9c68e9892fa7b9ca7598f201f97e7939ca8ca8c33ffc98baa5c1c46cdf", + "sha256": "44cd3ade23e797d60feb1b58151d8cda1f5762e043c6f92ba9beb586f21181a3", "type": "query", - "version": 106 + "version": 107 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", 
@@ -12971,259 +7573,124 @@ "version": 100 }, "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 113, - "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": "272699ab944dda3fb2374c7f0cba8b4585ace10fee2a21b12b9c6215519c3c29", - "type": "eql", - "version": 15 - } - }, "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": "a8b94f958358ecb558c04272526096c255c70adfcfc23e85dc392fb9523b761a", + "sha256": "80a57f989c5ba72872a155815ac64a7927ed2bb48bd3b42c423fb64bc1228916", "type": "eql", - "version": 116 + "version": 117 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "64a63407de9de164073767409d81c4ad49dc544271236c164345d1a626d94c3a", + "sha256": "2ca84c125e2f7b43139fe845f2f9c3c21078b72aab62be3a9110d77ae7438692", "type": "query", - "version": 207 + "version": 208 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Modification of WDigest Security Provider", - "sha256": "a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e", - "type": "eql", - "version": 111 - } - }, "rule_name": "Modification of WDigest Security Provider", - "sha256": "b9a559838a1a99dc2394f88550d8bf2acd150203179bbe5aa432e9d0d8569049", + "sha256": "221929268d5d76c2d02c7e67c51e7e8569e66ba2086a2311e0a26844195b2348", "type": "eql", - "version": 211 + "version": 212 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Command Execution via SolarWinds Process", - "sha256": "cc15c76a2369027ba3e6633b87d7a3839f5365946de2dcfe4ec1b82a982e4641", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Command Execution via SolarWinds Process", - "sha256": 
"2a7761657cfa115b0d73fce0563817e7b4a07b1c776039e0570d60c26f45b79c", - "type": "eql", - "version": 214 - } - }, "rule_name": "Command Execution via SolarWinds Process", - "sha256": "9f589cbf31fdc71f8e4c57f7cd8dc4956c30179ae4df20fba67d41e87e071ada", + "sha256": "be5cfbaf3f14fdc6b141a2da1ba75ce6fd4f73cd5a034cc56495c307cffec29f", "type": "eql", - "version": 315 + "version": 316 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "641ef2451b1987a3e9cb28358fcfd308d956ef099cab89e13168b853db4d48c1", + "sha256": "7753db2eea6710433d8e516034d1ad3e10f9665998fc63eda0e7fac38eaf8d49", "type": "query", - "version": 207 + "version": 208 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Suspicious Memory grep Activity", - "sha256": "be15becb96ba5f7d3bbfbb8d336acdd122a95f155d4235a4e3941eefa4d8fa70", - "type": "eql", - "version": 4 - } - }, "rule_name": "Suspicious Memory grep Activity", - "sha256": "b32fe770424c2bb1f42c024250666ed6908c7309fc3bb52716853793ca7deb49", + "sha256": "9498dc0bbf5a8874168de36c387041aaa159b6d63cbe54c86fd0483d6f69ffc5", "type": "eql", - "version": 105 + "version": 106 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "rule_name": "SystemKey Access via Command Line", - "sha256": "4c5994d232095f98e72abc6b0a4ff08477e6c845b50df9de6e6ae92745f25835", + "sha256": "2988d34ddda441fe4a4b88cb90d7d411968ded85b2b2494470af9d7e620da3f4", "type": "query", - "version": 207 + "version": 208 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "aa0975e7620cba81ba4d6b2b9aa05da8913d3f309cb4803fbff2ac88f7d9a4e0", - "type": "eql", - "version": 111 - } - }, "rule_name": "Interactive Terminal Spawned via Python", - "sha256": 
"b9ec78f42bbee517ba762cc989682ed667042fa1dbbf00a51d635480508b7d19", + "sha256": "8811c39c35e4b6c052e17cac45d0beed552fc6c1d22b19f1a9f1d7ab8531d50d", "type": "eql", - "version": 212 + "version": 213 }, "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": { "rule_name": "Python Site or User Customize File Creation", - "sha256": "62541c951385c527fe469fdbc9ae9791a101d3286ff2a6b2524ee63951e31599", + "sha256": "dfddf9feef64b9a41da72fd362a26321a45456fed11420facba72a5a9d821b96", "type": "eql", - "version": 1 + "version": 2 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Permissions Modification", - "sha256": "b6f7d9e1c6d3053f849ee87cdd0567aa3e046fbf9c1400a060021426261838d2", + "sha256": "c98d93eea336ce6205777f449eed6bfd33abf038146dd1f87c45ab7cefd14258", "type": "query", - "version": 105 + "version": 106 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "rule_name": "Spike in Logon Events", - "sha256": "e6d5824de70c85d84e7bf5a4158c0893db7265f5bf6a4310aadd7a4cc1806bde", + "sha256": "0bae75a43068e3d724f8d1ac0152ed8cf0acaa0ad5f0176618d0355340d37aef", "type": "machine_learning", - "version": 105 + "version": 106 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", - "sha256": "dc4aaaebbe30ceb017d1b3100fec840afc7c916a2519037418a91ea060b581ea", + "sha256": "d971cf7bbec2f72915f427094136083e496ac965e48c0afe7bc8524784702f52", "type": "query", - "version": 106 + "version": 107 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "rule_name": "Untrusted Driver Loaded", - "sha256": "9d627c046b1d969fa3cee29c64c2ede631bd7c2f11e2d5b0195467910718d443", + "sha256": "30b26c87085b90ec42c4df57678a049026e6e4b3fcda21236d3488c15582e2b3", "type": "eql", - "version": 10 + "version": 11 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "45efd7d53f83838ba357aa1bfb387f4c2489612adc924437d1f1953cf68c6d7f", + "sha256": "38c6d7b6cfa4aa16d60be7b4d72e0615ac60e0e9f95c54313d98997dae0ebf43", "type": "query", - "version": 210 + 
"version": 211 }, "d93e61db-82d6-4095-99aa-714988118064": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "NTDS Dump via Wbadmin", - "sha256": "0ec890060837395012ad0a162820039feccc988f8395fc1078f45daf4bc7abb3", - "type": "eql", - "version": 4 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "NTDS Dump via Wbadmin", - "sha256": "021063dbb016001657028d480f2e2a48e6eaf2e544441b2ea8dd23cd9fe1deb7", - "type": "eql", - "version": 104 - } - }, "rule_name": "NTDS Dump via Wbadmin", - "sha256": "2d9145c7d1b3795172c0ec1ad4721ccc4055fe6b14d51880f6dd59c2e1498e5d", + "sha256": "d0b2bc419679d9286796d3a66037207d62902e4055b129a79858b59852f1cb77", "type": "eql", - "version": 205 + "version": 206 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "9b8ad5964185c38f5bff7a86e3f4cef521ba3f743dafbe475f84111b6c97c473", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "88280b0f1705bc61a7d02fd3670dfb3d6b3364732637b21cf99e9543d1a98e05", - "type": "eql", - "version": 213 - } - }, "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "1574ae43ff903032be7747f88500fcab7396be626f95da26921145560ab5d488", + "sha256": "494b7da88fc5d6c219aca8cee782a27dff130484eef06aab786146e58ebd2187", "type": "eql", - "version": 314 + "version": 315 }, "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "fbe7d02b10b540aff7b825dc36b8716bf16c7de4668ecbad5001a3239c6c5166", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Suspicious Windows Command Shell Arguments", - 
"sha256": "8fd732f25e901ace558a167c84fa62b658c0f38ab260059e37ffdb4d690fb45f", - "type": "eql", - "version": 103 - } - }, "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "bb3b92db48376983d30d61f54bdabb41250c33883d13ac5920d416e91b08a827", + "sha256": "0be8fe7e3c4ba21ee47fbbd8f1a5d1cbc73daca022c05caab0ef900e29994edf", "type": "eql", - "version": 203 + "version": 204 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 110, - "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "fc23e41a7d22a46223a5b1ed558336101405e6adad108127504e440c44d82a19", - "type": "eql", - "version": 12 - }, - "8.13": { - "max_allowable_version": 210, - "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "9d490d625ede5483e6874408d935d1e8ae2e654bf38990bd8ec90cac8d61e7e4", - "type": "eql", - "version": 112 - } - }, "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "0ac7d1624e694cec67982400a822b5692087df342748f9d9b10eebc1de8ffe03", + "sha256": "e1ad0a26e85539ab019b057014df784c143b65894b744e2c58f1ebec3d8e902b", "type": "eql", - "version": 212 + "version": 213 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", - "sha256": "6f132baef5851efd00f760a31aa6cfdd4a68c0bd286f6abbf8cd245ebc635745", + "sha256": "636be48736d1fc5c1023b5e1ebe4fb3d03be923e8f049de7990cea48d1551b44", "type": "query", - "version": 6 + "version": 7 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 109, - "rule_name": "Suspicious Service was Installed in the System", - "sha256": "9a42aaff1236e24c34e84e08efd9a7e42009c0c63b347d4fe373822df560b886", - "type": "eql", - "version": 12 - } - }, "rule_name": "Suspicious Service was Installed in the System", - "sha256": 
"b047f4e0b3115a5cae6311130cf82c3c278d25ed4dd930e2f697a0d9d9e7f0d0", + "sha256": "515cacb66d212f2083ea6b28972bc51a0c9167be27f0d0f84638b314049ae0dc", "type": "eql", - "version": 112 + "version": 113 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", 
@@ -13232,110 +7699,46 @@ "version": 100 }, "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Potential Pass-the-Hash (PtH) Attempt", - "sha256": "6d19402e85f66e45583b1eeb0c1b22e5641e069db1d10342a0bde8f44b0fae5d", - "type": "new_terms", - "version": 8 - } - }, "rule_name": "Potential Pass-the-Hash (PtH) Attempt", - "sha256": "7e22a1c442db7cad59d546607a489f1c7050f79fd38503b21f27303ba5241f7e", + "sha256": "4d68fe24dd0d301c1e923372d847dbba0bf64c745c110c39d6eb37c633173043", "type": "new_terms", - "version": 108 + "version": 109 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Multi-Factor Authentication Disabled for an Azure User", - "sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee", + "sha256": "2d9632002d649b472a5c733c0f47ed0f56bb23e1709525d6d93ddbfb119b22a3", "type": "query", - "version": 105 + "version": 106 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "f070b0885fd560dca726ee750baad0826feb31d8d40ccb087eb224a1ea7abfbc", - "type": "eql", - "version": 4 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "042a48825a4fad14bc7163dd1ec03c4495809a3b597ef85c391fa358b2abf475", - "type": "eql", - "version": 104 - } - }, "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "6512a9d12fa4ef27519126e321762a291e72b255d30192405b4cb411001266c6", + "sha256": "8521413a11ba536084e345e3f1613d7fd496ad569a008aa17227c553e15e3fcf", "type": "eql", - "version": 204 + "version": 205 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": 
"9aadc22b5ec9cea06ee0b9088f5ccbd36a3306d609eac169139751b082504d50", - "type": "eql", - "version": 9 - }, - "8.13": { - "max_allowable_version": 206, - "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "a02c1d8fea25864162d20fe9d56a7b95c9cb558593d39dd4b0dbe5718022ac55", - "type": "eql", - "version": 109 - } - }, "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "029980f0576e49caacd25ad0de41f0b2408bc96f253c336d6cec15df9a3314ce", + "sha256": "a9671169c35a71ba384b845fd9765c7d89e1e98600a415f4e36f2647c7b5e162", "type": "eql", - "version": 210 + "version": 211 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", - "sha256": "d51a9914cc58576ea6fcc57df0fb35de299f08b8acf0ff37597124b12b9862db", + "sha256": "a78cb90c7f0afb001831e03cd16a5cb52e24282352980bd0daf83fa50fbc9119", "type": "query", - "version": 104 + "version": 105 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "d4648bbfa3d971cafd0c2664cbb8da0fc57af62582278b2246e279b1c7dcaa2e", - "type": "eql", - "version": 6 - } - }, "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "8690b4f17180de2e5b04b89a6a896c3a137fe7ebdd13e6982bfeee9fb2b135b8", + "sha256": "e498c1b47d7ba79f452f9c2064d0831a336c2666b3e012b595f05ed4028b10cd", "type": "eql", - "version": 107 + "version": 108 }, "dc61f382-dc0c-4cc0-a845-069f2a071704": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Git Hook Command Execution", - "sha256": "dd6719030d3fe2a0ee69963aabd0b10598548861f0ca6a7ce968eb283b8a96f0", - "type": "eql", - "version": 3 - } - }, "rule_name": "Git Hook Command Execution", - "sha256": "3ad68272adbc2c5c4f5b945a065b67154c91b826cef8f120af822a44d62724e1", + "sha256": 
"6443cd8b3cfbda2d7a70fd612bca43a314b67cbc2397648e973451f13d05c47d", "type": "eql", - "version": 103 + "version": 104 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", 
@@ -13343,109 +7746,47 @@ "type": "threat_match", "version": 100 }, - "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "e16de17547f45513cc6097ae2c1fafc3fb841a3d7cd4876355dfdce3bd42d171", - "type": "eql", - "version": 10 - } - }, + "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "99b4b4a9e64fa970794d90bd46d37e2ad1f23280ede41d8a8de1841b6caf8622", + "sha256": "4db94576091206cc07684b6d0525c81be43ac5230ab521b61ac715ec94cf4272", "type": "eql", - "version": 111 + "version": 112 }, "dc765fb2-0c99-4e57-8c11-dafdf1992b66": { - "min_stack_version": "8.13", "rule_name": "Dracut Module Creation", - "sha256": "af7a3f72ed7f24e50bc14f940937bc9cf2bc1f6872e1d672d463b5165d85d1dc", + "sha256": "059f1216689ab35326cf9bb3737e7b909fdebec22c5b630abf28df3d2e12a1fd", "type": "eql", - "version": 2 + "version": 3 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "976ac05caaa7708302cfafccd5edd0af529b333c3550b12e398506b43b82e625", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "11d89db06537fb1ca446cbef23180ba0070a9636b860a6494c0c9fb2bb8dcbab", - "type": "eql", - "version": 213 - } - }, "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "d4fcd570b5466abc21101a20f25749dd7c2c72e8392e316c2f2f7841c0b635b4", + "sha256": "26ae20aa5968e9f262435fe74ace17fb9288ff9ff0699c897846eb9c1c208d08", "type": "eql", - "version": 314 + "version": 315 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", - "sha256": "c2be81a4e4f052c6da9119dd200e3ab45d5687ef747f79b3a2cef11bb4568d29", + "sha256": 
"da4cbf0c9c49d0017d6024802770daaa114775caf1b2166996fbea05d143f0bf", "type": "machine_learning", - "version": 209 + "version": 210 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Suspicious Execution from INET Cache", - "sha256": "40d55e7663cb9633996f2dd6c03729438145e69e0239b0e638f5ee1a40d4281d", - "type": "eql", - "version": 5 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Suspicious Execution from INET Cache", - "sha256": "35fcbc09ebaeca1f271a2a19eea3012efb1af8eae8ba0f4a9c6736dcfbe5d7e4", - "type": "eql", - "version": 105 - } - }, "rule_name": "Suspicious Execution from INET Cache", - "sha256": "6a5c4edf3847efdf6dd62e8a6de3c4eb4741877eac727dd8af8aa473666167c2", + "sha256": "fffcf31bef3d24ead7f7bb3b63ea7317ef98f42f3d4fa08603ee2d0f926e15bc", "type": "eql", - "version": 206 + "version": 207 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "26b7b9e5fd76bd0fa239139c7322893447787d8462f784bd120a62794e64b358", - "type": "eql", - "version": 10 - }, - "8.13": { - "max_allowable_version": 207, - "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "0d40357f250d05884f10feb5097cb69fa88c7a4549156688aa38a58a2e133b86", - "type": "eql", - "version": 110 - } - }, "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "40b3e43ae452b8ba4364d1c4d0c6b7a79485a65182d891ec986426cc31129bd4", + "sha256": "29bff27ecc7b22548eff76aee34d753aab9506f5e9679c823203a88116f86d2e", "type": "eql", - "version": 211 + "version": 212 }, "dd52d45a-4602-4195-9018-ebe0f219c273": { "rule_name": "Network Connections Initiated Through XDG Autostart Entry", - "sha256": "3893d44e187bf13e2e0a5fffa35b36800a58de2f402432d79956113fb81f68dd", + "sha256": "c5e58b53df939293538e3efd32441106b18f08c9fac0f261930e3b2ebd2414db", 
"type": "eql", - "version": 5 + "version": 6 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { "rule_name": "Reverse Shell Created via Named Pipe", 
@@ -13454,139 +7795,79 @@ "version": 6 }, "dd983e79-22e8-44d1-9173-d57dba514cac": { - "min_stack_version": "8.13", "rule_name": "Docker Socket Enumeration", - "sha256": "542d6fce1df6a18b8cd0f22e854d01e313ac186fa85f51d79f48e57ab1fb5682", + "sha256": "149cce82433148ce029d90e16163afe91fbbd5c7a7d212750d165f7faee39d8c", "type": "eql", - "version": 1 + "version": 2 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "NullSessionPipe Registry Modification", - "sha256": "84f5b0cc9b45784f5f3268b1f1cd252e3e460a30225570b04bd90ed819e7cd75", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "NullSessionPipe Registry Modification", - "sha256": "c53af1114c332c599481a0ff4eede6a5a9b7a2b80284a201c3c7c5c3ba9dae11", - "type": "eql", - "version": 211 - } - }, "rule_name": "NullSessionPipe Registry Modification", - "sha256": "e723d0b3254745f488ccac62bb67e6d2f069196659d17cf778fb42a524933135", + "sha256": "345ef25b94eaf7afb1dfb7f61c124b3d66e41677ee7daf2af9590dfdb0164a57", "type": "eql", - "version": 311 + "version": 312 }, "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { - "min_stack_version": "8.13", "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", "sha256": "c129a707d58db25a4c45591577570e807c1cda2be7e4167c44a922ada89b2939", "type": "esql", "version": 4 }, - "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { + "ddf26e25-3e30-42b2-92db-bde8eb82ad67": { "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "d8c2c36ac62b1821bf4164411d30ffcb97ae6b3ec8b2736dffe412305fa71633", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "f9398ff0b3917ee5a9e279f22d4c8ac753ec5cc7c514744cf5c102a23ce5e265", - "type": "eql", - 
"version": 214 - } - }, + "rule_name": "File Creation in /var/log via Suspicious Process", + "sha256": "cae1516dc1a068f2f2284cfdbdf3d349a65b44b039ecd235dd3b6ed582d6c262", + "type": "new_terms", + "version": 2 + }, + "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "8a6ba13f0dda67fe805dbee6d884a1189538027f029d6401919c7a92c9ed24ab", + "sha256": "8058b4f596b37cefc52cf3fb95fa1d733b08790bc436107045b3fc6158b578f7", "type": "eql", - "version": 314 + "version": 315 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "2110c27e62d99781d5a1189a8ed1fe2d6a400568585a8e6573fb473f783f9761", - "type": "eql", - "version": 111 - } - }, "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "d096dd61e0fdd262df14f29f04e3818f84e1a5f4057cade79110ad3a929aac3c", + "sha256": "f5e956781dab82d481e1c191e5072fb081fdc35642565479ae6a5a74589b0eb7", "type": "eql", - "version": 212 + "version": 213 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "rule_name": "Query Registry using Built-in Tools", - "sha256": "de848b5e9c4cb1dbf61d805263fb3e9d70aed03a3de0e18b44698957c53aa130", + "sha256": "b5f0f72e6447ced9a66c345ae4f28a96d82114336517c32b52ad7e8e09e58551", "type": "new_terms", - "version": 106 + "version": 107 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", - "sha256": "6323546ce88a2062ab9b777768a0a4282ac1a74384c1f21449a3262202208011", + "sha256": "3c532319046fcb837e9e636b12fc2228f64068979187d2dae380b4db54b277bc", "type": "new_terms", - "version": 9 + "version": 10 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": 
"92bb89bd0e84c9232dcf024b09b211d04bf914a34e8ebcfcc2700c0f9f4154f6", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "e7e813348ed80c496689f948ecd7de5edfefb9f63b906114a57bb6798b9253ae", + "sha256": "698b739a519f1247043c8a2392c5f1b69d8f2f5a37daf5f26c0ddd108ac9833e", "type": "machine_learning", - "version": 207 + "version": 208 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", - "sha256": "8fc27e74bfd62fc69cfb08bc0944fb02643fbb3fd3e9b84ef1e6b06e36ccba3b", + "sha256": "9dd6fdef678461381fe5ca9243a9f390260edbe650857120bf5201c3240cff0b", "type": "query", - "version": 103 + "version": 104 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Dynamic Linker Copy", - "sha256": "c129b0c687239213e54f4f95219e0ba6f09ce259ad97d16efe4789c56b4c1205", - "type": "eql", - "version": 110 - } - }, "rule_name": "Dynamic Linker Copy", - "sha256": "f1a290ca66fac0299d00bfdb6b2303033c974c4a184dd32b9ae3e34b3b7ddc78", + "sha256": "8746efd8c7a5db283a0c57f09d50c2b779a4c77f14d4c420a7ef94ab09871f26", "type": "eql", - "version": 211 + "version": 212 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "ac73d656120d73f8776a9afbdc0c8a63ba9863321b9153d9529c67e61651a5a9", + "sha256": "5b60c93cf576b5f6d248526e3f315e45a9a62f0cb8eae284eb163cdd272ed32a", "type": "query", - "version": 205 + "version": 206 }, "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": { - "min_stack_version": "8.13", "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group", "sha256": "f33b42f628062aaf94789a5880e98522fa684c465bdf6da024d16c74a4f02efc", "type": "esql", 
@@ -13599,110 +7880,56 @@ "version": 100 }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 102, - "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "f14455fd6ea9bdc73123f4c69cb12843cfcbe7747b51b622198eb087bb953f08", - "type": "eql", - "version": 4 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "f7fcd4ec131f7e648b7fe8bb86887bfb768bd7bf3a006340a5e9fca5467205bd", - "type": "eql", - "version": 104 - } - }, "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "2b622d8bb5228a5ab103d2c5197eab64a8c1a0977cbc0594097fe979c66d2034", + "sha256": "d5df0c7078e1f0cd8f44092a93fd16ba9330112396065569a58ad1ad44e75cee", "type": "eql", - "version": 204 + "version": 205 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", - "sha256": "8b63af67b0b77e5d770c49f6e9a9216ab92f9f7aba27fe58b2f87b38dfd3b24e", + "sha256": "4d0978b645653188ee76f1bb49ac3f4cbdc8def28285d7d0507c8e5dc14c34cc", "type": "eql", - "version": 4 + "version": 5 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure Firewall Policy Deletion", - "sha256": "3145c97b2a0f8a3dbe953d706b20b0db89737e622460e8eb92f562e46316b78d", + "sha256": "82042a004c8f365799c05cb46f2eed28019b3c95b646c53156b2f019ed4dc227", "type": "query", - "version": 103 + "version": 104 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "be3e036bd85d0139f9025316971ebdafff2b115de3d7e46ecf4a12fc2b17fb34", - "type": "eql", - "version": 110 - } - }, "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "cabb2f1ee545a8afab4bdfae8d8fbb983de8802e1eaec837f32286aad16a00e2", + "sha256": "8f3637bf0febf4ecf16e25e1fd99456f0a53e3b8088731ee5d0d0983b77f9fa4", "type": "eql", - 
"version": 210 + "version": 211 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "System Service Discovery through built-in Windows Utilities", - "sha256": "71df05db291794ae655d563c9f6cc812bb3c8ebd1f3b076fb3103cc1a9af152b", - "type": "eql", - "version": 10 - } - }, "rule_name": "System Service Discovery through built-in Windows Utilities", - "sha256": "edb551d4e6634b6ecd115cc56d888b82abb68d7b87cc04db6f15ca884e5b3c91", + "sha256": "530ec32c26086a48a3b167fac750f221f891b1f1f4b49db52208b9f3ff05f1f2", "type": "eql", - "version": 110 + "version": 111 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 310, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5", "type": "threshold", "version": 212 - }, - "8.14": { - "max_allowable_version": 411, - "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5", - "type": "threshold", - "version": 313 } }, "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "0f1797f4458f41926c4fb9920e9bad30476efd48173d83db37c845ac553c2e1a", + "sha256": "6e3e41c82389d772556a2a178b933d4cdff82e9bfe42283e9f1ae3f5f2a1ff7f", "type": "threshold", - "version": 413 + "version": 414 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "6147022642131c87ac6702fa482fbae2afa75394591d2a12545a08d85336f5f2", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "afd239148a789428e9afc33cc2ed4df601459622d6b114f719be62ef217f425a", + "sha256": 
"7eec11f39785b3ac03e6d5bcd9632b6782226fbf7f23f36d696c9eb456216534", "type": "eql", - "version": 107 + "version": 108 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "rule_name": "Whitespace Padding in Process Command Line", 
@@ -13712,310 +7939,169 @@ }, "e0f36de1-0342-453d-95a9-a068b257b053": { "rule_name": "Azure Event Hub Deletion", - "sha256": "55c15bc0ab3e65a9e0dcb4e9babf915de29b34b26b842fe6ad70c153dbc50212", + "sha256": "83fedbbdfcf4592eddd94a5d936d244ead52098cae9c7a3bf8ca0fc11d67d74b", "type": "query", - "version": 103 + "version": 104 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "rule_name": "AWS Route Table Created", - "sha256": "c76bc6e2331f0b9bbf3d8f05a6f363c267e1509a793f6949082fc196e12f1fc6", + "sha256": "d16ebea3af139abc576479f31d634e6f56c0226ed2e34fa6ddad342c3d5838ef", "type": "query", - "version": 208 + "version": 209 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "AWS RDS Cluster Creation", - "sha256": "7b5a2e8745804344d0c558af38ae871fb0c48a51a92c943f98830876bce353b4", + "sha256": "554d5defaab6dc8c8c458bc10c8a4e290370d6c9fca7cacf1b4fb2ab3b590265", "type": "query", - "version": 207 + "version": 208 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Connection to External Network via Telnet", - "sha256": "28c7ce83de51514d2b297b6590e71038a20120a59fd3f1b8f1693e98dc5c1d7d", - "type": "eql", - "version": 108 - } - }, "rule_name": "Connection to External Network via Telnet", - "sha256": "9c4cb74b1de6b291bdd95cef6e4dc1db2fc043af96969f7a09811263b9866c96", + "sha256": "68752d6f8a27c36dccc1293bdce1bbf7a32d59b77108cf2d69a41178b0eac77a", "type": "eql", - "version": 209 + "version": 210 }, "e1db8899-97c1-4851-8993-3a3265353601": { "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", - "sha256": "79e7d8b6c91ff85bfe18be26bfd2bbe3de8d62a447c19e86c2250d6f10e25dd6", + "sha256": "5a371e71a9b488124d05e63a91f0dff222eb265f7a8fa1d38ae40440531480bf", "type": "machine_learning", - "version": 5 + "version": 6 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": 
"Suspicious Mining Process Creation Event", - "sha256": "2e1ea018087510cd48cb9978f295dfc7ae3df5e33ae6087605fe0c171ee6f7af", - "type": "eql", - "version": 7 - } - }, "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "b5f28770a0cb6cc57839bec21e0d78f890b72c023a9f2a1f56329aa86d0bdcf6", + "sha256": "c06b00e0148c664ffbe90af42685fc3808597c009d4d5cb267d43cd9654ea783", "type": "eql", - "version": 108 + "version": 109 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "rule_name": "Spike in Successful Logon Events from a Source IP", - "sha256": "0269e018a4255bfb434cd73bd2e52aef757c68e11659366261fa2c8687dc0948", + "sha256": "b747d127de957cee57f1f89e40e8e048afce3f057baf95d733f590205eb24512", "type": "machine_learning", - "version": 105 + "version": 106 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "aceeffb1d2d30da61a5c975b4c978c1a8dd0687ddac7214c80ae21c9067eadfc", - "type": "query", - "version": 114 - } - }, "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "ed908ff078c5a2e7569fc9967c30cc040397ed9122a09287031c0a4e5d04e377", + "sha256": "c2ce3c45b246ac1baa015811ebcdb54bf1a9daf4c3349f4aac378bbc7af2cbbd", "type": "query", - "version": 317 + "version": 318 }, "e28b8093-833b-4eda-b877-0873d134cf3c": { "rule_name": "Network Traffic Capture via CAP_NET_RAW", - "sha256": "f5c6eb26668b0618457eb54076493de70230dd3c72adcd575923b13012ae0c45", + "sha256": "94c926b40a93dc8729cd108cbc5d551b16391d79e31f494a6dd8ac3b91985c4f", "type": "new_terms", - "version": 4 + "version": 5 }, "e29599ee-d6ad-46a9-9c6a-dc39f361890d": { "rule_name": "Suspicious pbpaste High Volume Activity", - "sha256": "2190e84f9e7192e1648c8b1673576f046c4e03d475bb75045c7b9e2e12bae237", + "sha256": "fb7284696c578f3cec014e5b1a12f7aea7aea33251f753a859a6b48e0479c879", "type": "eql", - "version": 2 + "version": 3 }, 
"e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", - "sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd", + "sha256": "4c55ff0a69ff41b1f88c95d3e01110af11134d1a5cd9e98771ed8e401f60bcbe", "type": "query", - "version": 209 + "version": 210 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "rule_name": "System Network Connections Discovery", - "sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1", + "sha256": "52d8a7ec6eb615544d954620ce09365820081c38f65505c1e6ab641a585e3f7a", "type": "eql", - "version": 3 + "version": 4 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "59e0f66055f6ca2de75fc83f80895d38b0544cb232a27c17b5ad274d18842db7", - "type": "eql", - "version": 10 - }, - "8.13": { - "max_allowable_version": 207, - "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "d5de70a49caf18d246524ba6fa7ffeb2b6243da158fd0f838868f41a72f368d0", - "type": "eql", - "version": 110 - } - }, "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "a3074187de9cbb825e91c16b2cf56280f48b19fbb58b6e294f6e007a3ebe7b47", + "sha256": "33982e9e8c18594faa7ffebc2fae992052114cab1b331a7bc80c6ecdd1cd4beb", "type": "eql", - "version": 211 + "version": 212 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff", - "type": "eql", - "version": 112 - } - }, "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "a02677e7cd9c71dad3cf902389ff330aa11d7e30af8f5186022a8942cbd0a39b", + "sha256": 
"2e70bd24e7e2462bbefc498fca2c0fdeb22e0e4458ca98bccf2ea13d7477dfc5", "type": "eql", - "version": 212 + "version": 213 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", - "sha256": "44411255b771a99faffe0685c0f5e63977818e21d073d24091ff91bd9aa33b51", + "sha256": "dba30f098f2bfd00be8ffafd120ff63c8495b2efe909875c826852eddbe6ecd2", "type": "query", - "version": 105 + "version": 106 }, "e302e6c3-448c-4243-8d9b-d41da70db582": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Potential Data Splitting Detected", - "sha256": "7b1c198e74d0e4f3d7b01f471cbcaf92ef595343883d73f4bcca641970102396", - "type": "eql", - "version": 2 - } - }, "rule_name": "Potential Data Splitting Detected", - "sha256": "4cbc9c690c480e6a0c5458a4e2e93bcf347ef61202570333fb7b66342ba93b58", + "sha256": "148d6ab8d60cbdd98c4d4f554596945713e5b91683c4bcfbfd6dfa5b55ee6b6d", "type": "eql", - "version": 103 + "version": 104 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Process Activity via Compiled HTML File", - "sha256": "820ccc16d8a4a8f7fc46cc17069ec359a736b3d3803d156ed511f05a771b7416", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Process Activity via Compiled HTML File", - "sha256": "a8cf4ae254ee226a844438801018251c0ed156dc36375ea7377e33b67efc830d", - "type": "eql", - "version": 213 - } - }, "rule_name": "Process Activity via Compiled HTML File", - "sha256": "02f5e8471f2ec0c5b618a104a190faf75c17cbac5c9d84ac619dd6dbc1ceaee5", + "sha256": "8aa1de8df549e67e79bf31cfb452675c3318c91847ab584b0eda2ffcfcf32af5", "type": "eql", - "version": 314 + "version": 315 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "f2d736a544e71eb0be5118b7e11cc5ca78ef900a8f8d7225e8c0b03ad08c6587", + "sha256": 
"9d41ed59f3be5a9cba2a43308015da0c4613225ff148ec052e8ef5f782554ee7", "type": "query", - "version": 207 + "version": 208 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "rule_name": "Ransomware - Prevented - Elastic Endgame", - "sha256": "6b3dadd40aa120848fae2bf405a3e564a4f8f1f135f3e43273c9a5990cce5592", + "sha256": "6c528e2eaa2548c187927e68a1378a8ae0983ad6786b4c4ea83f5f2791f614ea", "type": "query", - "version": 104 + "version": 105 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "15425280f466c2729b02c0af122c6c595b30165cd51c4f683fee546070d396a0", - "type": "eql", - "version": 108 - } - }, "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "151650631c31a43c201b4eaea3749b4f13790dd576c4420057b75b9cd51c740b", + "sha256": "dbbdeb7ac1e711bf00274c964639594933e1ce5924de179e7882c488edbfe152", "type": "eql", - "version": 208 + "version": 209 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "3d6b19ea3b397ac9a3e1d4779f0bfbbbe891a2b9352cc8331b3d1b21b3492f86", - "type": "eql", - "version": 115 - } - }, "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "465ac78f6958f74fff4f46a3ff16e69a49b534ccb7b037fa26cd2f352bd13690", + "sha256": "58b1d84b309af8166c6ede9962ff74a03ffdaf9ead2362035ba25a08429f44fb", "type": "eql", - "version": 216 + "version": 217 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "First Time Seen NewCredentials Logon Process", - "sha256": "9041b77e8259e34d407916d77afca09bc12083780a68fa76b3ab0f545ec0a85b", - "type": "new_terms", - 
"version": 7 - } - }, "rule_name": "First Time Seen NewCredentials Logon Process", - "sha256": "7f8cbe7c809f5f6439380cc95e39d43499010dcce8d9d9e5c86366cd832ca302", + "sha256": "9676cbf32057970b5e7a090bc2ca6c4dd6acda35d010009bb17e480d1df4070e", "type": "new_terms", - "version": 107 + "version": 108 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "e7a1afdd3aed5b8990f25c5c3ebc89a3d4e1911e68296667f6b6e4cc13e21407", + "sha256": "ec4d4b49bb0557f30bd5406a763042ca5ca13027e3238d6f8ad289d21b9bb6f1", "type": "query", - "version": 411 + "version": 412 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "5c7d57bc4534a2a0e0954dc8aac857d465f5fe162da03efd1c900a9ac9680bcf", - "type": "eql", - "version": 108 - } - }, "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "a46f14f105c573fc3663af37227e949ac9d8ff5771cfe823163a5b5a839f60ba", + "sha256": "118acd90df3154153bf8557826919eab96f0fac35675eef1ec9142c8b40514d7", "type": "eql", - "version": 208 + "version": 209 }, - "e514d8cd-ed15-4011-84e2-d15147e059f1": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "e4f8a8d92eb2a30728e395c24a0e1fefe6b75222d110fcf1b87cd80b2dccc30a", - "type": 
"query", - "version": 114 - } - }, + "e514d8cd-ed15-4011-84e2-d15147e059f1": { "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "f7c403156a8b86200d6bd124b68887764d5362fc6b53b8468bccd221b4d9fe55", + "sha256": "a666e662ecead900200096c997feda81c48e650b4b6929fecf12819e17aa6d4a", "type": "eql", - "version": 215 + "version": 216 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "c208e0210c900747a4eaa68c93e32df981d3e2f5bb72a17177582c3b6ea60501", + "sha256": "789d56eb67930d1e7ce1cc61bcd47f0ed36b4fff864e852b75efe0fa42991b2f", "type": "query", - "version": 206 + "version": 207 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", 
@@ -14025,295 +8111,189 @@ }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "rule_name": "Bash Shell Profile Modification", - "sha256": "8893356dd5ca661718d8f5c32e3d5b4e2e31ced5866bad1aac12f2ae4b1837b8", + "sha256": "8c1053ff5fdfa8b8a4bb84a119023a812d15b37542c1a627ffa0600fa43f6beb", "type": "query", - "version": 105 + "version": 106 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "rule_name": "Authorization Plugin Modification", - "sha256": "abc854ad84c4df75f33b8a3ec0b322047c931d738de30da1996883afbdd7b799", + "sha256": "8c5a6d2e755c84d286e20429144a010c9dd5bb6d6d3c3b51006d595342506d53", "type": "query", - "version": 108 + "version": 109 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 307, "rule_name": "Possible Okta DoS Attack", "sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Possible Okta DoS Attack", - "sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8", - "type": "query", - "version": 310 } }, "rule_name": "Possible Okta DoS Attack", - "sha256": "d31797a2a9ebd8114c915f01f1b7222689f61769135d5406738283834a175f72", + "sha256": "12284166256e64b7c01e39b512e688f68f637a8fb0b26b266d2652d2e2c22fd5", "type": "query", - "version": 410 + "version": 411 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "021c60ecf962a5bbddbcccf61190972c6aedc8a3522201413fff29dce8e8c16f", + "sha256": "7f6c1610e97359d0ef8f39a95dec381fee893c0087cc0055732d40ca080ce765", "type": "eql", - "version": 109 + "version": 110 }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "a33b86d48c3d3d62db7a1fa07ff45e3dd2ec92fa332099989635eeb934db5345", + "sha256": "cfbb66f9f0f827ab92081dfd22c10a939925dbffa01dd36a5e36d654547a18d0", "type": 
"query", - "version": 105 + "version": 106 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { "rule_name": "Potential Credential Access via Memory Dump File Creation", - "sha256": "27987be0e2d175b6af6648f0f13ae6c921ecc1ef5198b7ec704a9e12b91cb3cf", + "sha256": "04d7360e6bde8541703c0b167175745f892ada5db0d307dce3f8f75b1f97e452", "type": "eql", - "version": 4 + "version": 5 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 206, - "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "8e916c6e5e28236cf4e78bb6c9a7cb8991800d108c6dce8a147b6196ae27b89c", - "type": "eql", - "version": 108 - } - }, "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "745553dd4b4f167afb3f9d8aa2a73cb88e8a9984dbee97b741c011740ea72306", + "sha256": "8af66bdd03c5ba834cd114fc87732b927ba4293781453ea9250576e590fbb9a3", "type": "eql", - "version": 208 + "version": 209 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { "min_stack_version": "8.15", "previous": { - "8.12": { - "max_allowable_version": 205, - "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "0eb9b50416c959551b3b273ef5326ae8b96145ec4ea717bee0033ea99d133af6", - "type": "eql", - "version": 107 - }, "8.14": { - "max_allowable_version": 305, + "max_allowable_version": 205, "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "123c8d391974a063625df859c1b10d7a95232b0f02f302c5097d70074e697164", "type": "eql", - "version": 207 + "version": 108 } }, "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "b11cb97ba4927fbd34141d3a5cc49333cbae82890c27eb7731e165ed71b3cdbc", + "sha256": "09987510e50d659ed83b389230a6a8dbb588e6329186fddc5231fa3674154535", "type": "eql", - "version": 307 + "version": 308 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { "rule_name": "Potential Windows Session Hijacking via CcmExec", - "sha256": "fc6696281aaff38aabf5ef6dfe7b56c731c027f5daa36aa8fa27db356d1836cf", + "sha256": 
"664e2b796744b9c89cf1599efecac9d8ab2046b29b5707040dbbe537386aa385", "type": "eql", - "version": 2 + "version": 3 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "rule_name": "Unusual Process For MSSQL Service Accounts", - "sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8", + "sha256": "58b8a9367b8203fb99729740505a056d82a055aeb7e8a8ac38ffe6692e2609df", "type": "eql", - "version": 4 + "version": 5 }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "0bea98ee6e9ce10eac166784de0d4aeceb2b4e690051357201bb91cffc7e5edb", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "5ff7838c257d23a22ac81dc996fa1bba6e80734971669cbf6c8f5bdfa6314f5f", - "type": "eql", - "version": 102 - } - }, "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "8b9fb79800f9757717537734e0e8fd81eb27c77c51f3bea4933b4026af77e360", + "sha256": "814b183eaeebf91847ccec2b4af4cdb9e57309815c606482f8529136a97d30f2", "type": "eql", - "version": 202 + "version": 203 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "ecaad70591f430b71f38353b51514e955299f312f6299c043edbe78296d96c47", - "type": "eql", - "version": 9 - } - }, "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "962391b35148784c37d51d9d75f577a0ae8c9c855443ec35d2e4dfb3c247e942", + "sha256": "9c3e96e69661d63d5b9d68e4ee264073533225ed49ff5998ec805c26b53266de", "type": "eql", - "version": 110 + "version": 111 }, "e7cd5982-17c8-4959-874c-633acde7d426": { "rule_name": "AWS EC2 Route Table Modified or Deleted", - "sha256": 
"e56e718a9723a794c9e062425a957d4e952f2a9984792aa9df06ea86c7310dda", + "sha256": "2e08f2c516a61a43bbeb762f08cff51f167568c46646e53ee5e1d81921190fa9", "type": "new_terms", - "version": 208 + "version": 209 }, "e80ee207-9505-49ab-8ca8-bc57d80e2cab": { "rule_name": "Network Connection by Cups or Foomatic-rip Child", - "sha256": "918d54c5a6647f2078e33a286ca77359e078e643772831ec0217ef3fc2478d8c", + "sha256": "f324967cec3404ab2656bb12ef820476a31e80139d0bf1742ccb34948513855b", "type": "eql", - "version": 3 + "version": 4 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "e9a897b3d6e54d43b0c0b67f4ddcda48e4a01a450374c5953fbfc9e6a13c0568", - "type": "eql", - "version": 114 - } - }, "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "88531315d5644d775abd814a7f79203b41a18642843ce25dbd7516e740d6ed2a", + "sha256": "9ae6927d3848fb08d6b9486923291fe8fccc0926069c6af97ba59af4a95fc7f8", "type": "eql", - "version": 215 + "version": 216 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Installation of Security Support Provider", - "sha256": "b539da6b7c1b1227bdb42936daceee9540ba7d0f3605ee4daa85bd0c836ac05a", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Installation of Security Support Provider", - "sha256": "4921dd59a49f0857c4a5a11360976efc71f083994125f28706e6071dc19c7473", - "type": "eql", - "version": 210 - } - }, "rule_name": "Installation of Security Support Provider", - "sha256": "d3e972fca563427e3d76bb4395afc5f71c455501294696f9dc6df982b1d28abe", + "sha256": "08778ef25240581721f6522164af5354c5b8e0feb536b6056f5e613b425ba7f5", "type": "eql", - "version": 310 + "version": 311 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { - "min_stack_version": "8.14", 
- "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "e8fd6440c6d6d88986539c259693d1ee14c53bbebd9bce21eab23ced642d5c02", - "type": "eql", - "version": 8 - } - }, "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "a50076fcb40d588e056f081e1168588950939d6c95a97f2facfed56882ce6f9e", + "sha256": "240192ef0bea37fc30db7b5ac9eb621b52e7692a21bbd108ab950b77e69d525b", "type": "eql", - "version": 108 + "version": 109 }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", - "sha256": "a666b794f171a1a2c008b39794d12cb837d0fee82e293f8dc6601f749a723645", + "sha256": "78abc9a2eed7a19b2d6ebc1bc05238321e4dba4e11da79bacb565b479cc4e386", "type": "eql", - "version": 3 + "version": 4 + }, + "e8ea6f58-0040-11f0-a243-f661ea17fbcd": { + "rule_name": "AWS DynamoDB Table Exported to S3", + "sha256": "2d6f19cd200dee46a2702d73743b4ddebe21c3af769273024bb586d69e114489", + "type": "new_terms", + "version": 2 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", - "sha256": "b54a9721e854b951bcffd517564dba55d3d9f5a1b13ff4bc738ee5aa7e4f9bc5", + "sha256": "564659b48deefbcf8ec40d29e3fedc5834cddfec5e82e40ac76d82f3885ddc3e", "type": "new_terms", - "version": 108 + "version": 109 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 310, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4", "type": "threshold", "version": 212 - }, - "8.14": { - "max_allowable_version": 411, - "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4", - "type": "threshold", - 
"version": 313 } }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "18719e990037ed4bcedb7040cb575b1b244fdea008bf902c36de0c0dc87262d9", + "sha256": "923880a5e8c4d831cea799c355f62d9dc8f91e51c8179f3d757929b136581f11", "type": "threshold", - "version": 413 + "version": 414 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "AWS EC2 VM Export Failure", - "sha256": "0cc0882f3f4079767583e56fd8ac76f94fe773a3ad47b80a5c7ef1f07e5afcd2", + "sha256": "3108c7939b46b2c24d8e8329dcc507d097bf974d63f37e757e8bcbd60db15a82", "type": "query", - "version": 207 + "version": 208 }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", - "sha256": "b7a20dbebcf0f6ecd941a69b135191989886cb45781f0e23444e523bfaa03208", + "sha256": "8f10b2a9adaf97ec1bc98f62ffa1451ae303e28e4e389e39f9a462a27e189318", "type": "machine_learning", - "version": 5 + "version": 6 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "6ef104d85ec9575226338908f304d5def68a7412883399913f6bb68378d6decb", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "5f4f414a3ae8185a194ee698b33f60372d7733ed66e23b8ef56fe4c06edb3dbc", - "type": "eql", - "version": 212 - } - }, "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "2ec2b40b6d719512b8aedec3c65efa2e1ce6b38aa2dfb387edf32b43516c9421", + "sha256": "42127b508b678cf780488971af93d4fd690ab6c5880568df13b1d408a9d9c1b8", "type": "eql", - "version": 312 + "version": 313 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "rule_name": "Potential LSA Authentication Package Abuse", - "sha256": "5b5c778062c60175f66184a03ec8cc58deaec9c8d47e50b7e62d75b592eb203e", + 
"sha256": "23e831b3f10fbd14d9101693407a6ce3404b02e7e97d674563a31c8fb16a0c0f", "type": "eql", - "version": 107 + "version": 108 }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { "rule_name": "Spike in Remote File Transfers", - "sha256": "8d2b4cd0d07e0114cbfc97e7836712efaedb13d7941b49ba32df06344bed130f", + "sha256": "9851656253510ce2fc2c4a7a08bf1ed0c825e9618390b9b89d0f69f923a4032f", "type": "machine_learning", - "version": 5 + "version": 6 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", @@ -14323,9 +8303,9 @@ }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "rule_name": "Azure Automation Webhook Created", - "sha256": "ca8b561fa907119476109df0f7f86007194ffc80c3b614c4f69522d366f15e92", + "sha256": "f68c7c25601fabddc22a9338198f2264152d3ae7ab6ae0455b7427fd5216c3e1", "type": "query", - "version": 103 + "version": 104 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", 
@@ -14334,76 +8314,46 @@ "version": 100 }, "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Unusual Process Spawned by a Parent Process", - "sha256": "9305b82ec96b801a1ce3d03306069610691b62051ca30252e654c38b624f7c55", - "type": "machine_learning", - "version": 8 - } - }, "rule_name": "Unusual Process Spawned by a Parent Process", - "sha256": "263dc5090dd778a47400fbeb93a47512defec5bc3e78d7bdd173ab8dd1c95910", + "sha256": "44bc3a93c7a5f7f6606eb5f9b1f9b8bee2d056f00e5767ba61c13a4c71082c2d", "type": "machine_learning", - "version": 108 + "version": 109 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3", + "sha256": "a3a27ddcbee5752715ca4892770bb44b06a5ff20a585a8f29ea3d048cc49675e", "type": "threshold", - "version": 210 + "version": 211 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", - "sha256": "fc408da92fc5febf3e95b3e4466fadb5f9c59ff6f98e5b71c5ba830dbebc52f3", + "sha256": "3b98fded30d504c2ac622e68d4d5ea2082157e46544d6037ba65a4904c7face3", "type": "machine_learning", - "version": 105 + "version": 106 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "rule_name": "Suspicious APT Package Manager Network Connection", - "sha256": "e564804b6774ca1351834c65234f778427f64a1a8a9c63f54c7bceb478ea41a1", + "sha256": "8b39b977aeb20d1dca078c897b14be9ecf5843c1be80362f589fafea5a30a009", "type": "eql", - "version": 6 + "version": 7 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", - "sha256": "cfe3ec83261ca32ec7fa6c3ec8fe8c6d8b42361b74fc363e99795dcce182badb", + "sha256": "3076f6b1adaf92e302684e1464639085c90751e68a525064398b7a9c2a03e3e5", "type": "query", - "version": 104 + "version": 105 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - 
"max_allowable_version": 105, - "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", - "sha256": "0df8fef46aadb6e55f99fcb160c20a7c50b5b97687a0ae824409284676656051", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", - "sha256": "34b8cb6cbafa6c8284ce99c7c6cc95be28e2423a480b5e56d46de73e21ecb72a", + "sha256": "c468778c4333b21155a1daae233d2e16b7ffda86f4d738698ae1cdc5a365323e", "type": "query", - "version": 107 + "version": 108 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb", - "type": "query", - "version": 113 - } - }, "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "d7f6edb6af54dfc5d3bce2f5f8cd4bd2b869f751dbfe299e4cff67a302c6cae8", + "sha256": "62446d0d38929b8edf499134e3d75f1ab2e2c46f23dd345bfb0455e46500755c", "type": "query", - "version": 213 + "version": 214 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "rule_name": "Suspicious Network Connection Attempt by Root", 
@@ -14414,94 +8364,33 @@ "eb804972-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Behavior - Prevented - Elastic Defend", - "sha256": "1800ba797dd4735b90e918df5d02719c09d98850d2bfb0880d9fa80ff8b72f5b", + "sha256": "32389de8f4a3a9b8d96994f93486c9df96b9247ecd2ad1f574b7072d41e9064b", "type": "query", - "version": 3 + "version": 4 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Potential Disabling of SELinux", - "sha256": "68bbdb25d3a0f0d088bd7072fdefec01a701b6549176297cee71b31463d90ffe", - "type": "eql", - "version": 111 - } - }, "rule_name": "Potential Disabling of SELinux", - "sha256": "e7211f890d92f3a7d930cfd4bc9d80fb4376b20adbbb602dd24721075ee45090", + "sha256": "cd4655d53e4197405af37fc5456d62316e20bcd0d52f5f2000730fc4c7fa77e1", "type": "eql", - "version": 212 + "version": 213 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 411, - "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "68b70fb7a0759edb5d4057074ce39e0a9d16c36f7e65d6fdcdfb8e6872bfbbc7", - "type": "eql", - "version": 312 - } - }, "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "b5e1dca924f5d9acc2bbfe1082785ef9458b056c40140e162d7526060d6bdbdb", + "sha256": "395d279ec90b09e6498963fb15ac93a8e02e69ac2d5db03cdaf059d2ef813924", "type": "eql", - "version": 412 + "version": 413 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "IIS HTTP Logging Disabled", - "sha256": "3195012ac10b6acb9ebb4755275fdac561d8f506d8cef35b17fd47c2ab509787", - "type": "eql", - "version": 112 
- }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "IIS HTTP Logging Disabled", - "sha256": "ab59351227fd6484a4b159f3a14973dda7045b27ac198fe102586b190e574639", - "type": "eql", - "version": 212 - } - }, "rule_name": "IIS HTTP Logging Disabled", - "sha256": "1a2121317ae7d1b300b92ea3307889c9851bd10a65e714b8f37ba6fbf52f179f", + "sha256": "b6e994e9cd4797cfe19d97fb226ea3f364300befe3165d3d6d447d04c79e5194", "type": "eql", - "version": 313 + "version": 314 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Process Execution from an Unusual Directory", - "sha256": "076b7a80f89f6a6f1a3081a38ce953a5acf2175da6922f04cbe0f6d6a55b0356", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Process Execution from an Unusual Directory", - "sha256": "86c59576f4ae4cad721a7fd636edf4192fd6dac90a899e71bc8c3d9ebb79154b", - "type": "eql", - "version": 215 - } - }, "rule_name": "Process Execution from an Unusual Directory", - "sha256": "789d46c9447286758f21fbcf2f6f2d2c30de369ac38a78bbbd0d8a8518e422aa", + "sha256": "1e0d8c9798180cfb6d6ca288ee27f77b0a1e754626962ae4668240dc20ec3dff", "type": "eql", - "version": 315 + "version": 316 }, "ec604672-bed9-43e1-8871-cf591c052550": { "rule_name": "Deprecated - File Made Executable via Chmod Inside A Container", 
@@ -14511,159 +8400,101 @@ }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "4572e35abc9f3fb1f7be34775ed498cbbbca8890182cba8ca5beff3a53bf673f", + "sha256": "02f17712df688519b9a6c897ce5c4e4424fbb5aa0d5d13fe44b4e62b864d49d1", "type": "query", - "version": 207 + "version": 208 }, "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": { "rule_name": "Unusual Instance Metadata Service (IMDS) API Request", - "sha256": "b69c69c1bbacce025e21987b18df13452767d8102331304cd46d1f177fb8a602", + "sha256": "47e4958d50e93ed6778740ecfcf89bd396029c2690a9bf011d84767a7468ab0b", "type": "eql", - "version": 4 + "version": 5 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "rule_name": "Executable File with Unusual Extension", - "sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509", + "sha256": "26eb81d65b0052deb8fd6ae74d37f43fedc970ff9c1e5317e15e43470b1cd0e0", "type": "eql", - "version": 2 + "version": 3 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "35c7505a4a7e2503e09a6d55f986977e180f79e72dfde6b46e17c48fff3342e3", + "sha256": "a2827f578cbd78913f8094870ea1f47520a28dcf7c9b73d68a250b0cc0e72993", "type": "query", - "version": 207 + "version": 208 }, "ed3fedc3-dd10-45a5-a485-34a8b48cea46": { "rule_name": "Unusual Remote File Creation", - "sha256": "25b7a11580eaa10f455ac93b195afb23108822c1ca8665f2f28fd2816ef1edf6", + "sha256": "44572f2362fa5d16dc5a5facad9a20fa1690c0d70c0ef5117bbc5f72bdd6355e", "type": "new_terms", - "version": 1 + "version": 2 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "rule_name": "Azure Global Administrator Role Addition to PIM User", - "sha256": "31edfa8b99be2305a6bb1447799c69cf2f60e5a834ce4b064a4b4665bea80dd1", + "sha256": "11bc690130eb258d4981c113a2b0aa9423075397f2b7524177d58c05525885a0", "type": "query", - "version": 103 + "version": 104 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { - "min_stack_version": "8.14", - "previous": { - 
"8.12": { - "max_allowable_version": 212, - "rule_name": "AdFind Command Activity", - "sha256": "d60af1f28f9f81685a9aa0c7a36a0cb1c35ba51859da6d4ebddbc8bb02ac9907", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "AdFind Command Activity", - "sha256": "48f50e30ab0904b32f28ab124297e93c7d20c9f3b7601a91abe9ee1f4e5fcb08", - "type": "eql", - "version": 214 - } - }, "rule_name": "AdFind Command Activity", - "sha256": "b05a29a436ac542b88bb1e6c8d05c378015f4988803a39a6e5f4c0be47607513", + "sha256": "e3342025886a8e9918d18e9751c9b684b1a5fff7ef36f6620ef24fa7e5dcd927", "type": "eql", - "version": 315 + "version": 316 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "f254d125f5da752be3671f52f44af3671f6730739ac5e5fe785f8bd0f831b628", + "sha256": "7293a963f88760ced8b6ac3254e3f873ac11ecb6772d9e3eddfc990c37999a27", "type": "query", - "version": 411 + "version": 412 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "58dd0e1e34abe8443249ad67198996b183471f4fc2f883d57058fd29a584325c", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "8cd9d18fd66c29f88fb14bbae4dfefffb29f97c2bf89c097c6f6cf10e24125b0", - "type": "eql", - 
"version": 215 - } - }, "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "36fe3eb7700258bcd9214dcd215ae71c9a1def542f197f5e822450a297d327b9", + "sha256": "57c89a202d59826b5d10267c4a7a74d3163450526be380ce825cee705fcc591b", "type": "eql", - "version": 316 + "version": 317 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "rule_name": "Linux User Account Creation", - "sha256": "5147bc8232ad7a92a84e036bdd81d4fcbcc9ce09fe2b0a2697ae01769ec50e20", + "sha256": "0df96960039330d93aff22d2804e6907345c7a48b9e8ece5549e29c1fb043ab3", "type": "eql", - "version": 7 + "version": 8 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 205, "rule_name": "Okta FastPass Phishing Detection", "sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24", "type": "query", "version": 107 - }, - "8.14": { - "max_allowable_version": 306, - "rule_name": "Okta FastPass Phishing Detection", - "sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24", - "type": "query", - "version": 208 } }, "rule_name": "Okta FastPass Phishing Detection", - "sha256": "7ff673016488bafc9ac4a344918957eda1629b68b0dd51bdc773ce2f9ace05a3", + "sha256": "5fc77a932c49418d0045771eafe0e2e576ca9e4b14e91932f739b0faf338ace5", "type": "query", - "version": 308 + "version": 309 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Unusual Print Spooler Child Process", - "sha256": "5bc2e722e6fb7b61ce923befd4ce4b3a3d8fdacf1290dba7ec5ea911760c53e8", - "type": "eql", - "version": 111 - } - }, "rule_name": "Unusual Print Spooler Child Process", - "sha256": "e9bd712f3f743bd51f11e419a9ab89603ed0cf358d4fc912e877907e172a2080", + "sha256": "2d2e0f6240ae38f7e0b69ef6ad7bafd1d7e62832d4f2fe56e1add1e7821d3ecf", "type": "eql", - "version": 211 + "version": 212 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { 
"rule_name": "Shortcut File Written or Modified on Startup Folder", - "sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662", + "sha256": "04fec0a096749a95e17bd8ce3f6568b2511508263bbfb0721b15ad6d2442d450", "type": "eql", - "version": 2 + "version": 3 }, "ee619805-54d7-4c56-ba6f-7717282ddd73": { "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", 
@@ -14673,41 +8504,21 @@ }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "0a31cd84388698181bb0e4d15e98b40bea0da0c9be8c956e27580d00780e3893", + "sha256": "d848b5a89ce014c15a146a22d220f395c2bb9f3e8412a1503ee91eefce9eaf79", "type": "eql", - "version": 109 + "version": 110 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "BPF filter applied using TC", - "sha256": "446f19bb2ea5d80c1e18160601ba2b38ea8e81328974575d0c5369662901dfac", - "type": "eql", - "version": 109 - } - }, - "rule_name": "BPF filter applied using TC", - "sha256": "7ada39c6d2903cc362c1ded034828a6b929954050f650fa4d3d166b93f3ec78c", - "type": "eql", - "version": 211 - }, - "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "f4ee5791bd579b8b6592dbca0af0c3eae7553a3f4d087397f873f3621c85d929", - "type": "eql", - "version": 8 - } - }, + "rule_name": "BPF filter applied using TC", + "sha256": "30fe03333e35e38dd5d69d8669503dc6f9ed9d29cce312a4fb92f25344333167", + "type": "eql", + "version": 212 + }, + "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "5270c503b5846ad6b35fd79100b8270b2b26c8f6968c90d112b8f672cfe55507", + "sha256": "d05c810f55821a20d818adf7a89c3bd8b3b1a4ac214973fc7e936e1b1c046312", "type": "eql", - "version": 109 + "version": 110 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File", 
@@ -14716,283 +8527,171 @@ "version": 3 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Whoami Process Activity", - "sha256": "b020b8f8487dff043ed4f8e013dc6aee3af6d55ecfbd53cb47b9537f140e9427", - "type": "eql", - "version": 114 - } - }, "rule_name": "Whoami Process Activity", - "sha256": "311d843fda11fcbf852fdb41fc87dd280481e8bd3d0b7319527aba5059fe4954", + "sha256": "3348b3b7bb5f0a926e86c210c8fde190635cf95049710e10ac6c65948844e099", "type": "eql", - "version": 214 + "version": 215 }, "ef8cc01c-fc49-4954-a175-98569c646740": { "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", - "sha256": "deb097d91aed42823bd3a3204774168f890ba2423ac4e4253b9d060f32f50e79", + "sha256": "778230a26def2a0e67e96f7595a9178850858357a21ca5b48469576b483692e9", "type": "machine_learning", - "version": 5 + "version": 6 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "23beebafef0bf295f6aaf5f99044dc15f8db23dfc7a6f68d46c1cb7a9416c43b", - "type": "eql", - "version": 109 - } - }, "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "6f3bb7099a9a769fb898a67560799db56ad58c5624c016b1d46a98b1bd12e651", + "sha256": "793f90dcfcda045be8b8e57c76769b6cc6a67cd9b60f24692a41d6a1b46f09d0", "type": "eql", - "version": 209 + "version": 210 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "rule_name": "Suspicious HTML File Creation", - "sha256": "2d7643f5258ea00499f6a724d37680b18ea9e51cff76a508b397813d06cc2023", + "sha256": "f4c82742914d3de3e48736b687e0456d3d69c4995b866f42433893ad855a7d50", "type": "eql", - "version": 109 + "version": 110 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 307, "rule_name": "Administrator Role Assigned to 
an Okta User", "sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6", - "type": "query", - "version": 310 } }, "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "7dec7b69a9ae716233a2cc4ee0bf5ce3e8f108b425d0be073ef6d211e7eaeb3a", + "sha256": "6917f95f482828c07c75c4e7d6f72fb962c87be2f1fd72c040cbe80975b8db57", "type": "query", - "version": 410 + "version": 411 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", - "sha256": "66dc553f0e5d998d6287bc5b3bb0efe2b016816411c35e13834d2fa558a64ad2", + "sha256": "24c12ca485f16a98dbfc7c5b6106b7402942c22fba4d239c668a2f5538b406c9", "type": "eql", - "version": 111 + "version": 112 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "rule_name": "Azure Alert Suppression Rule Created or Modified", - "sha256": "dce40c891055fa59c868c0409223dc95efa62252fab387bc182bf9ad3f30eb55", + "sha256": "4e6e449e7f6a73a48b024a0af1260491edd09435a3a83c8bbd642d4ff3483447", "type": "query", - "version": 103 + "version": 104 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "ddd5f8f0b1dbde6fb7d9d9802b9190fa54d38d94c423afe4c859794d73da4720", + "sha256": "41e7d0dc2f138e4b3cefed3d2284d24efc6c860945ed14ac8e2bfd9b7744fffa", "type": "query", - "version": 107 + "version": 108 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "c678c2e4d480d9276b6bc7967e6eb21e4cac673058c59d4b70b8be8b00bbf699", - "type": "eql", - "version": 8 - } - }, "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": 
"3e3a90a47139a3dc0d1c763351373920dee8e161a176b916ccca2e6be16dfed7", + "sha256": "fe32158eb449f11f2206d9957876fadd3b363b614fd6269ae507b611aaeab0e1", "type": "eql", - "version": 109 + "version": 110 }, "f18a474c-3632-427f-bcf5-363c994309ee": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Process Capability Set via setcap Utility", - "sha256": "8104467acd6f82c9b69239d6bebc8750dcce6da3f4f4efbad4a57197063174ba", - "type": "eql", - "version": 2 - } - }, "rule_name": "Process Capability Set via setcap Utility", - "sha256": "c7c1780ea2c3381899f8df2aca24d636619832fa7d0cc4a7637a1b519513a2b5", + "sha256": "dab005eb675c77c6ed9e4baaf41dfe9836c839905f24763154a739a9dd05b029", "type": "eql", - "version": 102 + "version": 103 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "rule_name": "Forwarded Google Workspace Security Alert", - "sha256": "53a99b49697dcd944871a7610cafdbf834659d68f5631056a35cc52f1c8e1aab", + "sha256": "1591bdd1b5db5f19c511f74842217e37302a1d4f6ca0ff1d0dd525fca7d06e62", "type": "query", - "version": 4 + "version": 5 }, "f2015527-7c46-4bb9-80db-051657ddfb69": { "rule_name": "AWS RDS DB Instance or Cluster Password Modified", - "sha256": "684a674daf52a0659d98f70c6854676100390d6c0cc41568e4450ec8568d1115", + "sha256": "b8fea4ec10d167e43ccb1c206bc2a38d1f10729536b1bbd9b7aba0a4c1244b1f", "type": "eql", - "version": 3 + "version": 4 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 104, - "rule_name": "Service Path Modification", - "sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599", - "type": "eql", - "version": 5 - } - }, "rule_name": "Service Path Modification", - "sha256": "a707712ab1a8884c4ac8dd000630745507c22979577802994c2e9d0ab4b5e091", + "sha256": "292d4aa8edd0caeec1e29fa8665f46ff2793206064a100df1cdcdb5a5b6c51c6", "type": "eql", - "version": 105 + "version": 106 }, 
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "789001d17851c913e16d3c0cc68a245041a71e317aee771f954879787be2e107", + "sha256": "4e0c75028fad0969d746242d8706e48f1fa9de31cbc176d524acc2800af48222", "type": "eql", - "version": 110 + "version": 111 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "d34b536f30334984723914ab4d44bef45a48785b1ce33846ea6fa8169f40a9bf", - "type": "eql", - "version": 111 - } - }, "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "6779913c9f6aa81caa57d89b94072b01b0638454d4faaa9433f37e902cd65b5a", + "sha256": "2151659f71f600bfab423a33bdbe32e9e6e2ff0d58f3b392afd024f36d4034be", "type": "eql", - "version": 211 + "version": 212 }, "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Malicious File - Detected - Elastic Defend", - "sha256": "6e2ffd6be5eec401665da9f328ea418437bc87ae39325fbda96eb3fefbeac4ac", + "sha256": "568e1041f44361fecee31f7f90400410dea37ac50827c99845fd265d704235bb", "type": "query", - "version": 3 + "version": 4 }, "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { - "min_stack_version": "8.13", "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session", "sha256": "42cba0422e9398684922e14a9f8bcb52726504673ccd9369a94911561994ab23", "type": "esql", "version": 2 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "SIP Provider Modification", - "sha256": "3171aedb786a6c4346ca2d6e875c736ea14d23e12331aeea3c994e5dca963238", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "SIP Provider Modification", - "sha256": "29662765828508b5d2ddf5905237089fde83513f4c34bd44c93f0e27849d77c3", - 
"type": "eql", - "version": 211 - } - }, "rule_name": "SIP Provider Modification", - "sha256": "e0ac3c29d4a3e05055331a8c99eae6dec675fdf4637d6585c80557b3dc879681", + "sha256": "d2f3e8208ecaff994acdc3a22be99eb3f6a4cbc504c08b35cfcdf358cd4091b7", "type": "eql", - "version": 311 + "version": 312 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "LSASS Memory Dump Creation", - "sha256": "f8cbd6a379d828f24d80c53ac9f923bccfcf5f6db7532cf8567c55c09446dae2", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "LSASS Memory Dump Creation", - "sha256": "c0268c1e96cb8a7dfec0cb7f803ec42df015cf80a71719b1a544cc4285ed0087", - "type": "eql", - "version": 212 - } - }, "rule_name": "LSASS Memory Dump Creation", - "sha256": "accf15ffd7f736c713d38e6f024889430d4031685a6588588249bb092332d720", + "sha256": "951f2e1673e102463093c2ff30c5e50e8c86c86165460ddcdb5f6bfb1b9d2acd", "type": "eql", - "version": 312 + "version": 313 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "rule_name": "AWS RDS Instance Creation", - "sha256": "3bb082fe7f035d7f0edb310d42459b011a6ecb97c9b46e008e1c1434840e95a9", + "sha256": "ddbbec610db6a283c1d61228059725f34a19d4b41ba75691104de48cf92f873f", "type": "query", - "version": 207 + "version": 208 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "rule_name": "Google Workspace Object Copied to External Drive with App Consent", - "sha256": "68842c4cfacadb832e1f45c3c1a25ccad99d8f7ce2309f64689ad93997eb9216", + "sha256": "c335728c999783c3fb1640836780d8784caf524535b78b35a896e0573e194ea4", "type": "eql", - "version": 8 + "version": 9 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", - "sha256": "84a652c9dcb5ab611cd8888bcb7def8d9e6ba1a10712c28017fe35cceb6d07de", + "sha256": "ba93e280bf515c2416bd93583536626ae8456a25e0c828cd6aaff58c4ccc2cb0", "type": "query", - 
"version": 6 + "version": 7 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "WMI Incoming Lateral Movement", - "sha256": "bf322fd08b8f2bfd47228ee56470b9301a500aa181f75f9594d50ed79033e3a5", - "type": "eql", - "version": 111 - } - }, "rule_name": "WMI Incoming Lateral Movement", - "sha256": "0362f87f30104a3705ec25a5424fbfe8a39cde9dc0337cda33dfc8426b0522bb", + "sha256": "9f7ee74673817cc624f9e5c0d29379b9b188c815005dd839249467c9432d5a5d", "type": "eql", - "version": 212 + "version": 213 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", - "sha256": "ee7bf6773bfbc573d11e5c0660564ca53d3a9b917ec5f64c87a3b7e9d4b86fa7", + "sha256": "18b9078e04e53665a9e42c20892ae7b343695676e33f9ab44a06568d4c56aa2f", "type": "threshold", - "version": 105 + "version": 106 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { "rule_name": "Suspicious Network Connection via systemd", - "sha256": "9ed35a351e57a72bfce5b7738b0f267bbd83cf55d98a20e89c2437107a1a6c21", + "sha256": "909b708c3c5fe5419060f8cc3f4c608c5bedc609274b7e331c3f35ec45e53142", "type": "eql", - "version": 5 + "version": 6 }, "f391d3fd-219b-42a3-9ba9-2f66eb0155aa": { "rule_name": "Kill Command Execution", - "sha256": "9d6d2a6025d89d9936130285a084379d1d31b9e3568db970acc29d05c1c6a7fb", + "sha256": "21aefb47a6ff7d327c39e477956363c1d06d4a604575c934c1fb0a5848589868", "type": "new_terms", - "version": 1 + "version": 2 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "rule_name": "Threat Intel URL Indicator Match", 
@@ -15001,72 +8700,42 @@ "version": 8 }, "f401a0e3-5eeb-4591-969a-f435488e7d12": { - "min_stack_version": "8.14", "rule_name": "Remote Desktop File Opened from Suspicious Path", - "sha256": "ee6f8d0f53cd74d79393a04a0a83fb95d10b020160092e227b0db1f484289f16", + "sha256": "4784c8cfcfdd3d71afe46f06f3fefa52ed4a7e093dfdf5164a135a4998025ab2", "type": "eql", - "version": 3 + "version": 4 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Potential curl CVE-2023-38545 Exploitation", - "sha256": "997e81e732075c8530c62edcc3e0dbacfdc2a918bb79517ee27cc287a6c74b07", + "sha256": "6ea1cb9f3cf028cb815f82f3d33816c5615e61740687f8daa0f6242e0fd1d22b", "type": "eql", - "version": 8 + "version": 9 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "d8fa297a02bd05755728ee6202070fef2ebc8f2f5ae3d46617d78034d80e24bd", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "111139bb2a9a56c179012f91b0e217c614e1527fc3eb2a4b713943763e5a7a40", - "type": "eql", - "version": 209 - } - }, "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "67cc9ea0dae5af83aac83f80454998408a24eeb1e521ae441963e51278f54b7a", + "sha256": "323f831275152839d4f63d0c24588e0258995447e74ae531d58005d1f7d3d08f", "type": "eql", - "version": 309 + "version": 310 }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration", - "sha256": "6f77b4339b6982feae60ae38491e22c8bf8931801527efe93368ab2d675017c6", + "sha256": "0810cb58b59f4b62e59c00ba0b9d77a59176f6eda28c68246e58e8bf44fb123c", "type": "eql", - "version": 4 + "version": 5 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 212, - "rule_name": "Sensitive 
Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "9c9490d04847aa87bb7ecf37a56631b96d3e56c1a3fb00b8c6b2fc5739161f46", - "type": "query", - "version": 114 - } - }, "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "bec893fc82f770985073646d905e8d123ff1994906b7c611522639f92f1361cb", + "sha256": "52d2fe52f3a61720cb44331a7f25c02c0738d93fc4c7e5e4120c122aee4f9a97", "type": "query", - "version": 215 + "version": 216 }, "f4b857b3-faef-430d-b420-90be48647f00": { - "min_stack_version": "8.13", "rule_name": "OpenSSL Password Hash Generation", - "sha256": "04b4c9ecf43e0acf3fa6b298371accc63a200e07eb118a4d5edc9430aaca263a", + "sha256": "7dcd3d966aee09603447a9cbc9c2b71946b618905723f824015b77920d2ba856", "type": "eql", - "version": 2 + "version": 3 }, "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { - "min_stack_version": "8.13", "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", "sha256": "67cfc341651734d5dc809fca49d66ce14a80f2ba8535da9515f18242adfca0cc", "type": "esql", @@ -15074,9 +8743,9 @@ }, "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": { "rule_name": "DPKG Package Installed by Unusual Parent Process", - "sha256": "aacfd52ed0aee2049e2ec00c2475153a185d83bbdd407232e9012a142292ac95", + "sha256": "edb857bc70241122fedaa1996b651a7a9ba688d421972e539c625617eb9186d9", "type": "new_terms", - "version": 3 + "version": 4 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", 
@@ -15086,32 +8755,15 @@ }, "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "1049a0ba43faccfc6c8219d7fbf5b81cd5c21f97a63be1f334d9b8b883e8d73a", + "sha256": "34fc3925d1151fda722c2c035158838e8872f6d8a1466be160953b722a68c4bc", "type": "eql", - "version": 8 + "version": 9 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Windows Script Executing PowerShell", - "sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Windows Script Executing PowerShell", - "sha256": "7d014986e6735e5f5b90c0790e404e69d4e5d64634f6935fb10a34ec72877e05", - "type": "eql", - "version": 212 - } - }, "rule_name": "Windows Script Executing PowerShell", - "sha256": "70e912c507ffd352948a3b3477a1ad50a61cbbd2effc94c80291e684c151ed1c", + "sha256": "4378ee222919efba7427a577bda294aa0442bf9d057e250b39badf4e4ce132ed", "type": "eql", - "version": 312 + "version": 313 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "rule_name": "Deprecated - SSH Connection Established Inside A Running Container", 
@@ -15120,185 +8772,94 @@ "version": 4 }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 107, - "rule_name": "Rare SMB Connection to the Internet", - "sha256": "1a52a9efcabc5597110829afe735c6831cc9b2e64ed6169e8e81459e8669c83c", - "type": "new_terms", - "version": 9 - }, - "8.13": { - "max_allowable_version": 207, - "rule_name": "Rare SMB Connection to the Internet", - "sha256": "0002a051fa57648d20e54eaded6c44a1f3bf1c307e7e8ec68200ff562fd22790", - "type": "new_terms", - "version": 109 - } - }, "rule_name": "Rare SMB Connection to the Internet", - "sha256": "b913881e92e1a38bf6737390fd81a1138292cbd48aa0fb8c2d3c85957650ad7a", + "sha256": "ae9457eb32db9a0db1ed90111e5b299471da915c82b32888e3f633e7bb0e700e", "type": "new_terms", - "version": 209 + "version": 210 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "WRITEDAC Access on Active Directory Object", - "sha256": "7985f5aefba2ea64d65352cb9a8eafeb6764e30498ccb6d629242be6c5b979ab", - "type": "query", - "version": 8 - } - }, "rule_name": "WRITEDAC Access on Active Directory Object", - "sha256": "f743162d208f76da7f2a978f2cb537ce0f8849dfe5a42af3ab46246b6bd8371b", + "sha256": "098b67561c77f0c21c5f210a522714d38ba5c1d9399953b688dc2131d41afdbe", "type": "query", - "version": 108 + "version": 109 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "WMIC Remote Command", - "sha256": "03ff2581fa827afb289f1ed2f6e5aaa30032940c26bdf3b8d440b729539d3e53", - "type": "eql", - "version": 8 - } - }, "rule_name": "WMIC Remote Command", - "sha256": "733c3aee481bf3891f180a572bda3b7c68d7c19d1d7a3989c0def03ae9fe0933", + "sha256": "80869aeaa9ecaa78b06215b22030b3c567e651a63e4742eb9d7430ac8da5dc17", "type": "eql", - "version": 108 + "version": 109 }, 
"f5c005d3-4e17-48b0-9cd7-444d48857f97": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 105, - "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "3ae5e32591f980bca7b3064fb9a680b9329a75f4ddc4dc888391659a4c1f654f", - "type": "eql", - "version": 7 - } - }, "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "e41e3069e64db02d6742f75d9126315cfeee13e18851f97d1260e4fd6b35d76f", + "sha256": "a4034117152cd8f97a567fb9c3b1044317ac7a928db9810a14c30d65995b5501", "type": "eql", - "version": 108 + "version": 109 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", - "sha256": "a3bc6cca188a55aa33021f1b9c7d396bdde78a3350f1c4fabb974a4fcffa5ca4", - "type": "machine_learning", - "version": 8 - } - }, - "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", - "sha256": "b133ffedcacb83e511e320e25d6f4afc9f2d638fa12afbe470fab88a6009d07a", + "rule_name": "Parent Process Detected with Suspicious Windows Process(es)", + "sha256": "5a191ad4b653b38b802827b84ba554eb61833a7aea198cd7e00c19f3bebd2ee7", "type": "machine_learning", - "version": 108 + "version": 109 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "rule_name": "Masquerading Space After Filename", - "sha256": "05d412610d0acf976c64885d739c2519d44630cc8036b7dba0c8533c92385d15", + "sha256": "bf07acc9ac42cff21fa4a5bdbb18b5cf1d2bc9b47b427a1c5331b9ef2d8074e6", "type": "eql", - "version": 8 + "version": 9 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { "rule_name": "Account or Group Discovery via Built-In Tools", - "sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135", + "sha256": "d9f5621f82be94bbf80b69482ac416431c8ab7e4448aaff2c48979576254bc22", "type": "eql", - "version": 3 + "version": 4 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { - "min_stack_version": "8.14", - 
"previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "62eb84c5f2680cf2953c3a642bb4371ea70e676be5e9e9ac2dcf237f4040cb81", - "type": "eql", - "version": 211 - } - }, "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "af1f6d2bf1fa3cfb4d9c71f51f507b819781648a109443ee036b66be24aca5b9", + "sha256": "163f881eaabb32aed0575c3999e5a354e662d3b11845a984033f329d8c453063", "type": "eql", - "version": 312 + "version": 313 }, "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", - "sha256": "aa4abbe944c50eb6c464d33d4880bedbb1778ff5139693b5f95e1f81e54a05d4", + "sha256": "dfca3722b9402ca28d36a5ba2d1d4377c310d9461799ab5024314063fc1edc22", "type": "eql", - "version": 3 + "version": 4 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "4b55ce8144feb04c19f2449fa5a4c724ce26861e85a8ff9d63ba91fc24c90ae9", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "37d393c66c6a0a664ed5d4ec5f5497345d8fdbec26f4247d4528d04510eaac3e", - "type": "eql", - "version": 211 - } - }, "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "605f5f70bc621228a60d3f975abc644f00df34913b0b363cc8cec5d226e082c1", + "sha256": "2ea135090bfac64ddec4b4ad76c044f9295ca83fbe6a5e1c740159c43e661692", "type": "eql", - "version": 312 + "version": 313 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": 
"076beef00e93e7c5cea8221f52feed6734107ad9cfb9a62a293d50a066132e1d", + "sha256": "6b0b3d8d5ab2b21ef1d01687fd7be5b31877f1c9a2da47182cfb0b9aacf54508", "type": "query", - "version": 107 + "version": 108 }, "f6d07a70-9ad0-11ef-954f-f661ea17fbcd": { "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", - "sha256": "de4cb537409466e76a7f865cb93e0842a6fc8f04b9402caaa3b8f56928916711", + "sha256": "d8d5756ec5102a1f1585ee55ebc190c8622cbc2ea6fb78aa08c63ca978c50393", "type": "new_terms", - "version": 2 + "version": 3 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { "rule_name": "System Hosts File Access", - "sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571", + "sha256": "dcabc1ccf456b619be16c7d4f319368e1a271b289411b3ae1e420c528ce1ee7c", "type": "eql", - "version": 3 + "version": 4 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "rule_name": "Azure Service Principal Credentials Added", - "sha256": "901f5b0b8cf2e223bd55f2b15863c0285e7df7dbae24b8ae528572bd52df13a6", + "sha256": "7219f77cd9848f3f4062404a148267380a546a5464968f4f428716f29cdfdbd4", "type": "query", - "version": 103 + "version": 104 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc", + "sha256": "96c9e0f79001a3dcbc66f897b1e83dc22f8ae08600ffdcf93245f019d5f13059", "type": "query", - "version": 209 + "version": 210 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { "rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container", 
@@ -15308,344 +8869,171 @@ }, "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": { "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance", - "sha256": "135091eba79744ed7a55ef7e0825fb4a5189f443b6940d9f322b755d28b98d0f", + "sha256": "f45e24f7935b01886852f803af0a671162023bec83923790d3c34370c2f913f1", "type": "new_terms", - "version": 2 + "version": 3 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "3bb11d5684b0514f8d1a5326d1645b8787ea37ae7731db6df5e7d94945f6ef1c", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "4cbd3242743b94fc54ec1eff6658bdf2a9009dad93fccbc3354272cc5c10196e", - "type": "eql", - "version": 213 - } - }, "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "0265f205075afb8a44fcc9339b9b8e7819b11ee960a7fcadff4ef19c40407944", + "sha256": "a35c35cbe5c561bc2a55870adf6ca6f81a6001256e2ef3dd13a4d394e2dbed3a", "type": "eql", - "version": 313 + "version": 314 }, "f7c70f2e-4616-439c-85ac-5b98415042fe": { "rule_name": "Potential Privilege Escalation via Linux DAC permissions", - "sha256": "6a6d4fc7401921ef468189f6dbd0c74591dd1d15fcab4c0f5b4033610123be2c", + "sha256": "a532a89c0b87d8d326dd30af07959a5f51ed166fa6ad3649d33a3c6f83244105", "type": "new_terms", - "version": 4 + "version": 5 }, - "f81ee52c-297e-46d9-9205-07e66931df26": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "e36c1fdb2b34568b5431017b6d35a86a116bc34c7b9af52fbfeaf4548233dac3", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": 
"a577211254c57b0fba47713de661ab81bc197366995a8d14d939f8667dde3ffa", - "type": "eql", - "version": 210 - } - }, + "f81ee52c-297e-46d9-9205-07e66931df26": { "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "fc3a25445b0ecc88878661c840092042b33a21a6b66a2307253219ea04c67913", + "sha256": "4b7054b8e93f511955f986fcb9c0790f8bb47247136d1f413860f8d12bc18b3c", "type": "eql", - "version": 310 + "version": 311 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "402f5404fef876bbbd2aba0a471857bb32c2a7c711af599817c9834d0db5c2be", + "sha256": "b082e34dc5445d9d4563b01d9de2f7d44bad034e4d4ee87eb5094a6f8748b28a", "type": "query", - "version": 107 + "version": 108 }, "f86cd31c-5c7e-4481-99d7-6875a3e31309": { "rule_name": "Printer User (lp) Shell Execution", - "sha256": "12e7c55fee43e3358537c176334e6b7cd84b05d2c67c317c3fd90c4e662fb744", + "sha256": "0c78ea160d14b7000a86ab7c9806b3b72fcf62f3a5b1c11da809f266711e06e2", "type": "eql", - "version": 5 + "version": 6 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 211, - "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "f2423851bfbeefbfcda2a745c74dc1370032a6f7cfe9efbc981454ee74130559", - "type": "eql", - "version": 212 - } - }, "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "0514fd1665b1dca73aee98091741b1265ecf43a5d052dae60fc15595c8f553bc", + "sha256": "978f896c1de693c78158bf929f0f3fd25ad09e99fc1e0276ebaa53e9781e1ddb", "type": "eql", - "version": 312 + "version": 313 }, "f87e6122-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Malicious File - Prevented - Elastic 
Defend", - "sha256": "d1c898be638d5096dd716fa069d4f97939ae4f046843453bfc9ed889ab139d89", + "sha256": "73832f7d366d1bc467bd6c2e62319bb426f6a20c40bf11e45cd6b8d2d4481c9d", "type": "query", - "version": 3 + "version": 4 }, "f8822053-a5d2-46db-8c96-d460b12c36ac": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 103, - "rule_name": "Potential Active Directory Replication Account Backdoor", - "sha256": "29c2ae7b2d50ee5ef2f2bcf97f7765c9e3fd3285a0a90abc25a099698c75201d", - "type": "query", - "version": 6 - } - }, "rule_name": "Potential Active Directory Replication Account Backdoor", - "sha256": "6ba1bf053fdf699e3aec2f40f34fc6e5a4213ec85fc037f203b85e7f7e59a4d9", + "sha256": "6d6c29f6c4d74cb4b200b2a08fbf6d6b1f2faf58e2e057a0beb744ecc04c44b7", "type": "query", - "version": 106 + "version": 107 }, "f909075d-afc7-42d7-b399-600b94352fd9": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", - "sha256": "e26f15abdf56aa1b61415ba7dc51da814455d36335a30451a9089c7e28074d99", - "type": "eql", - "version": 2 - } - }, "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", - "sha256": "2e15e1eb9f168cbe35162f3f54f7fafe7bd69c93f20be54a0724c2a79542ebd7", + "sha256": "365068a846f9feb609c7b78a42aa7600e72d3308dd0c4a83e8285247d7a2687b", "type": "eql", - "version": 103 + "version": 104 }, "f94e898e-94f1-4545-8923-03e4b2866211": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", - "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0", - "type": "new_terms", - "version": 104 - } - }, "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", - "sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737", + "sha256": 
"c8febe9de61b30b53213808729444c7bbd5b6a06aba843d8950832c61c11ec46", "type": "new_terms", - "version": 204 + "version": 205 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux Network Configuration Discovery", - "sha256": "d11d9b7a7104ede9ec52c99b7a22fda51997f927c44ba71a8317a0870bf39b4d", + "sha256": "e8d165c269c7428465ad2000b0408d4c755f74f15735d1dd4bcb716ded33abf5", "type": "machine_learning", - "version": 106 + "version": 107 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { "rule_name": "Ingress Transfer via Windows BITS", - "sha256": "a65eed2cc5b097a57b4e7baac0a286e05e9272a546e2fa4ef98c84b45efbaccc", + "sha256": "141bfb7030bbb08d0e760a80ca58530ee3948f9a4ea1b9286f19d4b1561ef7f4", "type": "eql", - "version": 9 + "version": 10 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 101, - "rule_name": "Browser Extension Install", - "sha256": "13264d82b596b30f4a39bca88800139df7d59f7e5714ac3294aecb8adb693f2b", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "Browser Extension Install", - "sha256": "2813c84680c133570b552af8010cab5df5b2cf9ce045b7cb05716d286729bcdf", - "type": "eql", - "version": 103 - } - }, "rule_name": "Browser Extension Install", - "sha256": "420b3c2fb3cad25f5312065eb38e2944b8220eac1111dba2dd1088b95141b687", + "sha256": "826590a84d9b071c5ec21397f04b4937f65efe10243e39f4c278559bd586ecf8", "type": "eql", - "version": 203 + "version": 204 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 109, - "rule_name": "Privileged Account Brute Force", - "sha256": "47b50b29f44c12811728607a941a9e0e41788b4bf9a46e739700c9b40261cd5f", - "type": "eql", - "version": 12 - } - }, "rule_name": "Privileged Account Brute Force", - "sha256": "ed7080268b9fbed899ea78e7e762a2895ae5e18afed44aa1df3c997525874bf6", + "sha256": 
"fd9cb608c0a9828af517dfcdf15ce5c04ea3a4193c748cd9b8ae22b0a587a769", "type": "eql", - "version": 112 + "version": 113 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.15", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 307, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47", - "type": "query", - "version": 310 } }, "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "9f8a0e0868d43b262c98653adb7bed57c23c2509b0fec88ebeb33b1a92853293", + "sha256": "500952a580afbbe6390f58f3f0b31699454e0cb7b77461a38bd6e97e96fc0823", "type": "query", - "version": 410 + "version": 411 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "51e2f2e64af9db1e8aff099e445cf685c9af9929b2a4dc5c5e041d2cd8d6caa9", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "3d4b0d2242c7cd5acdcd0a38384b7f696c1f8811eee13cbbad561ce3c97eb99d", - "type": "eql", - "version": 213 - } - }, "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "f44d655cddfab574bad8ba3b58410fce4204c988aae453914b18474b396ea244", + "sha256": "e4fb0a015aa8b65e02295635ca3ac4260ce3020719a2516bc90aaa6ae8a10a88", "type": "eql", - "version": 314 + "version": 315 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { "rule_name": "Potential External Linux SSH Brute Force Detected", - "sha256": "c8d1d95ef6525a3da18e35d890b332565c8b7453a7c89f16c87080264772d9ac", + "sha256": "29bdb805f822d6e12dbf157fca185fb0ca8d0fb3e4534b668e5a2907818ac590", "type": "eql", 
- "version": 8 + "version": 9 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "rule_name": "Potential Reverse Shell via Suspicious Binary", - "sha256": "ede3e3c7248ecf6e1f840d2bdc7b319a96a0b3eb97e6051872ad5b77a370e616", + "sha256": "c77ce42170e490ff1ba4ea8faa76d7ec4d182cc217a3dcf536002aa72522ccd3", "type": "eql", - "version": 9 + "version": 10 }, "fa488440-04cc-41d7-9279-539387bf2a17": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 108, - "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "e416bd900c26017a9a2e60990ee7ae09ced3df13618bbbc45b29fb2340de74d1", - "type": "eql", - "version": 11 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "34eeb28ee7412555964397a4969d1d55098b05a4107dd4330ea8ac5dd242d54e", - "type": "eql", - "version": 214 - } - }, "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "d4eaa3dfb8b078f3a464ad91d4dcd5424f2faf343c977d6dd7df44cc08e87065", + "sha256": "fe1ebe6319e71072a2d03a4dc28721626704ef8ce2709ab2c3a611fe1f408f6c", "type": "eql", - "version": 315 + "version": 316 }, "fac52c69-2646-4e79-89c0-fd7653461010": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "Potential Disabling of AppArmor", - "sha256": "dcc5486dac299e23f474eb39e2b40231213ec061f4460cc66cbd25bc8ea1b927", - "type": "eql", - "version": 8 - } - }, "rule_name": "Potential Disabling of AppArmor", - "sha256": "a7096f2d6c73fe27e1f80b1da2c040a60eb8eb8d159f2eb8af2f6bbb2cb3dcc2", + "sha256": "bb42054256c8efdc34beb46fc6e70910e74d2120c46ff3d72c1368c8da9f12ae", "type": "eql", - "version": 109 + "version": 110 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "rule_name": "Potential Masquerading as System32 DLL", - "sha256": "24ba6424357603cfc73404dbf3312ba7865f04447af416631ded8fec2599f2fd", + "sha256": "bc6183f19ad1f24925c495908e60195dfc34f3dc766fc14f6509ef305b27adca", "type": "eql", - 
"version": 105 + "version": 106 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "Network Connection via Registration Utility", - "sha256": "b4eed2ddeb40f2bbedc702c4789e5748c0f303fb263208a2bdcd2974c12346b5", - "type": "eql", - "version": 109 - } - }, "rule_name": "Network Connection via Registration Utility", - "sha256": "c04bf7494ed4c20a8a87bbe9bb3f2876b8e92b7af292dfac1b2d2f847593dcad", + "sha256": "96d70c929fa6fb5d9cea50c41a975483d087021946d39373018bbd16942899fa", "type": "eql", - "version": 209 + "version": 210 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "High Number of Cloned GitHub Repos From PAT", - "sha256": "1b149111089ed10df74c8975a4801b321f429cbc00bddf77eebd2f154d5355e0", - "type": "threshold", - "version": 105 - } - }, "rule_name": "High Number of Cloned GitHub Repos From PAT", - "sha256": "babeac41d262653f7ef7c8bddf78a7573fb7894ae7b8c2c9b3f48fc07ef6452c", + "sha256": "f4b56d13ce48941d2efb1d7801030f018576d296074043e78b2560ca17f3f8b7", "type": "threshold", - "version": 205 + "version": 206 }, "fb16f9ef-cb03-4234-adc2-44641f3b71ee": { - "min_stack_version": "8.13", "rule_name": "Azure OpenAI Insecure Output Handling", - "sha256": "5c688822ac431693ee2b4997dcf5f420f610ce923f4235bde962d0b0b5df90d7", + "sha256": "e58142a8bf546e096bbe8c91f73efb44d1322b1e0f14f51a6b33f10b5d5a22ca", "type": "esql", - "version": 1 + "version": 2 + }, + "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": { + "min_stack_version": "8.18", + "rule_name": "Unusual Group Name Accessed by a User", + "sha256": "715017840362b90c4afc02cefbe632e15e6d399776f483595f96935fad0a2d20", + "type": "machine_learning", + "version": 2 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", 
@@ -15653,84 +9041,54 @@ "type": "query", "version": 100 }, + "fbb10f1e-77cb-42f9-994e-5da17fc3fc15": { + "min_stack_version": "8.18", + "rule_name": "Unusual Source IP for Okta Privileged Operations Detected", + "sha256": "4ec1208b05ec3c1dc1fc85bcec71cad131095d4f37cae134a8fba3f7b2817cf4", + "type": "machine_learning", + "version": 2 + }, "fbd44836-0d69-4004-a0b4-03c20370c435": { "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "7953f99ece9b3629d330947f9c59294d7504c35d5eb9415e8410833f95063b4d", + "sha256": "2bfe0f09fa75c7ec1a04cbc48f009f03b0613c9d3197f8ba8ca079549ac39130", "type": "query", - "version": 207 + "version": 208 }, "fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": { "rule_name": "Process Started with Executable Stack", - "sha256": "0463c0b25ecbc17c558c90dfd80f29d64776de9fba2451a8768448d09293b378", + "sha256": "1a83fa4c6a14a474917bcde7203eae0d54d7984b570d2c977434d743c4d3b893", "type": "query", - "version": 2 + "version": 3 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 208, - "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "59543020be10655d8e81766d6a80fb95792cda6820556f739905cb54943ddbce", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "80e05f76dd4e8c2e94bdbd3924f85a5877d9ff5a47c410d308b96f7a1d390525", - "type": "eql", - "version": 210 - } - }, "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "afa60af2586a1e3458855aa64f4d3fbbfe063c3f35b3abc5a840d616f77d9841", + "sha256": "dcea71ecff59d032273a925076f445c9eb7ed317f1a835955e72c20e47e4e9d7", "type": "eql", - "version": 310 + "version": 311 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": 
"First Occurrence of IP Address For GitHub Personal Access Token (PAT)", - "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf", - "type": "new_terms", - "version": 104 - } - }, "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", - "sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010", + "sha256": "5afd2b4b47f8daf777747d5b54d3f43adeab8ebfc2a601d75add27b50a1ed9d0", "type": "new_terms", - "version": 204 + "version": 205 }, "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": { "rule_name": "User or Group Creation/Modification", - "sha256": "e492a1d379ef0524d4b531024a7edf8a09e7b8174850fd8fd2d8824d76499df7", + "sha256": "245c08ce291397722aad60cc96a145e36c9de1dc7bbeb34cd8f024537a60c65f", "type": "eql", - "version": 4 + "version": 5 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { - "min_stack_version": "8.13", - "previous": { - "8.12": { - "max_allowable_version": 203, - "rule_name": "GitHub App Deleted", - "sha256": "c0689f3c0e7636572f0800557c0480309dbcf71e0107dc51b0ed362728a0c927", - "type": "eql", - "version": 105 - } - }, "rule_name": "GitHub App Deleted", - "sha256": "77d5e70dceb83e72c91dec0a125b56e67e4f66b20ca31374060260c91887c03d", + "sha256": "3bce82896faacb7aff9e395f0caccc11bbf9d9fe26ccb4e6b342c85282f71ae2", "type": "eql", - "version": 205 + "version": 206 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", - "sha256": "7c1af1a785726996f19edad02af0353a331e9ccd7a6095127460e2ee4da6beb0", + "sha256": "bcef80ce99e0643f140c1de7d1783bc828dcfec98f90defdc502a0748814e98b", "type": "new_terms", - "version": 3 + "version": 4 }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { "rule_name": "Linux Restricted Shell Breakout via the expect command", 
@@ -15739,257 +9097,135 @@ "version": 100 }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 210, - "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "1ddee753094159e636e994613c0a04ccd3e560927f3709a93fe7d8eff775b79e", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "09749f912d0f05abcfbd2cfc5517db716e29e39627f25bcfe727de8cf2455d62", - "type": "eql", - "version": 213 - } - }, "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "ecad7f4f5f9d2d94f799155a9d4edf26afe515204c3d70ccf998bb5c38a05820", + "sha256": "c6c598691891c47021b15584b386467669892b9e281b280041da2b25bbaab41c", "type": "eql", - "version": 314 + "version": 315 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 209, - "rule_name": "Suspicious CertUtil Commands", - "sha256": "379008bb580fbcb724bd44937e0f2111250767511073c4d6fe5bf58915e22fa7", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Suspicious CertUtil Commands", - "sha256": "0d6fb82afcda861a6b2d317f524c33af9bdc4bef870304c2dbb53d186692501c", - "type": "eql", - "version": 212 - } - }, "rule_name": "Suspicious CertUtil Commands", - "sha256": "b78d113de0bcc2d10346ef3dcedc2bb6f2425ad39eb45da5c6599ebf70360488", + "sha256": "772055d2718256f4bc19e3cac6e4e64c6088b46cc33c2b5a00130092f9dd6a1e", "type": "eql", - "version": 313 + "version": 314 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 317, - "rule_name": "Svchost spawning Cmd", - "sha256": "a61a30ecc9514cb3b5eb1f9d31f97e104e4a51cffd65cbe67fad341835938bfe", - "type": "new_terms", - "version": 220 - }, - "8.13": { - "max_allowable_version": 417, - "rule_name": "Svchost 
spawning Cmd", - "sha256": "8b25fa755b63d74097491bf3d52c9edec8d0b5234cfdd6cb62e4f5ac32198bc4", - "type": "new_terms", - "version": 320 - } - }, "rule_name": "Svchost spawning Cmd", - "sha256": "70083ab8bb26ab3862c4b0f8f287939374e513aa751728554cde9ac66f4f0565", + "sha256": "c12de214d8a61bf3934ce116d3def9a9b0fbd4e380cf29ebddc611afaefdb3a1", "type": "new_terms", - "version": 420 + "version": 421 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { "rule_name": "Image Loaded with Invalid Signature", - "sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d", + "sha256": "c7dd523ee995702801df4e72a048f9b2b9dad4d22dd7e2d6fcb5f1053e3b9565", "type": "eql", - "version": 2 + "version": 3 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "rule_name": "System Binary Moved or Copied", - "sha256": "3f455b9a9fc20d9dca4d989e3236437d2b7c702d96e34fe01c0e21181bd9cc34", + "sha256": "7458239562922c07fa5fbe2b57f0a32dca9b7d369e61c7c9f45b07992bed5ef2", "type": "eql", - "version": 14 + "version": 15 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "PowerShell Kerberos Ticket Dump", - "sha256": "87b8915f4df4e07283d519a5459b89600a2e9018c07136f10a454968ecec7522", - "type": "query", - "version": 8 - } - }, "rule_name": "PowerShell Kerberos Ticket Dump", - "sha256": "21800d17e1a701df364ecf5e4dc921c47a9978bd53f4290052756476349613b3", + "sha256": "3b7fcc833ae29993f5bfe461f349a924b0c644144a0b0f95cb70569620d93210", "type": "query", - "version": 108 + "version": 109 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 106, - "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", - "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", - "sha256": 
"8c11dd82f0841066ff7939242c462d6f9ae4ab6375851532b649a5cc2c186c9b", + "sha256": "0c0ad1b4bf53280691b565421d24f30731e7da0b8573ebd7917751d738300334", "type": "query", - "version": 107 + "version": 108 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 213, - "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "7574ee875c1c9a825dfefa55b0b3b243f5cc25a3f4c7b2a4db8e22dd0cd9b2c5", - "type": "eql", - "version": 214 - } - }, "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "cb03d4fedad0f761b8ee747dbf555bfea74c2931a6f2dd3f82004c0cc1571b65", + "sha256": "8d1e6c74b1ae7a9611c49028b02b99bd23f963bb5bf0821aab7e371e2f41c960", "type": "eql", - "version": 314 + "version": 315 }, "fe8d6507-b543-4bbc-849f-dc0da6db29f6": { "rule_name": "Spike in host-based traffic", - "sha256": "baa59da5dcb208d63be6ca6420e0b62e2ca919aef3ddcb747743d03641a266e9", + "sha256": "e0962989a3dbad4777296e03170eeebe7294b77bb30f7d650fca6cd5a0b18530", "type": "machine_learning", - "version": 1 + "version": 2 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "rule_name": "Potential Masquerading as Business App Installer", - "sha256": "6d71e2f5b064aa990886b9f8855595def2146202b93e657c62c021e3bc852c84", + "sha256": "da0ccb019dbc333fae22d23cadf1cceeb29c548ecd554876b8612b15a933cff6", "type": "eql", - "version": 5 + "version": 6 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", - "sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87", + "sha256": "d604b333438108e727726a282d13876877fa1093ef87fa798a947dae38992c37", "type": "eql", - "version": 2 + "version": 3 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { - 
"min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 207, - "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "02f53b9ca7444dd33ade4085a8403f9f14298ad57e5cad93a2ba6bb6c64fd758", - "type": "eql", - "version": 208 - } - }, "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "99cf8e49260a71f7e543cba491822d4fa747aac63b25532628d89de61e7b5e56", + "sha256": "b5bef117c3bf90e07665205a5aeb8720b92fd6832d7a0eea06807810b1aacbee", "type": "eql", - "version": 308 + "version": 309 }, "fef62ecf-0260-4b71-848b-a8624b304828": { "rule_name": "Potential Process Name Stomping with Prctl", - "sha256": "4f8d4f17d7899a44961b0ed15bd61e32234c08c800dddbae9b75aa238bf40541", + "sha256": "ae175e80b6aaab67de73cce3fa316cf038329133246fbbb8530593296fc53e5b", "type": "eql", - "version": 2 + "version": 3 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "sha256": "7c706cb36925b68e3326c38052f0bc6a5afdfc8ef02a33dc200e92fae09dbb2f", + "sha256": "289575012fab7680dceb4a5488997db3ff25490b3e9cc11f4f5c79d4b521073c", "type": "query", - "version": 105 + "version": 106 }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { "rule_name": "Potential DGA Activity", - "sha256": "ef8f045d4a373ebb67741cef329ed0e2b3a356b64978bd6dcad9716fb2f3f592", + "sha256": "c4c19185520ea14036cdc56468c062d97740dd9cdabc439e38952c4734606e89", "type": "machine_learning", - "version": 6 + "version": 7 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "rule_name": "Cron Job Created or Modified", - "sha256": "2bb9047a12faecde8952e7f0bfe8c12187345c8e1016fdd19c1ebcfdb379f298", + "sha256": "a78d0a5dc23c4a969c9c6451f59877e6ff8407d12b3c6778908e518e569f718c", "type": "eql", - 
"version": 15 + "version": 16 }, "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", - "sha256": "cb20be6b7c6db1a5ba68b0ab829e75e5faad09e13d4ad4db8d1d303a36958a26", + "sha256": "05b250fcc47ff4c1499f73732e4379f5b86aca4a3ca05cfaba3307e81a4abee2", "type": "query", - "version": 3 + "version": 4 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "rule_name": "LSASS Process Access via Windows API", - "sha256": "af8119ce553fafb567f949620657a037808e29169ff198277765c4f54f6aea09", + "sha256": "350a799cf5760880128b6ea530377bd17aa0e79d9b14a4a9a06993f70a2215ff", "type": "eql", - "version": 11 + "version": 12 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "Microsoft 365 Exchange Transport Rule Creation", - "sha256": "fd7869fa1dfb7814d85e599eddf43e2fe64eeff6d58e4bc655b81add4f748fe5", + "sha256": "06fa97e4725cff7836b459fdebcc3426aa43801813621eb22c18240e107a1c14", "type": "query", - "version": 207 + "version": 208 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { - "min_stack_version": "8.14", - "previous": { - "8.12": { - "max_allowable_version": 100, - "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", - "sha256": "142aa8456d0c3151257b8d40bb29b00d7880561940ea1366b6c850725a7fa90b", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", - "sha256": "593b01d8d7d60109ab9ad569f65be57c3c9e8efb4590d58f871e61d7ba6a8cfa", - "type": "eql", - "version": 102 - } - }, "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", - "sha256": "1b182aabc1a25362770238d8e6fbd5d91def7ad420cbd29f0ec914985f603673", + "sha256": "c002e7a00a7aca82906cee1a36dcfe457cfa6c5bd2de883b4756e7950a71d916", "type": "eql", - "version": 202 + "version": 203 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "rule_name": "GCP Firewall Rule Deletion", - "sha256": 
"dbdeafa2e40515c24f4df798e5a2d653973541813b5f25cad1c52cf8e334f69f", + "sha256": "249c67c2eb2e5057e0fc32b5f202a72dcfd125edd060d61622f98fe047847404", "type": "query", - "version": 105 + "version": 106 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "min_stack_version": "8.16", "previous": { - "8.12": { + "8.14": { "max_allowable_version": 106, "rule_name": "Potential Sudo Token Manipulation via Process Injection", "sha256": "b3468a2a0f4b606f04c16270c18b6b7d2a77491078aa852a13f671f64b328173", @@ -15998,8 +9234,14 @@ } }, "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "5d48f1579b67e658a9ebfd53af34e7acdd767d850d05135ee9de6568e1f9d791", + "sha256": "8ecbdf47549e8e6e0505419841a833ab7e99e2fad93086226015e3cddcd843f2", "type": "eql", - "version": 109 + "version": 110 + }, + "ffa676dc-09b0-11f0-94ba-b66272739ecb": { + "rule_name": "Unusual Network Connection to Suspicious Top Level Domain", + "sha256": "d9e6208c442ead0db826b31365ab398f087b999dc652e9f0f0aa31601109b67a", + "type": "new_terms", + "version": 2 } } \ No newline at end of file diff --git a/detection_rules/kbwrap.py b/detection_rules/kbwrap.py index bd3b14b756b..c5feebc021a 100644 --- a/detection_rules/kbwrap.py +++ b/detection_rules/kbwrap.py @@ -24,7 +24,7 @@ from .main import root from .misc import add_params, client_error, kibana_options, get_kibana_client, nested_set from .rule import downgrade_contents_from_rule, TOMLRuleContents, TOMLRule -from .rule_loader import RuleCollection +from .rule_loader import RuleCollection, update_metadata_from_file from .utils import format_command_options, rulename_to_filename RULES_CONFIG = parse_rules_config() 
@@ -108,27 +108,44 @@ def _parse_list_id(s: str): # Re-try to address known Kibana issue: https://github.com/elastic/kibana/issues/143864 workaround_errors = [] + workaround_error_types = set() flattened_exceptions = [e for sublist in exception_dicts for e in sublist] all_exception_list_ids = {exception["list_id"] for exception in flattened_exceptions} click.echo(f'{len(response["errors"])} rule(s) failed to import!') + action_connector_validation_error = "Error validating create data" + action_connector_type_error = "expected value of type [string] but got [undefined]" for error in response['errors']: - click.echo(f' - {error["rule_id"]}: ({error["error"]["status_code"]}) {error["error"]["message"]}') + error_message = error["error"]["message"] + click.echo(f' - {error["rule_id"]}: ({error["error"]["status_code"]}) {error_message}') - if "references a non existent exception list" in error["error"]["message"]: - list_id = _parse_list_id(error["error"]["message"]) + if "references a non existent exception list" in error_message: + list_id = _parse_list_id(error_message) if list_id in all_exception_list_ids: workaround_errors.append(error["rule_id"]) + workaround_error_types.add("non existent exception list") + + if action_connector_validation_error in error_message and action_connector_type_error in error_message: + workaround_error_types.add("connector still being built") if workaround_errors: workaround_errors = list(set(workaround_errors)) - click.echo(f'Missing exception list errors detected for {len(workaround_errors)} rules. ' - 'Try re-importing using the following command and rule IDs:\n') - click.echo('python -m detection_rules kibana import-rules -o ', nl=False) - click.echo(' '.join(f'-id {rule_id}' for rule_id in workaround_errors)) - click.echo() + if "non existent exception list" in workaround_error_types: + click.echo( + f"Missing exception list errors detected for {len(workaround_errors)} rules. 
" + "Try re-importing using the following command and rule IDs:\n" + ) + click.echo("python -m detection_rules kibana import-rules -o ", nl=False) + click.echo(" ".join(f"-id {rule_id}" for rule_id in workaround_errors)) + click.echo() + if "connector still being built" in workaround_error_types: + click.echo( + f"Connector still being built errors detected for {len(workaround_errors)} rules. " + "Please try re-importing the rules again." + ) + click.echo() def _process_imported_items(imported_items_list, item_type_description, item_key): """Displays appropriately formatted success message that all items imported successfully.""" 
@@ -182,12 +199,18 @@ def _process_imported_items(imported_items_list, item_type_description, item_key @click.option("--export-exceptions", "-e", is_flag=True, help="Include exceptions in export") @click.option("--skip-errors", "-s", is_flag=True, help="Skip errors when exporting rules") @click.option("--strip-version", "-sv", is_flag=True, help="Strip the version fields from all rules") +@click.option("--no-tactic-filename", "-nt", is_flag=True, + help="Exclude tactic prefix in exported filenames for rules. " + "Use same flag for import-rules to prevent warnings and disable its unit test.") +@click.option("--local-creation-date", "-lc", is_flag=True, help="Preserve the local creation date of the rule") +@click.option("--local-updated-date", "-lu", is_flag=True, help="Preserve the local updated date of the rule") @click.pass_context def kibana_export_rules(ctx: click.Context, directory: Path, action_connectors_directory: Optional[Path], exceptions_directory: Optional[Path], default_author: str, rule_id: Optional[Iterable[str]] = None, export_action_connectors: bool = False, - export_exceptions: bool = False, skip_errors: bool = False, strip_version: bool = False - ) -> List[TOMLRule]: + export_exceptions: bool = False, skip_errors: bool = False, strip_version: bool = False, + no_tactic_filename: bool = False, local_creation_date: bool = False, + local_updated_date: bool = False) -> List[TOMLRule]: """Export custom rules from Kibana.""" kibana = ctx.obj["kibana"] kibana_include_details = export_exceptions or export_action_connectors @@ -215,6 +238,8 @@ def kibana_export_rules(ctx: click.Context, directory: Path, action_connectors_d return [] rules_results = results + action_connector_results = [] + exception_results = [] if kibana_include_details: # Assign counts to variables rules_count = results[-1]["exported_rules_count"] 
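Review bot: The help text for `--no-tactic-filename` ends with "Use same flag for import-rules to prevent warnings and disable its unit test", which tells a CLI user about an internal test rather than what the flag changes; it appears to refer to a filename check in `import-rules`, but that code is not in this hunk. Suggest `help="Omit the tactic prefix from exported rule filenames. Pass the same flag to import-rules so its filename check does not warn."`. The docstring `"""Export custom rules from Kibana."""` is also unchanged and could state that `--local-creation-date` and `--local-updated-date` only take effect when a rule file already exists at the destination path — that behaviour is inferred from the later `update_metadata_from_file(save_path, ...)` call and should be confirmed. The function body continues outside the hunk.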
@@ -242,22 +267,27 @@ def kibana_export_rules(ctx: click.Context, directory: Path, action_connectors_d
rule_resource["author"] = rule_resource.get("author") or default_author or [rule_resource.get("created_by")]
if isinstance(rule_resource["author"], str):
rule_resource["author"] = [rule_resource["author"]]
- # Inherit maturity from the rule already exists
- maturity = "development"
+ # Inherit maturity and optionally local dates from the rule if it already exists
+ params = {
+ "rule": rule_resource,
+ "maturity": "development",
+ }
threat = rule_resource.get("threat")
first_tactic = threat[0].get("tactic").get("name") if threat else ""
- rule_name = rulename_to_filename(rule_resource.get("name"), tactic_name=first_tactic)
- # check if directory / f"{rule_name}" exists
- if (directory / f"{rule_name}").exists():
- rules = RuleCollection()
- rules.load_file(directory / f"{rule_name}")
- if rules:
- maturity = rules.rules[0].contents.metadata.maturity
-
- contents = TOMLRuleContents.from_rule_resource(
- rule_resource, maturity=maturity
+ # Check if flag or config is set to not include tactic in the filename
+ no_tactic_filename = no_tactic_filename or RULES_CONFIG.no_tactic_filename
+ # Check if the flag is set to not include tactic in the filename
+ tactic_name = first_tactic if not no_tactic_filename else None
+ rule_name = rulename_to_filename(rule_resource.get("name"), tactic_name=tactic_name)
+
+ save_path = directory / f"{rule_name}"
+ params.update(
+ update_metadata_from_file(
+ save_path, {"creation_date": local_creation_date, "updated_date": local_updated_date}
+ )
)
- rule = TOMLRule(contents=contents, path=directory / f"{rule_name}")
+ contents = TOMLRuleContents.from_rule_resource(**params)
+ rule = TOMLRule(contents=contents, path=save_path)
except Exception as e:
if skip_errors:
print(f'- skipping {rule_resource.get("name")} - {type(e).__name__}')
diff --git a/detection_rules/main.py b/detection_rules/main.py
index b07e4c77625..1e1dcfcac06 100644
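Review bot: `no_tactic_filename = no_tactic_filename or RULES_CONFIG.no_tactic_filename` rewrites the function parameter inside what appears to be the per-rule `try` block (the `except` below suggests a loop), and the value is loop-invariant, so hoist it above the loop and leave the parameter read-only. The two comments above `tactic_name` say nearly the same thing; one line such as `# Drop the tactic prefix from the filename when the flag or config asks for it` with `tactic_name = None if no_tactic_filename else first_tactic` is enough. `save_path` is built from the Kibana-supplied rule name, so the code relies on `rulename_to_filename` returning a plain filename without path separators; if that is not already guaranteed, check that `save_path.resolve()` stays under `directory` before the file is loaded or written. The loop and its `try` block begin outside the hunk.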
--- a/detection_rules/main.py
+++ b/detection_rules/main.py
@@ -32,7 +32,7 @@
)
from .rule import TOMLRule, TOMLRuleContents, QueryRuleData
from .rule_formatter import toml_write
-from .rule_loader import RuleCollection
+from .rule_loader import RuleCollection, update_metadata_from_file
from .schemas import all_versions, definitions, get_incompatible_fields, get_schema_file
from .utils import Ndjson, get_path, get_etc_path, clear_caches, load_dump, load_rule_contents, rulename_to_filename
@@ -128,10 +128,13 @@ def generate_rules_index(ctx: click.Context, query, overwrite, save_files=True):
@click.option("--skip-errors", "-ske", is_flag=True, help="Skip rule import errors")
@click.option("--default-author", "-da", type=str, required=False, help="Default author for rules missing one")
@click.option("--strip-none-values", "-snv", is_flag=True, help="Strip None values from the rule")
+@click.option("--local-creation-date", "-lc", is_flag=True, help="Preserve the local creation date of the rule")
+@click.option("--local-updated-date", "-lu", is_flag=True, help="Preserve the local updated date of the rule")
def import_rules_into_repo(input_file: click.Path, required_only: bool, action_connector_import: bool, exceptions_import: bool, directory: click.Path, save_directory: click.Path, action_connectors_directory: click.Path, exceptions_directory: click.Path,
- skip_errors: bool, default_author: str, strip_none_values: bool):
+ skip_errors: bool, default_author: str, strip_none_values: bool, local_creation_date: bool,
+ local_updated_date: bool):
"""Import rules from json, toml, or yaml files containing Kibana exported rule(s)."""
errors = []
rule_files = glob.glob(os.path.join(directory, "**", "*.*"), recursive=True) if directory else []
@@ -179,6 +182,12 @@ def import_rules_into_repo(input_file: click.Path, required_only: bool, action_c
if isinstance(contents["author"], str):
contents["author"] = [contents["author"]]
+ contents.update(
+ update_metadata_from_file(
+ Path(rule_path), {"creation_date": local_creation_date, "updated_date": local_updated_date}
+ )
+ )
+
output = rule_prompt(
rule_path,
required_only=required_only,
diff --git a/detection_rules/misc.py b/detection_rules/misc.py
index 989d78f0f10..dcf1fc51ad0 100644
--- a/detection_rules/misc.py
+++ b/detection_rules/misc.py
@@ -16,19 +16,7 @@
import click
import requests
-
-# this is primarily for type hinting - all use of the github client should come from GithubClient class
-try:
- from github import Github
- from github.Repository import Repository
- from github.GitRelease import GitRelease
- from github.GitReleaseAsset import GitReleaseAsset
-except ImportError:
- # for type hinting
- Github = None # noqa: N806
- Repository = None # noqa: N806
- GitRelease = None # noqa: N806
- GitReleaseAsset = None # noqa: N806
+from kibana import Kibana
from .utils import add_params, cached, get_path, load_etc_dump
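Review bot: `update_metadata_from_file` returns a `maturity` key whenever the local file exists and parses, independent of the two booleans passed here, so this `contents.update(...)` overrides `contents["maturity"]` even when neither `--local-creation-date` nor `--local-updated-date` was given; if that is intended, say so in the option help, otherwise gate the call with `if local_creation_date or local_updated_date:`. It is also not visible in the hunk whether `rule_path` is the Kibana export being read or the destination file in the repo; only the latter carries local metadata worth preserving, so confirm which one reaches `Path(rule_path)`. `import_rules_into_repo` begins before the hunk.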
@@ -348,57 +336,28 @@ def get_elasticsearch_client(cloud_id: str = None, elasticsearch_url: str = None
client_error(error_msg, e, ctx=ctx, err=True)
-def get_kibana_client(cloud_id: str, kibana_url: str, kibana_user: str, kibana_password: str, kibana_cookie: str,
- space: str, ignore_ssl_errors: bool, provider_type: str, provider_name: str, api_key: str,
- **kwargs):
+def get_kibana_client(
+ *,
+ api_key: str,
+ cloud_id: str | None = None,
+ kibana_url: str | None = None,
+ space: str | None = None,
+ ignore_ssl_errors: bool = False,
+ **kwargs
+):
"""Get an authenticated Kibana client."""
- from requests import HTTPError
- from kibana import Kibana
-
if not (cloud_id or kibana_url):
client_error("Missing required --cloud-id or --kibana-url")
- if not (kibana_cookie or api_key):
- # don't prompt for these until there's a cloud id or Kibana URL
- kibana_user = kibana_user or click.prompt("kibana_user")
- kibana_password = kibana_password or click.prompt("kibana_password", hide_input=True)
-
verify = not ignore_ssl_errors
-
- with Kibana(cloud_id=cloud_id, kibana_url=kibana_url, space=space, verify=verify, **kwargs) as kibana:
- if kibana_cookie:
- kibana.add_cookie(kibana_cookie)
- return kibana
- elif api_key:
- kibana.add_api_key(api_key)
- return kibana
-
- try:
- kibana.login(kibana_user, kibana_password, provider_type=provider_type, provider_name=provider_name)
- except HTTPError as exc:
- if exc.response.status_code == 401:
- err_msg = f'Authentication failed for {kibana_url}. 
If credentials are valid, check --provider-name'
- client_error(err_msg, exc, err=True)
- else:
- raise
-
- return kibana
+ return Kibana(cloud_id=cloud_id, kibana_url=kibana_url, space=space, verify=verify, api_key=api_key, **kwargs)
client_options = {
'kibana': {
- 'cloud_id': click.Option(['--cloud-id'], default=getdefault('cloud_id'),
- help="ID of the cloud instance."),
- 'api_key': click.Option(['--api-key'], default=getdefault('api_key')),
- 'kibana_cookie': click.Option(['--kibana-cookie', '-kc'], default=getdefault('kibana_cookie'),
- help='Cookie from an authed session'),
- 'kibana_password': click.Option(['--kibana-password', '-kp'], default=getdefault('kibana_password')),
'kibana_url': click.Option(['--kibana-url'], default=getdefault('kibana_url')),
- 'kibana_user': click.Option(['--kibana-user', '-ku'], default=getdefault('kibana_user')),
- 'provider_type': click.Option(['--provider-type'], default=getdefault('provider_type'),
- help="Elastic Cloud providers: basic and saml (for SSO)"),
- 'provider_name': click.Option(['--provider-name'], default=getdefault('provider_name'),
- help="Elastic Cloud providers: cloud-basic and cloud-saml (for SSO)"),
+ 'cloud_id': click.Option(['--cloud-id'], default=getdefault('cloud_id'), help="ID of the cloud instance."),
+ 'api_key': click.Option(['--api-key'], default=getdefault('api_key')),
'space': click.Option(['--space'], default=None, help='Kibana space'),
'ignore_ssl_errors': click.Option(['--ignore-ssl-errors'], default=getdefault('ignore_ssl_errors'))
},
diff --git a/detection_rules/remote_validation.py b/detection_rules/remote_validation.py
index c00d3bc37cc..db30c5e953c 100644
--- a/detection_rules/remote_validation.py
+++ b/detection_rules/remote_validation.py
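Review bot: `api_key` is now the only credential path but is never validated: `get_kibana_client` still rejects a missing cloud id/URL, yet passes an empty or `None` key straight into `Kibana(...)`, and the connector only attaches the `Authorization` header `if api_key`, so a missing key yields an unauthenticated session whose failure surfaces later as an HTTP error rather than a clear message. Add `if not api_key: client_error("Missing required --api-key")` beside the existing check; `auth_kibana` and the `kibana_args` list in remote_validation.py share this, since `getdefault('api_key')()` may return `None` there when nothing is configured. The `--api-key` option has no `help=` text, whereas the removed password path prompted with hidden input; at least document that the key can come from the configuration source `getdefault` reads rather than the command line, where it lands in shell history and process listings. The docstring `Get an authenticated Kibana client.` now overstates what happens here, since no login or status check is performed before the client is returned.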
@@ -41,10 +41,7 @@ class RemoteConnector:
def __init__(self, parse_config: bool = False, **kwargs):
es_args = ['cloud_id', 'ignore_ssl_errors', 'elasticsearch_url', 'es_user', 'es_password', 'timeout']
- kibana_args = [
- 'cloud_id', 'ignore_ssl_errors', 'kibana_url', 'kibana_user', 'kibana_password', 'space', 'kibana_cookie',
- 'provider_type', 'provider_name'
- ]
+ kibana_args = ['cloud_id', 'ignore_ssl_errors', 'kibana_url', 'api_key', 'space']
if parse_config:
es_kwargs = {arg: getdefault(arg)() for arg in es_args}
@@ -73,17 +70,25 @@ def auth_es(self, *, cloud_id: Optional[str] = None, ignore_ssl_errors: Optional
es_password=es_password, timeout=timeout, **kwargs)
return self.es_client
- def auth_kibana(self, *, cloud_id: Optional[str] = None, ignore_ssl_errors: Optional[bool] = None,
- kibana_url: Optional[str] = None, kibana_user: Optional[str] = None,
- kibana_password: Optional[str] = None, space: Optional[str] = None,
- kibana_cookie: Optional[str] = None, provider_type: Optional[str] = None,
- provider_name: Optional[str] = None, **kwargs) -> Kibana:
+ def auth_kibana(
+ self,
+ *,
+ api_key: str,
+ cloud_id: str | None = None,
+ kibana_url: str | None = None,
+ space: str | None = None,
+ ignore_ssl_errors: bool = False,
+ **kwargs
+ ) -> Kibana:
"""Return an authenticated Kibana client."""
- self.kibana_client = get_kibana_client(cloud_id=cloud_id, ignore_ssl_errors=ignore_ssl_errors,
- kibana_url=kibana_url, kibana_user=kibana_user,
- kibana_password=kibana_password, space=space,
- kibana_cookie=kibana_cookie, provider_type=provider_type,
- provider_name=provider_name, **kwargs)
+ self.kibana_client = get_kibana_client(
+ cloud_id=cloud_id,
+ ignore_ssl_errors=ignore_ssl_errors,
+ kibana_url=kibana_url,
+ api_key=api_key,
+ space=space,
+ **kwargs
+ )
return self.kibana_client
diff --git a/detection_rules/rule_loader.py b/detection_rules/rule_loader.py
index b04d00b794a..a56253686ba 100644
--- a/detection_rules/rule_loader.py
+++ b/detection_rules/rule_loader.py
@@ -18,7 +18,8 @@
from . import utils
from .config import parse_rules_config
from .rule import (
- DeprecatedRule, DeprecatedRuleContents, DictRule, TOMLRule, TOMLRuleContents
+ DeprecatedRule, DeprecatedRuleContents, DictRule, TOMLRule,
+ TOMLRuleContents
)
from .schemas import definitions
from .utils import cached, get_path
@@ -116,6 +117,20 @@ def load_locks_from_tag(remote: str, tag: str, version_lock: str = 'detection_ru
return commit_hash, version, deprecated
+def update_metadata_from_file(rule_path: Path, fields_to_update: dict) -> dict:
+ """Update metadata fields for a rule with local contents."""
+ contents = {}
+ if not rule_path.exists():
+ return contents
+ local_metadata = RuleCollection().load_file(rule_path).contents.metadata.to_dict()
+ if local_metadata:
+ contents["maturity"] = local_metadata.get("maturity", "development")
+ for field_name, should_update in fields_to_update.items():
+ if should_update and field_name in local_metadata:
+ contents[field_name] = local_metadata[field_name]
+ return contents
+
+
@dataclass
class BaseCollection:
"""Base class for collections."""
diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py
index 2b988cce600..98506eeb2bd 100644
--- a/detection_rules/schemas/__init__.py
+++ b/detection_rules/schemas/__init__.py
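Review bot: The docstring `Update metadata fields for a rule with local contents.` misdescribes `update_metadata_from_file`: it mutates nothing and returns a dict of overrides, and `maturity` is included whenever the file exists and parses, independent of `fields_to_update`, which only governs the remaining keys. I would replace it with a docstring stating that contract (empty dict when `rule_path` does not exist; otherwise `maturity` from the local file, defaulting to `development`, plus each key of `fields_to_update` whose value is true and which the local metadata contains) and annotate the parameter as `fields_to_update: dict[str, bool]`. `RuleCollection().load_file(rule_path).contents` assumes `load_file` returns the loaded rule; the export code this replaces read `rules.rules[0]` after calling it, so confirm the return value is the rule and not the collection or `None`. A parse error in the local file propagates from here, which callers wanting a best-effort read will need to handle.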
@@ -303,6 +303,18 @@ def migrate_to_8_17(version: Version, api_contents: dict) -> dict:
return strip_additional_properties(version, api_contents)
+@migrate("8.18")
+def migrate_to_8_18(version: Version, api_contents: dict) -> dict:
+ """Default migration for 8.18."""
+ return strip_additional_properties(version, api_contents)
+
+
+@migrate("9.0")
+def migrate_to_9_0(version: Version, api_contents: dict) -> dict:
+ """Default migration for 9.0."""
+ return strip_additional_properties(version, api_contents)
+
+
def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict:
"""Downgrade a rule to a target stack version."""
from ..packaging import current_stack_version
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index 1d8002cf06f..bca4b212c27 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -178,7 +178,7 @@ def validator(value):
'Use Case: Vulnerability'
]
NonEmptyStr = NewType('NonEmptyStr', str, validate=validate.Length(min=1))
-MACHINE_LEARNING_PACKAGES = ['LMD', 'DGA', 'DED', 'ProblemChild', 'Beaconing']
+MACHINE_LEARNING_PACKAGES = ['LMD', 'DGA', 'DED', 'ProblemChild', 'Beaconing', 'PAD']
AlertSuppressionGroupBy = NewType('AlertSuppressionGroupBy', List[NonEmptyStr], validate=validate.Length(min=1, max=3))
AlertSuppressionMissing = NewType('AlertSuppressionMissing', str, validate=validate.OneOf(['suppress', 'doNotSuppress']))
diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md
index d8ce057bbb4..45b8b837aad 100644
--- a/docs-dev/ATT&CK-coverage.md
+++ b/docs-dev/ATT&CK-coverage.md
@@ -30,7 +30,6 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-indexes-logs-aws](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-aws.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-azure.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-azureWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-azureWILDCARD.json&leave_site_dialog=false&tabs=false)| -|[Elastic-detection-rules-indexes-logs-cloud_defendWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-cloud_defendWILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-crowdstrike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-crowdstrike.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-cyberarkpas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-cyberarkpas.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-indexes-logs-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-endpoint.events.json&leave_site_dialog=false&tabs=false)| 
@@ -67,6 +66,7 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-tags-auditd-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-auditd-manager.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-cloudtrail](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudtrail.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-cloudwatch](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudwatch.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-tags-aws-dynamodb](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-dynamodb.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-ec2](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-ec2.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-iam](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-iam.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-tags-aws-kms](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-kms.json&leave_site_dialog=false&tabs=false)| 
@@ -101,7 +101,6 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-tags-defense-evasion](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-defense-evasion.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-discovery](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-discovery.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-domain-generation-algorithm-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-domain-generation-algorithm-detection.json&leave_site_dialog=false&tabs=false)| -|[Elastic-detection-rules-tags-elastic-defend-for-containers](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-elastic-defend-for-containers.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-elastic-defend](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-elastic-defend.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-elastic-endgame](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-elastic-endgame.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-tags-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-endpoint.json&leave_site_dialog=false&tabs=false)| 
@@ -142,6 +141,7 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-tags-persistence](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-persistence.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-powershell-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-powershell-logs.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-privilege-escalation](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-privilege-escalation.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-tags-privileged-access-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-privileged-access-detection.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-reconnaissance](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-reconnaissance.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-resource-development](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-resource-development.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-tags-rootkit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-rootkit.json&leave_site_dialog=false&tabs=false)| diff --git a/docs-dev/custom-rules-management.md b/docs-dev/custom-rules-management.md index 1048b68f7ef..c95a103f361 100644 --- a/docs-dev/custom-rules-management.md +++ b/docs-dev/custom-rules-management.md @@ -94,8 +94,10 @@ be set in `_config.yaml` or as the environment variable `DETECTION_RULES_TEST_CO environment variable if both are set. Having both these options allows for configuring testing on prebuilt Elastic rules without specifying a rules _config.yaml. +Some notes: -* Note: If set in this file, the path should be relative to the location of this config. If passed as an environment variable, it should be the full path +* If set in this file, the path should be relative to the location of this config. If passed as an environment variable, it should be the full path +* When using the `--no-tactic-filename` flag for kibana imports and exports, be sure to disable the unit test by using the following line `- tests.test_all_rules.TestRuleFiles.test_rule_file_name_tactic` in your test config file. ### How the config is used and it's designed portability diff --git a/docs-dev/detections-as-code.md b/docs-dev/detections-as-code.md index 59611dcf573..148eab538e5 100644 --- a/docs-dev/detections-as-code.md +++ b/docs-dev/detections-as-code.md 
@@ -39,7 +39,7 @@ Feature requests for the DaC components that interact with the Elastic Security ## Reference Implementation of DaC Components -DaC is not a single tool. Detection as Code (DaC) is a modern security approach that applies software development best practices to the creation, management, and deployment of security rules. Here is a short summary of several components that extend upon Elastic's rule management capabilities (e.g. query validation, schema validation, unit tests, etc.) provided to help fast track users ability to implement custom DaC implementations in their private environments. If you are new to these concepts, please refer to the [DaC Documentation](https://dac-reference.readthedocs.io/en/latest/), which also provides a quickstart guide and example end-to-end CI/CD workflows. These components are configurable by using the [custom-rules](docs-dev/custom-rules.md) setup. +DaC is not a single tool. Detection as Code (DaC) is a modern security approach that applies software development best practices to the creation, management, and deployment of security rules. Here is a short summary of several components that extend upon Elastic's rule management capabilities (e.g. query validation, schema validation, unit tests, etc.) provided to help fast track users ability to implement custom DaC implementations in their private environments. If you are new to these concepts, please refer to the [DaC Documentation](https://dac-reference.readthedocs.io/en/latest/), which also provides a quickstart guide and example end-to-end CI/CD workflows. These components are configurable by using the [custom-rules](custom-rules-management.md) setup. - Kibana's Rule Versioning Mechanism ([link](https://dac-reference.readthedocs.io/en/latest/internals_of_the_detection_rules_repo.html#option-2-defer-to-elastic-security)) - Local rule management (e.g. 
autoschema generation, actions and exceptions) ([link](https://dac-reference.readthedocs.io/en/latest/internals_of_the_detection_rules_repo.html#option-1-using-the-built-in-configuration)) diff --git a/docs/docset.yml b/docs/docset.yml new file mode 100644 index 00000000000..79158ad3651 --- /dev/null +++ b/docs/docset.yml @@ -0,0 +1,14 @@ +project: 'detection rules' +cross_links: + - docs-content +exclude: + - '_*.md' + - 'README.md' + +extensions: + - detection-rules + +toc: + - file: index.md + detection_rules: ['../rules', '../rules_building_block'] + diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 00000000000..2f52c979042 --- /dev/null +++ b/docs/index.md @@ -0,0 +1,3 @@ +# Detection rules + +Landing / overview page diff --git a/hunting/azure/docs/entra_service_principal_credentials_added_to_rare_app.md b/hunting/azure/docs/entra_service_principal_credentials_added_to_rare_app.md new file mode 100644 index 00000000000..79f5b588b26 --- /dev/null +++ b/hunting/azure/docs/entra_service_principal_credentials_added_to_rare_app.md 
@@ -0,0 +1,62 @@
+# Microsoft Entra ID Credentials Added to Rare Service Principal
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunting query gathers evidence of a compromised Microsoft Entra ID identity creating new credentials for a service principal. This may indicate that an attacker has hijacked an Application Administrative entity and is attempting to use it escalate privileges by adding backdoor credentials to a service principal. Service principals are often used to manage permissions and access to resources in Azure, making them a valuable target for attackers.
+- **UUID:** `d2dd0288-0a8c-11f0-b738-f661ea17fbcc`
+- **Integration:** [azure](https://docs.elastic.co/integrations/azure)
+- **Language:** `[ES|QL]`
+- **Source File:** [Microsoft Entra ID Credentials Added to Rare Service Principal](../queries/entra_service_principal_credentials_added_to_rare_app.toml)
+
+## Query
+
+```sql
+FROM logs-azure.auditlogs*
+| WHERE
+ // filter on Microsoft Entra Audit Logs
+ // filter for service principal credentials being added
+ event.dataset == "azure.auditlogs"
+ and azure.auditlogs.operation_name == "Add service principal credentials"
+ and event.outcome == "success"
+| EVAL
+ // SLICE n0 of requests values for specific Client App ID
+ // Cast Client App ID to STRING type
+ azure.auditlogs.properties.additional_details.appId = MV_SLICE(azure.auditlogs.properties.additional_details.value, 0)::STRING
+| WHERE
+ // REGEX on Client APP ID for UUIDv4
+ azure.auditlogs.properties.additional_details.appId RLIKE """[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"""
+| EVAL
+ // BUCKET events weekly
+ timestamp_week_bucket = DATE_TRUNC(7 day, @timestamp)
+| STATS
+ // Aggregate weekly occurrences by Client App ID, User ID
+ weekly_user_app_occurrence_count = COUNT_DISTINCT(timestamp_week_bucket) BY
+ azure.auditlogs.properties.additional_details.appId,
+ azure.auditlogs.properties.initiated_by.user.id
+| WHERE 
weekly_user_app_occurrence_count == 1
+```
+
+## Notes
+
+- This is an ES|QL query, therefore results are returned in a tabular format. Pivot into related events using the `azure.auditlogs.properties.initiated_by.user.id`
+- Review `azure.auditlogs.properties.additional_details.appId` to verify the Client App ID. This should be a known application in your environment. Check if it is an Azure-managed application, custom application, or a third-party application.
+- The `azure.auditlogs.properties.additional_details.appId` value will be available in `azure.auditlogs.properties.additional_details.value` when triaging the original events.
+- The `azure.auditlogs.properties.initiated_by.user.id` may be a hijacked account with elevated privileges. Review the user account to determine if it is a known administrative account or a compromised account.
+- Review `azure.auditlogs.properties.target_resources.0.display_name` to verify the service principal name. This correlates directly to the `azure.auditlogs.properties.additional_details.appId` value.
+- Identify potential authentication events from the service principal the credentials were added to. This may indicate that the service principal is being used to access resources in your environment.
+
+## MITRE ATT&CK Techniques
+
+- [T1098.001](https://attack.mitre.org/techniques/T1098/001)
+
+## References
+
+- https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452
+- https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/azure/queries/entra_service_principal_credentials_added_to_rare_app.toml b/hunting/azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
new file mode 100644
index 00000000000..5a54df91544
--- /dev/null
+++ b/hunting/azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
@@ -0,0 +1,48 @@
+[hunt]
+author = "Elastic"
+description = """This hunting query gathers evidence of a compromised Microsoft Entra ID identity creating new credentials for a service principal. This may indicate that an attacker has hijacked an Application Administrative entity and is attempting to use it escalate privileges by adding backdoor credentials to a service principal. Service principals are often used to manage permissions and access to resources in Azure, making them a valuable target for attackers. """
+integration = ["azure"]
+uuid = "d2dd0288-0a8c-11f0-b738-f661ea17fbcc"
+name = "Microsoft Entra ID Credentials Added to Rare Service Principal"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+ "This is an ES|QL query, therefore results are returned in a tabular format. Pivot into related events using the `azure.auditlogs.properties.initiated_by.user.id`",
+ "Review `azure.auditlogs.properties.additional_details.appId` to verify the Client App ID. This should be a known application in your environment. Check if it is an Azure-managed application, custom application, or a third-party application.",
+ "The `azure.auditlogs.properties.additional_details.appId` value will be available in `azure.auditlogs.properties.additional_details.value` when triaging the original events.",
+ "The `azure.auditlogs.properties.initiated_by.user.id` may be a hijacked account with elevated privileges. Review the user account to determine if it is a known administrative account or a compromised account.",
+ "Review `azure.auditlogs.properties.target_resources.0.display_name` to verify the service principal name. This correlates directly to the `azure.auditlogs.properties.additional_details.appId` value.",
+ "Identify potential authentication events from the service principal the credentials were added to. This may indicate that the service principal is being used to access resources in your environment."
+]
+mitre = ['T1098.001']
+references = [
+ "https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452",
+ "https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/"
+]
+query = [
+'''
+FROM logs-azure.auditlogs*
+| WHERE
+ // filter on Microsoft Entra Audit Logs
+ // filter for service principal credentials being added
+ event.dataset == "azure.auditlogs"
+ and azure.auditlogs.operation_name == "Add service principal credentials"
+ and event.outcome == "success"
+| EVAL
+ // SLICE n0 of requests values for specific Client App ID
+ // Cast Client App ID to STRING type
+ azure.auditlogs.properties.additional_details.appId = MV_SLICE(azure.auditlogs.properties.additional_details.value, 0)::STRING
+| WHERE
+ // REGEX on Client APP ID for UUIDv4
+ azure.auditlogs.properties.additional_details.appId RLIKE """[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"""
+| EVAL
+ // BUCKET events weekly
+ timestamp_week_bucket = DATE_TRUNC(7 day, @timestamp)
+| STATS
+ // Aggregate weekly occurrences by Client App ID, User ID
+ weekly_user_app_occurrence_count = COUNT_DISTINCT(timestamp_week_bucket) BY
+ azure.auditlogs.properties.additional_details.appId,
+ azure.auditlogs.properties.initiated_by.user.id
+| WHERE weekly_user_app_occurrence_count == 1
+'''
+]
\ No newline at end of file
diff --git a/hunting/index.md b/hunting/index.md
index 1714b29b2c8..eca7a9b0535 100644
--- a/hunting/index.md
+++ b/hunting/index.md
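Review bot: The `description` string has a typo (`use it escalate privileges` should read `use it to escalate privileges`), and the docs page under `hunting/azure/docs` carries the same sentence, so fix both or regenerate the page if it is derived from this file. The query comment `// SLICE n0 of requests values for specific Client App ID` does not state what it assumes; `// take the first additional_details value, assumed to be the client app ID (the UUID filter below drops rows where it is not)` makes the assumption and its safeguard explicit. `weekly_user_app_occurrence_count == 1` only means "rare" when the query's time range spans several weeks, so a `notes` entry saying the lookback should cover multiple weeks would help analysts who run it with a short time picker.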
@@ -36,6 +36,7 @@ Here are the queries currently available:
 - [Azure Entra Excessive Single-Factor Non-Interactive Sign-Ins](./azure/docs/entra_excessive_non_interactive_sfa_sign_ins_across_users.md) (ES|QL)
 - [Azure Entra Unusual Client App Authentication Requests on Behalf of Principal Users](./azure/docs/entra_unusual_client_app_auth_request_on_behalf_of_user.md) (ES|QL)
 - [Azure Entra Unusual Failed Authentication Attempts Behind Rare User Agents](./azure/docs/entra_authentication_attempts_behind_rare_user_agents.md) (ES|QL)
+- [Microsoft Entra ID Credentials Added to Rare Service Principal](./azure/docs/entra_service_principal_credentials_added_to_rare_app.md) (ES|QL)
 ## linux
diff --git a/hunting/index.yml b/hunting/index.yml
index 93903f0d7cb..d5c7fbdc32c 100644
--- a/hunting/index.yml
+++ b/hunting/index.yml
@@ -687,3 +687,8 @@ azure:
 mitre:
 - T1078.004
 - T1110.003
+ d2dd0288-0a8c-11f0-b738-f661ea17fbcc:
+ name: Microsoft Entra ID Credentials Added to Rare Service Principal
+ path: ./azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
+ mitre:
+ - T1098.001
diff --git a/lib/kibana/kibana/connector.py b/lib/kibana/kibana/connector.py
index 7de201193d3..5c720b698e6 100644
--- a/lib/kibana/kibana/connector.py
+++ b/lib/kibana/kibana/connector.py
@@ -12,23 +12,30 @@
 import uuid
 from typing import List, Optional, Union
-from urllib.parse import urljoin
 import requests
 from elasticsearch import Elasticsearch
 _context = threading.local()
-class Kibana(object):
+class Kibana:
 """Wrapper around the Kibana SIEM APIs."""
- CACHED = False
-
- def __init__(self, cloud_id=None, kibana_url=None, verify=True, elasticsearch=None, space=None):
+ def __init__(self, cloud_id=None, kibana_url=None, api_key=None, verify=True, elasticsearch=None, space=None):
 """"Open a session to the platform."""
 self.authenticated = False
+
 self.session = requests.Session()
 self.session.verify = verify
+
+ if api_key:
+ self.session.headers.update(
+ {
+ "kbn-xsrf": "true",
+ "Authorization": f"ApiKey {api_key}",
+ }
+ )
+
 self.verify = verify
 self.cloud_id = cloud_id
@@ -37,9 +44,6 @@ def __init__(self, cloud_id=None, kibana_url=None, verify=True, elasticsearch=No
 self.space = space if space and space.lower() != 'default' else None
 self.status = None
- self.provider_name = None
- self.provider_type = None
-
 if self.cloud_id:
 self.cluster_name, cloud_info = self.cloud_id.split(":")
 self.domain, self.es_uuid, self.kibana_uuid = \
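Review bot: In the new `if api_key:` branch the `"kbn-xsrf": "true"` header entry is dead: later in the same constructor the unchanged `self.session.headers.update({'Content-Type': "application/json", "kbn-xsrf": str(uuid.uuid4())})` (a context line of the next hunk) overwrites it, so only the `Authorization` entry has any effect. The same branch also leaves `self.authenticated = False` and `self.status = None`, whereas the removed `add_api_key` method populated both; `version` reads `self.status.get("version", {})`, so an API-key-only session would raise `AttributeError` there unless status is populated somewhere outside these hunks. If API-key construction is meant to yield a ready session, set `self.status` and `self.authenticated` where the old method did, or make `version` tolerate `self.status is None`. `__init__` continues beyond this hunk.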
@@ -50,18 +54,24 @@ def __init__(self, cloud_id=None, kibana_url=None, verify=True, elasticsearch=No
 kibana_url_from_cloud = f"https://{self.kibana_uuid}.{self.domain}:9243"
 if self.kibana_url and self.kibana_url != kibana_url_from_cloud:
- raise ValueError(f'kibana_url provided ({self.kibana_url}) does not match url derived from cloud_id '
- f'{kibana_url_from_cloud}')
+ raise ValueError(
+ f'kibana_url provided ({self.kibana_url}) does not match url derived from cloud_id '
+ f'{kibana_url_from_cloud}'
+ )
 self.kibana_url = kibana_url_from_cloud
- self.elastic_url = f"https://{self.es_uuid}.{self.domain}:9243"
- self.provider_name = 'cloud-basic'
- self.provider_type = 'basic'
-
 self.session.headers.update({'Content-Type': "application/json", "kbn-xsrf": str(uuid.uuid4())})
 self.elasticsearch = elasticsearch
+ if not self.elasticsearch and self.elastic_url:
+ self.elasticsearch = Elasticsearch(
+ hosts=[self.elastic_url],
+ api_key=api_key,
+ verify_certs=self.verify,
+ )
+ self.elasticsearch.info()
+
 if not verify:
 from requests.packages.urllib3.exceptions import \
 InsecureRequestWarning
@@ -75,7 +85,7 @@ def version(self):
 return self.status.get("version", {}).get("number")
 @staticmethod
- def ndjson_file_data_prep(lines: List[dict], filename: str) -> (dict, str):
+ def ndjson_file_data_prep(lines: List[dict], filename: str) -> tuple[dict, str]:
 """Prepare a request for an ndjson file upload to Kibana."""
 data = ('\n'.join(json.dumps(r) for r in lines) + '\n')
 boundary = '----JustAnotherBoundary'
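Review bot: The cloud_id branch no longer assigns `self.elastic_url` — the line `self.elastic_url = f"https://{self.es_uuid}.{self.domain}:9243"` is removed with no replacement — yet the new block below guards on `if not self.elasticsearch and self.elastic_url:`; unless `self.elastic_url` is derived from the cloud id somewhere outside this hunk, the Elasticsearch client is never built for cloud deployments and `self.elasticsearch` stays `None`. The new block also calls `self.elasticsearch.info()` inside the constructor, so `Kibana(...)` now performs a network round-trip and, when `api_key` is `None`, is expected to fail with an authentication error at construction time rather than at first use; the removed `login` made the same call, but only after credentials had been supplied. Narrowing the guard to `if not self.elasticsearch and self.elastic_url and api_key:` keeps construction side-effect free when no key is given. `__init__` continues beyond this hunk.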
@@ -144,63 +154,6 @@ def delete(self, uri, params=None, error=True, **kwargs):
 """Perform an HTTP DELETE."""
 return self.request('DELETE', uri, params=params, error=error, **kwargs)
- def login(self, kibana_username, kibana_password, provider_type=None, provider_name=None):
- """Authenticate to Kibana using the API to update our cookies."""
- payload = {'username': kibana_username, 'password': kibana_password}
- path = '/internal/security/login'
-
- try:
- self.post(path, data=payload, error=True, verbose=False)
- except requests.HTTPError as e:
- # 7.10 changed the structure of the auth data
- # providers dictated by Kibana configs in:
- # https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#authentication-security-settings
- # more details: https://discuss.elastic.co/t/kibana-7-10-login-issues/255201/2
- if e.response.status_code == 400 and '[undefined]' in e.response.text:
- provider_type = provider_type or self.provider_type or 'basic'
- provider_name = provider_name or self.provider_name or 'basic'
-
- payload = {
- 'params': payload,
- 'currentURL': '',
- 'providerType': provider_type,
- 'providerName': provider_name
- }
- self.post(path, data=payload, error=True)
- else:
- raise
-
- # Kibana will authenticate against URLs which contain invalid spaces
- if self.space:
- self.verify_space(self.space)
-
- self.authenticated = True
- self.status = self.get("/api/status")
-
- # create ES and force authentication
- if self.elasticsearch is None and self.elastic_url is not None:
- self.elasticsearch = Elasticsearch(hosts=[self.elastic_url], http_auth=(kibana_username, kibana_password),
- verify_certs=self.verify)
- self.elasticsearch.info()
-
- # make chaining easier
- return self
-
- def add_cookie(self, cookie):
- """Add cookie to be used for auth (such as from an SSO session)."""
- # https://www.elastic.co/guide/en/kibana/7.10/security-settings-kb.html#security-session-and-cookie-settings
- self.session.headers['sid'] = cookie
- self.session.cookies.set('sid', cookie)
- self.status = self.get('/api/status')
- self.authenticated = True
-
- def add_api_key(self, api_key: str) -> bool:
- """Add an API key to be used for auth."""
- self.session.headers['Authorization'] = f'ApiKey {api_key}'
- self.status = self.get('/api/status')
- self.authenticated = True
- return bool(self.status)
-
 def logout(self):
 """Quit the current session."""
 try:
diff --git a/lib/kibana/pyproject.toml b/lib/kibana/pyproject.toml
index 96b5ae0cbe4..a2a9edf34c6 100644
--- a/lib/kibana/pyproject.toml
+++ b/lib/kibana/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection-rules-kibana"
-version = "0.4.1"
+version = "0.4.2"
 description = "Kibana API utilities for Elastic Detection Rules"
 license = {text = "Elastic License v2"}
 keywords = ["Elastic", "Kibana", "Detection Rules", "Security", "Elasticsearch"]
diff --git a/pyproject.toml b/pyproject.toml
index fb398de18dd..24b7d7d4b5f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.4.22"
+version = "1.0.11"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index e0b4e935489..8d556a3e47c 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,10 +1,8 @@ [metadata] creation_date = "2020/12/21" integration = ["endpoint", "windows", "system"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -27,6 +25,41 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Potential Cookies Theft via Browser Debugging" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Cookies Theft via Browser Debugging + +Chromium-based browsers support debugging features that allow developers to inspect and modify web applications. Adversaries can exploit these features to access session cookies, enabling unauthorized access to web services. The detection rule identifies suspicious browser processes using debugging arguments, which may indicate cookie theft attempts, by monitoring specific process names and arguments across different operating systems. + +### Possible investigation steps + +- Review the process details to confirm the presence of suspicious debugging arguments such as "--remote-debugging-port=*", "--remote-debugging-targets=*", or "--remote-debugging-pipe=*". Check if these arguments were used in conjunction with "--user-data-dir=*" and ensure "--remote-debugging-port=0" is not present. +- Identify the user account associated with the suspicious browser process to determine if it aligns with expected behavior or if it might be compromised. +- Investigate the source IP address and network activity associated with the process to identify any unusual or unauthorized access patterns. +- Check for any recent changes or anomalies in the user's account activity, such as unexpected logins or access to sensitive applications. +- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign. 
+- If possible, capture and analyze the network traffic associated with the process to detect any data exfiltration attempts or communication with known malicious IP addresses. + +### False positive analysis + +- Development and testing activities may trigger the rule when developers use debugging features for legitimate purposes. To manage this, create exceptions for known developer machines or user accounts frequently involved in web application development. +- Automated testing frameworks that utilize browser debugging for testing web applications can also cause false positives. Identify and exclude processes initiated by these frameworks by specifying their unique process names or user accounts. +- Browser extensions or tools that rely on debugging ports for functionality might be flagged. Review and whitelist these extensions or tools if they are verified as safe and necessary for business operations. +- Remote support or troubleshooting sessions using debugging features can be mistaken for suspicious activity. Implement a policy to log and review such sessions, allowing exceptions for recognized support tools or personnel. +- Continuous integration/continuous deployment (CI/CD) pipelines that involve browser automation may inadvertently match the rule criteria. Exclude these processes by identifying and filtering based on the CI/CD system's user accounts or process identifiers. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious browser processes identified with debugging arguments to stop potential cookie theft in progress. +- Conduct a thorough review of access logs for the affected web applications or services to identify any unauthorized access attempts using stolen cookies. 
+- Invalidate all active sessions for the affected user accounts and force a re-authentication to ensure that any stolen session cookies are rendered useless. +- Implement stricter browser security policies, such as disabling remote debugging features in production environments, to prevent similar exploitation in the future. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised. +- Enhance monitoring and alerting for similar suspicious browser activities by refining detection rules and incorporating additional threat intelligence.""" references = [ "https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", 
@@ -66,41 +99,6 @@ process where event.type in ("start", "process_started", "info") and "--remote-debugging-pipe=*") and process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Cookies Theft via Browser Debugging - -Chromium-based browsers support debugging features that allow developers to inspect and modify web applications. Adversaries can exploit these features to access session cookies, enabling unauthorized access to web services. The detection rule identifies suspicious browser processes using debugging arguments, which may indicate cookie theft attempts, by monitoring specific process names and arguments across different operating systems. - -### Possible investigation steps - -- Review the process details to confirm the presence of suspicious debugging arguments such as "--remote-debugging-port=*", "--remote-debugging-targets=*", or "--remote-debugging-pipe=*". Check if these arguments were used in conjunction with "--user-data-dir=*" and ensure "--remote-debugging-port=0" is not present. -- Identify the user account associated with the suspicious browser process to determine if it aligns with expected behavior or if it might be compromised. -- Investigate the source IP address and network activity associated with the process to identify any unusual or unauthorized access patterns. -- Check for any recent changes or anomalies in the user's account activity, such as unexpected logins or access to sensitive applications. 
-- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign. -- If possible, capture and analyze the network traffic associated with the process to detect any data exfiltration attempts or communication with known malicious IP addresses. - -### False positive analysis - -- Development and testing activities may trigger the rule when developers use debugging features for legitimate purposes. To manage this, create exceptions for known developer machines or user accounts frequently involved in web application development. -- Automated testing frameworks that utilize browser debugging for testing web applications can also cause false positives. Identify and exclude processes initiated by these frameworks by specifying their unique process names or user accounts. -- Browser extensions or tools that rely on debugging ports for functionality might be flagged. Review and whitelist these extensions or tools if they are verified as safe and necessary for business operations. -- Remote support or troubleshooting sessions using debugging features can be mistaken for suspicious activity. Implement a policy to log and review such sessions, allowing exceptions for recognized support tools or personnel. -- Continuous integration/continuous deployment (CI/CD) pipelines that involve browser automation may inadvertently match the rule criteria. Exclude these processes by identifying and filtering based on the CI/CD system's user accounts or process identifiers. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious browser processes identified with debugging arguments to stop potential cookie theft in progress. -- Conduct a thorough review of access logs for the affected web applications or services to identify any unauthorized access attempts using stolen cookies. 
-- Invalidate all active sessions for the affected user accounts and force a re-authentication to ensure that any stolen session cookies are rendered useless. -- Implement stricter browser security policies, such as disabling remote debugging features in production environments, to prevent similar exploitation in the future. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised. -- Enhance monitoring and alerting for similar suspicious browser activities by refining detection rules and incorporating additional threat intelligence.""" [[rule.threat]] diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index 97e4f3921b8..150a6573e2d 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,39 +15,6 @@ index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows. language = "eql" license = "Elastic License v2" name = "WebServer Access Logs Deleted" -risk_score = 47 -rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where event.type == "deletion" and - file.path : ("C:\\inetpub\\logs\\LogFiles\\*.log", - "/var/log/apache*/access.log", - "/etc/httpd/logs/access_log", - "/var/log/httpd/access_log", - "/var/www/*/logs/access.log") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -84,6 +49,39 @@ Web server access logs are crucial for monitoring and analyzing web traffic, pro - Review and tighten access controls and permissions on log files to ensure only authorized personnel can modify or delete them. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. - Document the incident, including all actions taken, and update incident response plans to improve future detection and response capabilities.""" +risk_score = 47 +rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac" +setup = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where event.type == "deletion" and + file.path : ("C:\\inetpub\\logs\\LogFiles\\*.log", + "/var/log/apache*/access.log", + "/etc/httpd/logs/access_log", + "/var/log/httpd/access_log", + "/var/www/*/logs/access.log") +''' [[rule.threat]] diff --git a/rules/cross-platform/execution_potential_widespread_malware_infection.toml b/rules/cross-platform/execution_potential_widespread_malware_infection.toml index 087408b2eb9..baa2d88a944 100644 --- a/rules/cross-platform/execution_potential_widespread_malware_infection.toml 
+++ b/rules/cross-platform/execution_potential_widespread_malware_infection.toml @@ -1,45 +1,18 @@ [metadata] creation_date = "2024/05/08" maturity = "production" -updated_date = "2025/01/15" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this -to prioritize triage and response, as this can potentially indicate a widespread malware infection. +This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this to +prioritize triage and response, as this can potentially indicate a widespread malware infection. """ from = "now-9m" language = "esql" license = "Elastic License v2" name = "Potential Widespread Malware Infection Across Multiple Hosts" -references = [ - "https://github.com/elastic/protections-artifacts/tree/main/yara/rules" -] -risk_score = 73 -rule_id = "28371aa1-14ed-46cf-ab5b-2fc7d1942278" -severity = "high" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "Use Case: Threat Detection", - "Tactic: Execution", - "Rule Type: Higher-Order Rule", - "Resources: Investigation Guide", - "vigilant.disabled" -] -timestamp_override = "event.ingested" -type = "esql" - -query = ''' -from logs-endpoint.alerts-* -| where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null -| keep host.id, rule.name, event.code -| stats hosts = count_distinct(host.id) by rule.name, event.code -| where hosts >= 3 -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -75,6 +48,29 @@ Endpoint security technologies monitor and analyze activities on devices to dete - Restore affected systems from clean backups if the malware has caused significant damage or if the integrity of the system cannot be assured after cleaning. - Monitor network traffic and endpoint activities closely for any signs of persistence or re-infection, using enhanced detection rules and updated threat intelligence feeds. - Escalate the incident to the appropriate internal or external cybersecurity teams if the infection appears to be part of a larger coordinated attack, ensuring that all relevant data and findings are shared for further investigation and response.""" +references = ["https://github.com/elastic/protections-artifacts/tree/main/yara/rules"] +risk_score = 73 +rule_id = "28371aa1-14ed-46cf-ab5b-2fc7d1942278" +severity = "high" +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "Use Case: Threat Detection", + "Tactic: Execution", + "Rule Type: Higher-Order Rule", + "Resources: Investigation Guide", + "vigilant.disabled" +] +timestamp_override = "event.ingested" +type = "esql" + +query = ''' +from logs-endpoint.alerts-* +| where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null +| keep host.id, rule.name, event.code +| stats hosts = count_distinct(host.id) by rule.name, event.code +| where hosts >= 3 +''' [[rule.threat]] @@ -94,3 +90,4 @@ reference = "https://attack.mitre.org/techniques/T1204/002/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index 17b0f004b8e..ed579049f57 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/07/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml b/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml index 7635518faaa..f4588bc7f12 100644 --- a/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml +++ b/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml @@ -2,9 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully" -min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -134,12 +132,6 @@ from logs-aws.cloudtrail* | sort unique_api_count desc ''' -[rule.investigation_fields] -field_names = [ - "time_window", - "aws.cloudtrail.user_identity.arn", - "unique_api_count" -] [[rule.threat]] framework = "MITRE ATT&CK" @@ -154,3 +146,6 @@ id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[rule.investigation_fields] +field_names = ["time_window", "aws.cloudtrail.user_identity.arn", "unique_api_count"] + diff --git a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml new file mode 100644 index 00000000000..7e70a66ba4f --- /dev/null +++ b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml 
@@ -0,0 +1,132 @@ +[metadata] +creation_date = "2025/03/13" +integration = ["aws"] +maturity = "production" +updated_date = "2025/03/13" + +[rule] +author = ["Elastic"] +description = """ +Identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may +use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects +unusual user activity by monitoring for the Scan action in CloudTrail logs. This is a New Terms rule that only flags +when this behavior is observed by the `aws.cloudtrail.user_identity.arn` for the first time in the last 14 days. +""" +false_positives = [ + """ + Legitimate users may scan DynamoDB tables for various reasons, such as data analysis or application functionality. + Ensure that the user has the necessary permissions and that the Scan operation is authorized before taking action. + """, +] +from = "now-9m" +index = ["filebeat-*", "logs-aws.cloudtrail-*"] +language = "kuery" +license = "Elastic License v2" +name = "AWS DynamoDB Scan by Unusual User" +note = """## Triage and analysis + +### Investigating AWS DynamoDB Scan by Unusual User + +This rule identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the Scan action in CloudTrail logs. + +This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time on a host in the last 14 days. + +#### Possible Investigation Steps + +- Identify the Actor: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the subscription. Verify if this actor typically performs such actions and has the necessary permissions. 
It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user. +- Review the Source IP: Check the `source.address` field to determine the source of the request. If the request comes from an unexpected location or IP address, it may indicate a compromised account or unauthorized access. +- Analyze the Request Parameters: Examine the `aws.cloudtrail.request_parameters` field to understand the details of the Scan request. Look for any unusual parameters or patterns that may indicate malicious intent. This also details the DynamoDB table being scanned. +- Review Access Key: Check the `aws.cloudtrail.user_identity.access_key_id` field to identify the access key used for the request. Determine if this key is associated with a legitimate user or if it has been compromised. + + +### False Positive Analysis + +- Historical User Actions: If the user has a history of scanning DynamoDB tables for legitimate purposes, this may not be a false positive. Review the user's activity logs to determine if this behavior is consistent with their normal actions. +- Automated Processes: Some automated processes or applications may perform scans on DynamoDB tables as part of their functionality. If the user is associated with such a process, this may not be a false positive. + +### Response and Remediation + +- Immediate Review and Reversal: If the Scan action is determined to be unauthorized, immediately revoke the user's access to the DynamoDB table and any associated resources. This may involve disabling the user's account or removing their permissions. +- Investigate Compromise: If the Scan action is determined to be malicious, investigate the source of the request and any potential compromise of the user's account. This may involve reviewing access logs, resetting passwords, and enabling multi-factor authentication (MFA) for the affected user. 
If export options were used with the CLI or SDK, they may have been saved locally or to a remote location. +- Review IAM Policies: Review the IAM policies associated with the user to ensure that they have the appropriate permissions for their role. If necessary, update the policies to restrict access to sensitive resources. +- Monitor for Future Activity: Continue to monitor the user's activity for any further suspicious behavior. Set up additional alerts or logging to detect any future unauthorized access attempts. + +### Additional Information + +For further guidance on managing and securing SNS topics in AWS environments, refer to the [AWS SNS documentation](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) and AWS best practices for security. +""" +references = ["https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Scan.html"] +risk_score = 21 +rule_id = "96b2a03e-003b-11f0-8541-f661ea17fbcd" +setup = "DynamoDB data events must be enabled in CloudTrail to capture the Scan action. Ensure that the AWS CloudTrail service is configured to log data events for DynamoDB tables." 
+severity = "low" +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS DynamoDB", + "Resources: Investigation Guide", + "Use Case: Threat Detection", + "Tactic: Exfiltration", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +event.dataset: "aws.cloudtrail" + and event.provider: "dynamodb.amazonaws.com" + and event.action: "Scan" + and event.outcome: "success" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "source.address", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "user_agent.original", + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.flattened.request_parameters.tableName", + "aws.cloudtrail.flattened.response_elements.subscriptionArn", + "aws.cloudtrail.request_parameters", +] + +[rule.new_terms] +field = "new_terms_fields" +value = ["aws.cloudtrail.user_identity.arn"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" + + diff --git a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml new file mode 100644 index 00000000000..e13b71a35f0 --- /dev/null 
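Review bot: The investigation guide carries wording copied from an SNS rule that does not fit this rule: the first investigation step says `the user who requested the subscription`, the Additional Information paragraph speaks of `managing and securing SNS topics` and labels a DynamoDB link `AWS SNS documentation`, and `investigation_fields` lists `aws.cloudtrail.flattened.response_elements.subscriptionArn`, which is not a response element of a DynamoDB `Scan` call. Change the step to `the user who issued the Scan request`, reword the paragraph to `managing and securing DynamoDB tables` with the link labelled `AWS DynamoDB security documentation`, and drop the `subscriptionArn` entry from `field_names`. The note also states the rule flags `for the first time on a host`, while `rule.new_terms` keys on `aws.cloudtrail.user_identity.arn`; `for the first time for a user identity ARN` matches the description and the query.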
+++ b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml 
@@ -0,0 +1,123 @@
+[metadata]
+creation_date = "2025/03/13"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/03/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to
+collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by
+monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when
+this behavior is observed by the `aws.cloudtrail.user_identity.arn` for the first time in the last 14 days.
+"""
+false_positives = [
+ """
+ Legitimate users may export DynamoDB tables for various reasons, such as data analysis or backup purposes. Ensure
+ that the user has the necessary permissions and that the ExportTableToPointInTime operation is authorized before
+ taking action.
+ """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS DynamoDB Table Exported to S3"
+note = """ ## Triage and analysis
+
+### Investigating AWS DynamoDB Table Exported to S3
+
+This rule identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs.
+
+This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time on a host in the last 14 days.
+
+#### Possible Investigation Steps
+- Identify the Actor: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the export. Verify if this actor typically performs such actions and has the necessary permissions.
It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user.
+- Review the Source IP: Check the `source.address` field to determine the source of the request. If the request comes from an unexpected location or IP address, it may indicate a compromised account or unauthorized access.
+- Analyze the Request Parameters: Examine the `aws.cloudtrail.request_parameters` field to understand the details of the ExportTableToPointInTime request. Look for any unusual parameters or patterns that may indicate malicious intent. This also details the DynamoDB table being exported.
+- Review Access Key: Check the `aws.cloudtrail.user_identity.access_key_id` field to identify the access key used for the request. Determine if this key is associated with a legitimate user or if it has been compromised.
+
+### False Positive Analysis
+- Historical User Actions: If the user has a history of exporting DynamoDB tables for legitimate purposes, this may not be a false positive. Review the user's activity logs to determine if this behavior is consistent with their normal actions.
+- Automated Processes: Some automated processes or applications may perform exports on DynamoDB tables as part of their functionality. If the user is associated with such a process, this may not be a false positive.
+
+### Response and Remediation
+- Immediate Review and Reversal: If the ExportTableToPointInTime action is determined to be unauthorized, immediately revoke the user's access to the DynamoDB table and any associated resources. This may involve disabling the user's account or removing their permissions.
+- Investigate Compromise: If the ExportTableToPointInTime action is determined to be malicious, investigate the source and destination of the request and any potential compromise of the user's account. If the destination S3 bucket is not known, it may be a sign of data exfiltration and may require incident response.
+- Review IAM Policies: Review the IAM policies associated with the user to ensure that they have the appropriate permissions for their role. If necessary, update the policies to restrict access to sensitive resources.
+- Monitor for Future Activity: Continue to monitor the user's activity for any further suspicious behavior. Set up additional alerts or logging to detect any future unauthorized access attempts.
+
+### Additional Information
+
+For further guidance on managing and securing SNS topics in AWS environments, refer to the [AWS SNS documentation](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) and AWS best practices for security.
+"""
+references = ["https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ExportTableToPointInTime.html"]
+risk_score = 21
+rule_id = "e8ea6f58-0040-11f0-a243-f661ea17fbcd"
+setup = "DynamoDB data events must be enabled in CloudTrail to capture the ExportTableToPointInTime actions. Ensure that the AWS CloudTrail service is configured to log data events for DynamoDB tables."
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS DynamoDB",
+ "Resources: Investigation Guide",
+ "Use Case: Threat Detection",
+ "Tactic: Exfiltration",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+ and event.provider: "dynamodb.amazonaws.com"
+ and event.action: "ExportTableToPointInTime"
+ and aws.cloudtrail.flattened.request_parameters.dryRun: false
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "source.address",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "user_agent.original",
+ "event.action",
+ "event.outcome",
+ "cloud.region",
+ "aws.cloudtrail.flattened.request_parameters.clientToken",
+ "aws.cloudtrail.flattened.response_elements.s3Bucket",
+ "aws.cloudtrail.flattened.response_elements.tableArn",
+ "aws.cloudtrail.request_parameters",
+]
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["aws.cloudtrail.user_identity.arn"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+
diff --git a/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml b/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
index dc0a3ffc95b..54a349d5a62 100644
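Review bot: The `### Additional Information` paragraph in `note` still refers to "managing and securing SNS topics" and labels the link "AWS SNS documentation" although the URL is the DynamoDB security guide, which reads as copy-paste residue; it should read `For further guidance on managing and securing DynamoDB tables in AWS environments, refer to the [AWS DynamoDB security documentation](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) and AWS best practices for security.` In the same `note`, the New Terms sentence says the behavior is flagged "for the first time on a host" while `description` and `rule.new_terms` key on `aws.cloudtrail.user_identity.arn`, and both False Positive Analysis bullets end in "this may not be a false positive" where the surrounding reasoning (legitimate history, automated process) argues that it is one. The query has no `event.outcome` clause, unlike the Scan rule that precedes it, so a denied `ExportTableToPointInTime` attempt would alert as well; if that is intended the description should say "attempted", otherwise add `  and event.outcome: "success"`. The preceding Scan rule's `aws.cloudtrail.flattened.response_elements.subscriptionArn` investigation field looks like the same residue, since that name suggests an SNS response element rather than a DynamoDB one.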
--- a/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
@@ -2,16 +2,14 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.13.0"
-updated_date = "2025/01/22"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies AWS EC2 EBS snaphots being shared with another AWS account or made public. EBS virtual disks can be copied into snapshots,
-which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the
-snapshot into an environment they control, to access the data.
+Identifies AWS EC2 EBS snaphots being shared with another AWS account or made public. EBS virtual disks can be copied
+into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in
+order to copy the snapshot into an environment they control, to access the data.
 """
 false_positives = [
 """
@@ -23,7 +21,6 @@ language = "esql"
 license = "Elastic License v2"
 name = "AWS EC2 EBS Snapshot Shared or Made Public"
 note = """
-
 ## Triage and analysis
 ### Investigating AWS EC2 EBS Snapshot Shared or Made Public
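Review bot: Dropping `min_stack_comments` and `min_stack_version = "8.13.0"` from this ES|QL rule (and likewise in the later hunks for the S3 enumeration, ransom-note, external-KMS-key, console-login, login-profile, access-key, AdministratorAccess and Bedrock rules) is only safe if the repository's lowest supported stack is now at or above 8.13, which nothing in these hunks shows. I would state that precondition in the commit description rather than leave it implicit, since a rule without `min_stack_version` is eligible for every maintained branch. The remaining lines of the hunk re-wrap `description` and drop a blank line from `note` without changing meaning.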
@@ -64,7 +61,7 @@ references = [
 "https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html",
 "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump",
- "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/"
+ "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
 ]
 risk_score = 21
 rule_id = "4182e486-fc61-11ee-a05d-f661ea17fbce"
diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
index 37d950ef7f6..45a051a8d72 100644
--- a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
+++ b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
@@ -1,9 +1,7 @@
 [metadata]
 creation_date = "2024/05/01"
 maturity = "production"
-updated_date = "2024/11/07"
-min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -69,7 +67,7 @@ Attackers may attempt to enumerate names until a valid bucket is discovered and
 """
 references = [
 "https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1",
- "https://docs.aws.amazon.com/cli/latest/reference/s3api/"
+ "https://docs.aws.amazon.com/cli/latest/reference/s3api/",
 ]
 risk_score = 21
 rule_id = "5f0234fd-7f21-42af-8391-511d5fd11d5c"
@@ -81,7 +79,7 @@ tags = [
 "Data Source: AWS S3",
 "Resources: Investigation Guide",
 "Use Case: Log Auditing",
- "Tactic: Impact"
+ "Tactic: Impact",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -97,51 +95,44 @@ from logs-aws.cloudtrail*
 | where failed_requests > 40
 '''
-[rule.investigation_fields]
-field_names = [
- "source.address",
- "tls.client.server_name",
- "cloud.account.id",
- "failed_requests"
-]
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
- [rule.threat.tactic]
- id = "TA0040"
- name = "Impact"
- reference = "https://attack.mitre.org/tactics/TA0040/"
-
- [[rule.threat.technique]]
- id = "T1657"
- name = "Financial Theft"
- reference = "https://attack.mitre.org/techniques/T1657/"
+[[rule.threat.technique]]
+id = "T1657"
+name = "Financial Theft"
+reference = "https://attack.mitre.org/techniques/T1657/"
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
- [rule.threat.tactic]
- id = "TA0007"
- name = "Discovery"
- reference = "https://attack.mitre.org/tactics/TA0007/"
-
- [[rule.threat.technique]]
- id = "T1580"
- name = "Cloud Infrastructure Discovery"
- reference = "https://attack.mitre.org/techniques/T1580/"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
+
- [rule.threat.tactic]
- id = "TA0009"
- name = "Collection"
- reference = "https://attack.mitre.org/tactics/TA0009/"
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[rule.investigation_fields]
+field_names = ["source.address", "tls.client.server_name", "cloud.account.id", "failed_requests"]
- [[rule.threat.technique]]
- id = "T1530"
- name = "Data from Cloud Storage"
- reference = "https://attack.mitre.org/techniques/T1530/"
diff --git a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml
index 7ccae3829bd..c1ceaf67808 100644
--- a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml
+++ b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml
@@ -2,16 +2,14 @@
 creation_date = "2024/04/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.13.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
 Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call
-with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to
-a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
+with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured
+S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
 """
 false_positives = [
 """
@@ -24,7 +22,6 @@ language = "esql"
 license = "Elastic License v2"
 name = "Potential AWS S3 Bucket Ransomware Note Uploaded"
 note = """
-
 ## Triage and analysis
 ### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded
diff --git a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
index 00f5310dde8..ba1f3bf40a3 100644
--- a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
+++ b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
@@ -2,18 +2,20 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
-min_stack_version = "8.13.0"
-updated_date = "2025/02/03"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.
+Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption.
+Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS
+key to deny their victims access to their own data.
 """
 false_positives = [
 """
- Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before taking action.
+ Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an
+ account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before
+ taking action.
 """,
 ]
 from = "now-9m"
@@ -21,7 +23,6 @@ language = "esql"
 license = "Elastic License v2"
 name = "AWS S3 Object Encryption Using External KMS Key"
 note = """
-
 ## Triage and analysis
 ### Investigating AWS S3 Object Encryption Using External KMS Key
@@ -101,6 +102,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 | keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, target.bucketName, key.account.id, keyId, target.objectName
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml b/rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
index 40b20fe314e..946da73f024 100644
--- a/rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
+++ b/rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2024/08/19"
-integration = ['aws']
+integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -18,35 +16,6 @@ from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS Signin Single Factor Console Login with Federated User"
-references = [
- "https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"
-]
-risk_score = 47
-rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"
-severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Amazon Web Services",
- "Data Source: AWS",
- "Data Source: AWS Sign-In",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "esql"
-
-query = '''
-from logs-aws.cloudtrail-* metadata _id, _version, _index
-| where
- event.provider == "signin.amazonaws.com"
- and event.action == "GetSigninToken"
- and aws.cloudtrail.event_type == "AwsConsoleSignIn"
- and aws.cloudtrail.user_identity.type == "FederatedUser"
-| dissect aws.cloudtrail.additional_eventdata "{%{?mobile_version_key}=%{mobile_version}, %{?mfa_used_key}=%{mfa_used}}"
-| where mfa_used == "No"
-| keep @timestamp, event.action, aws.cloudtrail.event_type, aws.cloudtrail.user_identity.type
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -82,6 +51,34 @@ Federated users in AWS are granted temporary credentials to access resources, of
 - Review and update IAM policies and roles associated with federated users to ensure they follow the principle of least privilege.
 - Escalate the incident to the incident response team if any malicious activities are detected, and initiate a full security investigation to assess the impact and scope of the breach.
 - Monitor AWS CloudTrail and other relevant logs closely for any further unauthorized access attempts or anomalies related to federated user accounts."""
+references = ["https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"]
+risk_score = 47
+rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS",
+ "Data Source: AWS Sign-In",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-* metadata _id, _version, _index
+| where
+ event.provider == "signin.amazonaws.com"
+ and event.action == "GetSigninToken"
+ and aws.cloudtrail.event_type == "AwsConsoleSignIn"
+ and aws.cloudtrail.user_identity.type == "FederatedUser"
+| dissect aws.cloudtrail.additional_eventdata "{%{?mobile_version_key}=%{mobile_version}, %{?mfa_used_key}=%{mfa_used}}"
+| where mfa_used == "No"
+| keep @timestamp, event.action, aws.cloudtrail.event_type, aws.cloudtrail.user_identity.type
+'''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -95,7 +92,9 @@ name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
index bb9ebe52ce5..a7d7733a8b6 100644
--- a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
+++ b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/12/02"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "ES|QL available in technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2025/01/10"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
index 864cfdcd788..e790cc07d7c 100644
--- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
+++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
@@ -2,21 +2,19 @@
 creation_date = "2024/06/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
-creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation
-to create new programmatic access keys for another IAM user.
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a
+new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to
+create new programmatic access keys for another IAM user.
 """
 false_positives = [
 """
- While this can be normal behavior, it should be investigated to ensure validity.
- Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user.
+ While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+ should be using the IAM `CreateAccessKey` for the targeted user.
 """,
 ]
 from = "now-6m"
@@ -119,23 +117,6 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 aws.cloudtrail.user_identity.type
 '''
-[rule.investigation_fields]
-field_names = [
- "@timestamp",
- "user.name",
- "source.address",
- "aws.cloudtrail.user_identity.arn",
- "aws.cloudtrail.user_identity.type",
- "user_agent.original",
- "user.target.name",
- "event.action",
- "event.outcome",
- "cloud.region",
- "event.provider",
- "aws.cloudtrail.request_parameters",
- "aws.cloudtrail.response_elements",
-]
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -148,11 +129,12 @@ id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -164,8 +146,27 @@ id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "source.address",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "user_agent.original",
+ "user.target.name",
+ "event.action",
+ "event.outcome",
+ "cloud.region",
+ "event.provider",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements",
+]
+
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
index 360cee3a135..2af357fbb81 100644
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
@@ -2,23 +2,21 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
-attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of
-the IAM `AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy
-to an existing IAM user group.
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
+additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM
+`AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an
+existing IAM user group.
 """
 false_positives = [
 """
- While this can be normal behavior, it should be investigated to ensure validity.
- Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation
- to attach the `AdministratorAccess` policy to the user group.
+ While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+ should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user
+ group.
 """,
 ]
 from = "now-6m"
@@ -119,11 +117,12 @@ id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -135,6 +134,8 @@ id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
index 81f228df112..3c8939f17d1 100644
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
@@ -2,22 +2,20 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
-attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM `AttachRolePolicy` API operation
-to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
+additional permissions to compromised IAM roles. This rule looks for use of the IAM `AttachRolePolicy` API operation to
+attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.
 """
 false_positives = [
 """
- While this can be normal behavior, it should be investigated to ensure validity.
- Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation
- to attach the `AdministratorAccess` policy to the target role.
+ While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+ should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target
+ role.
 """,
 ]
 from = "now-6m"
@@ -118,11 +116,12 @@ id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -134,6 +133,8 @@ id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
index 32cc9331aca..3f6e64b95b6 100644
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
@@ -2,22 +2,20 @@
 creation_date = "2024/05/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
-attaching additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
+additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation
 to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.
 """
 false_positives = [
 """
- While this can be normal behavior, it should be investigated to ensure validity.
- Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation
- to attach the `AdministratorAccess` policy to the target user.
+ While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+ should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target
+ user.
 """,
 ]
 from = "now-6m"
@@ -119,22 +117,6 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 source.address
 '''
-[rule.investigation_fields]
-field_names = [
- "@timestamp",
- "user.name",
- "source.address",
- "aws.cloudtrail.user_identity.arn",
- "user_agent.original",
- "target.userName",
- "event.action",
- "policyName",
- "event.outcome",
- "cloud.region",
- "event.provider",
- "aws.cloudtrail.request_parameters"
-]
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -147,11 +129,12 @@ id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -163,8 +146,26 @@ id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "source.address",
+ "aws.cloudtrail.user_identity.arn",
+ "user_agent.original",
+ "target.userName",
+ "event.action",
+ "policyName",
+ "event.outcome",
+ "cloud.region",
+ "event.provider",
+ "aws.cloudtrail.request_parameters",
+]
+
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml b/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml
index 97d37e0f96e..ea726f44005 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml
@@ -1,31 +1,24 @@ [metadata] creation_date = "2024/11/25" maturity = "production" -updated_date = "2025/01/17" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies multiple AWS Bedrock executions in a one minute time window without guardrails by the same user in the same account over a session. Multiple -consecutive executions implies that a user may be intentionally attempting to bypass security controls, by not routing the requests with the desired guardrail configuration -in order to access sensitive information, or possibly exploit a vulnerability in the system. +Identifies multiple AWS Bedrock executions in a one minute time window without guardrails by the same user in the same +account over a session. Multiple consecutive executions implies that a user may be intentionally attempting to bypass +security controls, by not routing the requests with the desired guardrail configuration in order to access sensitive +information, or possibly exploit a vulnerability in the system. 
""" -false_positives = ["Users testing new model deployments or updated compliance policies without Amazon Bedrock guardrails."] +false_positives = [ + "Users testing new model deployments or updated compliance policies without Amazon Bedrock guardrails.", +] from = "now-60m" interval = "10m" language = "esql" license = "Elastic License v2" name = "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session" -references = [ - "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", - "https://atlas.mitre.org/techniques/AML.T0051", - "https://atlas.mitre.org/techniques/AML.T0054", - "https://www.elastic.co/security-labs/elastic-advances-llm-security" -] -risk_score = 47 -rule_id = "f2c653b7-7daf-4774-86f2-34cdbd1fc528" note = """## Triage and analysis ### Investigating AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session @@ -58,6 +51,14 @@ Guardrails help manage risks associated with AI usage and ensure the output alig - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", +] +risk_score = 47 +rule_id = "f2c653b7-7daf-4774-86f2-34cdbd1fc528" setup = """## Setup This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: @@ -87,3 +88,4 @@ from logs-aws_bedrock.invocation-* | where model_invocation_without_guardrails > 5 | sort model_invocation_without_guardrails desc ''' + 
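Review bot: The reflowed description still reads `Multiple consecutive executions implies that a user may be intentionally attempting to bypass`, where subject and verb disagree; since these lines are being rewritten anyway, change it to `Multiple consecutive executions imply that a user may be intentionally attempting to bypass`. Fixing it here avoids a second content edit and `updated_date` bump for a one-word change.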
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml index e740725fd7a..11dcb4124e3 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2024/05/02" maturity = "production" -updated_date = "2025/01/17" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -18,14 +16,6 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session" -references = [ - "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", - "https://atlas.mitre.org/techniques/AML.T0051", - "https://atlas.mitre.org/techniques/AML.T0054", - "https://www.elastic.co/security-labs/elastic-advances-llm-security" -] -risk_score = 47 -rule_id = "0cd2f3e6-41da-40e6-b28b-466f688f00a6" note = """## Triage and analysis ### Investigating AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session 
@@ -62,6 +52,14 @@ and they can establish thresholds for harmful content categories, including hate - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", +] +risk_score = 47 +rule_id = "0cd2f3e6-41da-40e6-b28b-466f688f00a6" setup = """## Setup This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: @@ -89,3 +87,4 @@ from logs-aws_bedrock.invocation-* | where violations > 1 | sort violations desc ''' + diff --git a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml index 76b8d2869cb..9d28ad526c5 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2024/05/02" maturity = "production" -updated_date = "2027/01/17" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,14 +16,6 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request" -references = [ - "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", - "https://atlas.mitre.org/techniques/AML.T0051", - "https://atlas.mitre.org/techniques/AML.T0054", - "https://www.elastic.co/security-labs/elastic-advances-llm-security" -] -risk_score = 21 -rule_id = "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c" note = """## Triage and analysis ### Investigating AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request @@ -62,6 +52,14 @@ and they can establish thresholds for harmful content categories, including hate - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", +] +risk_score = 21 +rule_id = "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c" setup = """## Setup This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: @@ -90,3 +88,4 @@ from logs-aws_bedrock.invocation-* | stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id | sort total_unique_request_violations desc ''' + diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml index 4d4d1e69729..c3cfe44e0e3 100644 
--- a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml @@ -1,15 +1,14 @@ [metadata] creation_date = "2024/05/05" maturity = "production" -updated_date = "2025/01/17" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Detects repeated high-confidence 'BLOCKED' actions coupled with specific 'Content Filter' policy violation having codes such as 'MISCONDUCT', -'HATE', 'SEXUAL', INSULTS', 'PROMPT_ATTACK', 'VIOLENCE' indicating persistent misuse or attempts to probe the model's ethical boundaries. +Detects repeated high-confidence 'BLOCKED' actions coupled with specific 'Content Filter' policy violation having codes +such as 'MISCONDUCT', 'HATE', 'SEXUAL', INSULTS', 'PROMPT_ATTACK', 'VIOLENCE' indicating persistent misuse or attempts +to probe the model's ethical boundaries. """ false_positives = ["New model deployments.", "Testing updates to compliance policies."] from = "now-60m" @@ -17,14 +16,6 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "Unusual High Confidence Content Filter Blocks Detected" -references = [ - "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", - "https://atlas.mitre.org/techniques/AML.T0051", - "https://atlas.mitre.org/techniques/AML.T0054", - "https://www.elastic.co/security-labs/elastic-advances-llm-security" -] -risk_score = 47 -rule_id = "4f855297-c8e0-4097-9d97-d653f7e471c4" note = """## Triage and analysis ### Investigating Unusual High Confidence Content Filter Blocks Detected 
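Review bot: The rewrapped description keeps an unbalanced quote in the list of violation codes: `'SEXUAL', INSULTS', 'PROMPT_ATTACK'` is missing the opening quote on INSULTS and should read `'SEXUAL', 'INSULTS', 'PROMPT_ATTACK'`. The description is user-facing rule text, and every line of this paragraph is already being rewritten in the hunk, so this is the natural place to correct it.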
@@ -60,6 +51,14 @@ to prevent the model from generating content on specific, undesired subjects, an - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", +] +risk_score = 47 +rule_id = "4f855297-c8e0-4097-9d97-d653f7e471c4" setup = """## Setup This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: @@ -93,3 +92,4 @@ from logs-aws_bedrock.invocation-* | WHERE violation_count > 5 | SORT violation_count DESC ''' + diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml index 16f8a74bde9..e2d5e0deda7 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml 
@@ -1,16 +1,15 @@ [metadata] creation_date = "2024/05/04" maturity = "production" -updated_date = "2025/01/17" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive -large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or -causing service disruptions. +Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high +input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to +overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing +service disruptions. """ false_positives = ["Authorized heavy usage of the system that is business justified and monitored."] from = "now-60m" @@ -18,13 +17,6 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "Potential Abuse of Resources by High Token Count and Large Response Sizes" -references = [ - "https://atlas.mitre.org/techniques/AML.T0051", - "https://owasp.org/www-project-top-10-for-large-language-model-applications/", - "https://www.elastic.co/security-labs/elastic-advances-llm-security", -] -risk_score = 47 -rule_id = "b1773d05-f349-45fb-9850-287b8f92f02d" note = """## Triage and analysis ### Investigating Potential Abuse of Resources by High Token Count and Large Response Sizes 
@@ -59,6 +51,13 @@ Bedrock offers a variety of pretrained models from Amazon (such as the Titan ser - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://atlas.mitre.org/techniques/AML.T0051", + "https://owasp.org/www-project-top-10-for-large-language-model-applications/", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", +] +risk_score = 47 +rule_id = "b1773d05-f349-45fb-9850-287b8f92f02d" setup = """## Setup This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: @@ -74,7 +73,7 @@ tags = [ "Use Case: Potential Overload", "Use Case: Resource Exhaustion", "Mitre Atlas: LLM04", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "esql" @@ -92,3 +91,4 @@ from logs-aws_bedrock.invocation-* | where risk_factor > 10 | sort risk_factor desc ''' + diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml index 56da20720ea..631b76a1e44 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2024/05/02" maturity = "production" -updated_date = "2025/01/17" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,14 +16,6 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User" -references = [ - "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", - "https://atlas.mitre.org/techniques/AML.T0015", - "https://atlas.mitre.org/techniques/AML.T0034", - "https://www.elastic.co/security-labs/elastic-advances-llm-security" -] -risk_score = 73 -rule_id = "17261da3-a6d0-463c-aac8-ea1718afcd20" note = """## Triage and analysis ### Investigating AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User @@ -58,6 +48,14 @@ Bedrock offers a variety of pretrained models from Amazon (such as the Titan ser - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0015", + "https://atlas.mitre.org/techniques/AML.T0034", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", +] +risk_score = 73 +rule_id = "17261da3-a6d0-463c-aac8-ea1718afcd20" setup = """## Setup This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: @@ -86,10 +84,8 @@ from logs-aws_bedrock.invocation-* | sort total_denials desc ''' + + [rule.investigation_fields] -field_names = [ - "user.id", - "cloud.account.id", - "gen_ai.request.model.id", - "total_denials" -] +field_names = ["user.id", "cloud.account.id", "gen_ai.request.model.id", "total_denials"] + 
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml index a2d25204e98..8d521be1e61 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml @@ -1,15 +1,13 @@ [metadata] creation_date = "2024/11/20" maturity = "production" -updated_date = "2025/01/17" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as 'sensitive_information_policy', -indicating persistent misuse or attempts to probe the model's denied topics. +Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as +'sensitive_information_policy', indicating persistent misuse or attempts to probe the model's denied topics. """ false_positives = ["New model deployments.", "Testing updates to compliance policies."] from = "now-60m" @@ -17,14 +15,6 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "Unusual High Denied Sensitive Information Policy Blocks Detected" -references = [ - "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", - "https://atlas.mitre.org/techniques/AML.T0051", - "https://atlas.mitre.org/techniques/AML.T0054", - "https://www.elastic.co/security-labs/elastic-advances-llm-security" -] -risk_score = 47 -rule_id = "0e1af929-42ed-4262-a846-55a7c54e7c84" note = """## Triage and analysis ### Investigating Unusual High Denied Sensitive Information Policy Blocks Detected 
@@ -60,6 +50,14 @@ and they can establish thresholds for harmful content categories. - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", +] +risk_score = 47 +rule_id = "0e1af929-42ed-4262-a846-55a7c54e7c84" setup = """## Setup This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: @@ -88,3 +86,4 @@ from logs-aws_bedrock.invocation-* | where sensitive_information_block > 5 | sort sensitive_information_block desc ''' + diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml index 362f78738d8..e5674aaf888 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2024/11/20" maturity = "production" -updated_date = "2025/01/17" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,14 +15,6 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "Unusual High Denied Topic Blocks Detected" -references = [ - "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", - "https://atlas.mitre.org/techniques/AML.T0051", - "https://atlas.mitre.org/techniques/AML.T0054", - "https://www.elastic.co/security-labs/elastic-advances-llm-security" -] -risk_score = 47 -rule_id = "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73" note = """## Triage and analysis ### Investigating Unusual High Denied Topic Blocks Detected @@ -60,6 +50,14 @@ and they can establish thresholds for harmful content categories, including hate - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", +] +risk_score = 47 +rule_id = "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73" setup = """## Setup This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: @@ -88,3 +86,4 @@ from logs-aws_bedrock.invocation-* | where denied_topics > 5 | sort denied_topics desc ''' + diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml index f7d7e436e95..5839ffdcad4 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml 
@@ -2,18 +2,16 @@ creation_date = "2024/09/11" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2025/01/17" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the InvokeModel or -InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or corresponding value. -These errors also occur when you use an inference parameter for one model with a model that doesn't have the same API parameter. -This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring -exhorbitant costs. +Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the +InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or +corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn't +have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an +impact on the environment by incurring exhorbitant costs. """ false_positives = ["Legitimate misunderstanding by users on accessing the bedrock models."] from = "now-60m" 
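Review bot: The rewrapped description carries two spelling errors into the new lines: `Identifies multiple validation exeception errors within AWS Bedrock.` should read `Identifies multiple validation exception errors within AWS Bedrock.`, and `impact on the environment by incurring exhorbitant costs.` should read `impact on the environment by incurring exorbitant costs.`. Since the whole paragraph is being rewritten here, correcting them now avoids another content bump later.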
@@ -21,14 +19,6 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User" -references = [ - "https://atlas.mitre.org/techniques/AML.T0015", - "https://atlas.mitre.org/techniques/AML.T0034", - "https://atlas.mitre.org/techniques/AML.T0046", - "https://www.elastic.co/security-labs/elastic-advances-llm-security" -] -risk_score = 73 -rule_id = "725a048a-88c5-4fc7-8677-a44fc0031822" note = """## Triage and analysis ### Investigating AWS Bedrock Detected Multiple Validation Exception Errors by a Single User @@ -62,6 +52,14 @@ Bedrock offers a variety of pretrained models from Amazon (such as the Titan ser - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://atlas.mitre.org/techniques/AML.T0015", + "https://atlas.mitre.org/techniques/AML.T0034", + "https://atlas.mitre.org/techniques/AML.T0046", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", +] +risk_score = 73 +rule_id = "725a048a-88c5-4fc7-8677-a44fc0031822" setup = """## Setup This rule requires that AWS Bedrock Integration be configured. For more information, see the AWS Bedrock integration documentation: @@ -94,11 +92,8 @@ from logs-aws_bedrock.invocation-* | where total_denials > 3 ''' + + [rule.investigation_fields] -field_names = [ - "target_time_window", - "user.id", - "cloud.account.id", - "total_denials" +field_names = ["target_time_window", "user.id", "cloud.account.id", "total_denials"] -] diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml index e0a4457a13d..ad942edf801 100644 
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2024/11/20" maturity = "production" -updated_date = "2025/01/17" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -17,14 +15,6 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "Unusual High Word Policy Blocks Detected" -references = [ - "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", - "https://atlas.mitre.org/techniques/AML.T0051", - "https://atlas.mitre.org/techniques/AML.T0054", - "https://www.elastic.co/security-labs/elastic-advances-llm-security" -] -risk_score = 47 -rule_id = "3216949c-9300-4c53-b57a-221e364c6457" note = """## Triage and analysis ### Investigating Unusual High Word Policy Blocks Detected @@ -60,6 +50,14 @@ and they can establish thresholds for harmful content categories, including hate - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", +] +risk_score = 47 +rule_id = "3216949c-9300-4c53-b57a-221e364c6457" setup = """## Setup This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: 
@@ -88,3 +86,4 @@ from logs-aws_bedrock.invocation-* | where profanity_words > 5 | sort profanity_words desc ''' + diff --git a/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml b/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml index 433effe6628..64c8660b6c6 100644 --- a/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml +++ b/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml @@ -2,9 +2,7 @@ creation_date = "2024/12/11" integration = ["azure"] maturity = "production" -min_stack_comments = "ES|QL not available until 8.13.0 in technical preview." -min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/credential_access_entra_password_spraying_non_interactive_sfa.toml b/rules/integrations/azure/credential_access_entra_password_spraying_non_interactive_sfa.toml index a22123a9d77..492016712a2 100644 --- a/rules/integrations/azure/credential_access_entra_password_spraying_non_interactive_sfa.toml +++ b/rules/integrations/azure/credential_access_entra_password_spraying_non_interactive_sfa.toml @@ -2,9 +2,7 @@ creation_date = "2025/03/07" integration = ["azure"] maturity = "production" -min_stack_comments = "ES|QL not available until 8.13.0 in technical preview." -min_stack_version = "8.13.0" -updated_date = "2025/03/07" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -75,9 +73,7 @@ This rule identifies repeated failed authentication attempts using non-interacti - Regularly audit authentication logs in `azure.signinlogs` to detect abnormal login behavior and ensure early detection of potential attacks. - Regularly rotate client credentials and secrets for applications using non-interactive authentication to reduce the risk of credential theft. """ -references = [ - "https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf" -] +references = ["https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf"] risk_score = 47 rule_id = "cca64114-fb8b-11ef-86e2-f661ea17fbce" severity = "medium" diff --git a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml index 7e451f3a75d..dd16980f85b 100644 --- a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml +++ b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml @@ -2,9 +2,7 @@ creation_date = "2024/09/06" integration = ["azure"] maturity = "production" -min_stack_comments = "ES|QL not available until 8.13.0 in technical preview." -min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -21,8 +19,8 @@ false_positives = [ """, ] from = "now-60m" -language = "esql" interval = "10m" +language = "esql" license = "Elastic License v2" name = "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts" note = """## Triage and analysis 
@@ -64,7 +62,7 @@ Azure Entra ID, integral to Microsoft 365, manages user identities and access. A This rule relies on Azure Entra ID sign-in logs, but filters for Microsoft 365 resources.""" references = [ "https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying", - "https://github.com/0xZDH/o365spray" + "https://github.com/0xZDH/o365spray", ] risk_score = 47 rule_id = "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc" diff --git a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml index 1f6c63cef5c..ea4e11128c2 100644 --- a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml +++ b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml @@ -2,17 +2,15 @@ creation_date = "2024/09/06" integration = ["azure"] maturity = "production" -min_stack_comments = "ES|QL not available until 8.13.0 in technical preview." -min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed -interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user -accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or -Teams. +interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to +brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, +SharePoint, or Teams. """ false_positives = [ """ 
@@ -21,8 +19,8 @@ false_positives = [ """, ] from = "now-30m" -language = "esql" interval = "10m" +language = "esql" license = "Elastic License v2" name = "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source" note = """## Triage and analysis @@ -64,7 +62,7 @@ Azure Entra ID, integral to Microsoft 365, manages identity and access, ensuring This rule relies on Azure Entra ID sign-in logs, but filters for Microsoft 365 resources.""" references = [ "https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying", - "https://github.com/0xZDH/o365spray" + "https://github.com/0xZDH/o365spray", ] risk_score = 47 rule_id = "c6655282-6c79-11ef-bbb5-f661ea17fbcc" diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml index 0cfd973a7e2..e933aafc5ea 100644 --- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml +++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["azure"] maturity = "production" -updated_date = "2025/02/18" +updated_date = "2025/02/21" [rule] author = ["Elastic", "Matteo Potito Giorgio"] @@ -19,8 +19,6 @@ license = "Elastic License v2" name = "First Occurrence of Entra ID Auth via DeviceCode Protocol" note = """## Triage and analysis -## Triage and Analysis - ### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol This rule detects the first instance of a user authenticating via the **DeviceCode** authentication protocol within a **14-day window**. The **DeviceCode** authentication workflow is designed for devices that lack keyboards, such as IoT devices and smart TVs. However, adversaries can abuse this mechanism by phishing users and stealing authentication tokens, leading to unauthorized access. 
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml deleted file mode 100644 index a963a57337c..00000000000 --- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml +++ /dev/null 
@@ -1,92 +0,0 @@ -[metadata] -creation_date = "2021/05/05" -integration = ["azure"] -maturity = "production" -updated_date = "2025/01/15" - -[rule] -author = ["Elastic", "Austin Songer"] -description = """ -Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be -added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with -granted permissions will allow the attacker to access data that is normally protected by MFA requirements. -""" -false_positives = [ - """ - Service principal credential additions may be done by a system or network administrator. Verify whether the - username, hostname, and/or resource name should be making changes in your environment. Credential additions from - unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted - from the rule. - """, -] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] -interval = "10m" -language = "kuery" -license = "Elastic License v2" -name = "Azure Service Principal Credentials Added" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Azure Service Principal Credentials Added - -Azure Service Principals are identities used by applications or services to access Azure resources securely. They are typically granted specific permissions, and credentials are rarely updated. Adversaries may exploit this by adding unauthorized credentials, gaining access to sensitive data without triggering MFA. 
The detection rule monitors audit logs for successful additions of service principal credentials, flagging potential unauthorized access attempts. - -### Possible investigation steps - -- Review the Azure audit logs to identify the specific service principal for which credentials were added, focusing on entries with the operation name "Add service principal credentials" and a successful outcome. -- Determine the identity of the user or application that performed the credential addition by examining the associated user or application ID in the audit log entry. -- Investigate the permissions and roles assigned to the affected service principal to assess the potential impact of unauthorized access. -- Check for any recent changes or unusual activity associated with the service principal, such as modifications to permissions or unexpected resource access patterns. -- Correlate the event with other security logs and alerts to identify any related suspicious activities or potential indicators of compromise within the environment. -- Contact the owner or responsible team for the service principal to verify if the credential addition was authorized and legitimate. - -### False positive analysis - -- Routine credential updates for service principals used in automated deployment processes can trigger alerts. To manage this, identify and document these processes, then create exceptions for known service principals involved in regular updates. -- Credential additions by authorized IT personnel during scheduled maintenance or upgrades may be flagged. Implement a change management process to log and verify these activities, allowing you to exclude them from triggering alerts. -- Integration of new third-party applications that require service principal credentials might cause false positives. Maintain an inventory of approved third-party integrations and exclude their credential additions from monitoring. 
-- Development and testing environments often see frequent credential changes. Segregate these environments from production in your monitoring setup to reduce unnecessary alerts. -- Credential rotations as part of security best practices can be mistaken for unauthorized additions. Establish a schedule for credential rotations and configure your monitoring to recognize these as legitimate activities. - -### Response and remediation - -- Immediately revoke the newly added credentials for the affected Azure Service Principal to prevent unauthorized access. -- Conduct a thorough review of the audit logs to identify any unauthorized activities performed using the compromised Service Principal credentials. -- Reset and update the credentials for the affected Service Principal, ensuring they are stored securely and access is restricted to authorized personnel only. -- Notify the security team and relevant stakeholders about the incident, providing details of the unauthorized credential addition and any potential data access. -- Implement additional monitoring on the affected Service Principal and related resources to detect any further suspicious activities. -- Review and tighten the permissions granted to the Service Principal to ensure they follow the principle of least privilege. -- Consider enabling conditional access policies or additional security measures, such as IP whitelisting, to enhance protection against similar threats in the future. 
- -## Setup - -The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" -references = ["https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"] -risk_score = 47 -rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4" -severity = "medium" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Impact", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1496" -name = "Resource Hijacking" -reference = "https://attack.mitre.org/techniques/T1496/" - - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml index 36052a03911..7436a8d4318 100644 --- a/rules/integrations/azure/impact_virtual_network_device_modified.toml +++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml @@ -2,13 +2,15 @@ creation_date = "2020/08/12" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/03/24" [rule] author = ["Austin Songer"] description = """ Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router. + +**Deprecated Notice** - This rule has been deprecated in favor of other rules that provide more contextual threat behavior for Azure Virtual Network. """ false_positives = [ """ 
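Review bot: The deprecation of this rule is expressed only in the description, the name and the note, while `maturity = "production"` stays unchanged in the context of `@@ -2,13 +2,15 @@` and the file remains under `rules/integrations/azure/`; if this repository marks deprecated rules through a `maturity` change and a deprecation date, this hunk leaves the rule active and still shipping with the production set, so that should be confirmed before merge. Either way the notice should name the replacement rules rather than "other rules that provide more contextual threat behavior", so an analyst triaging an existing alert can find where the coverage moved. The same wording is repeated in the `@@ -22,13 +24,15 @@` hunk below, and the `[rule]` table continues outside both hunks.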
@@ -22,13 +24,15 @@ from = "now-25m" index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" -name = "Azure Virtual Network Device Modified or Deleted" +name = "Deprecated - Azure Virtual Network Device Modified or Deleted" note = """## Triage and analysis +**Deprecated Notice** - This rule has been deprecated in favor of other rules that provide more contextual threat behavior for Azure Virtual Network. + > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure Virtual Network Device Modified or Deleted +### Investigating Deprecated - Azure Virtual Network Device Modified or Deleted Azure virtual network devices, such as network interfaces, virtual hubs, and routers, are crucial for managing network traffic and connectivity in cloud environments. Adversaries may target these devices to disrupt services or reroute traffic for malicious purposes. The detection rule monitors specific Azure activity logs for operations indicating modifications or deletions of these devices, helping identify potential unauthorized changes that could signify an attack. diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml deleted file mode 100644 index c29f64f1436..00000000000 --- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml +++ /dev/null 
@@ -1,128 +0,0 @@ -[metadata] -creation_date = "2020/09/01" -integration = ["azure", "o365"] -maturity = "production" -updated_date = "2024/12/05" - -[rule] -author = ["Elastic"] -description = """ -Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide -permissions to an application. An adversary may create an Azure-registered application that requests access to data such -as contact information, email, or documents. -""" -from = "now-25m" -index = ["filebeat-*", "logs-azure*", "logs-o365*"] -language = "kuery" -license = "Elastic License v2" -name = "Possible Consent Grant Attack via Azure-Registered Application" -note = """## Triage and analysis - -### Investigating Possible Consent Grant Attack via Azure-Registered Application - -In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization. - -Official Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants). - -#### Possible investigation steps - -- From the Azure AD portal, Review the application that was granted permissions: - - Click on the `Review permissions` button on the `Permissions` blade of the application. 
- - An app should require only permissions related to the app's purpose. If that's not the case, the app might be risky. - - Apps that require high privileges or admin consent are more likely to be risky. -- Investigate the app and the publisher. The following characteristics can indicate suspicious apps: - - A low number of downloads. - - Low rating or score or bad comments. - - Apps with a suspicious publisher or website. - - Apps whose last update is not recent. This might indicate an app that is no longer supported. -- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected. - -### False positive analysis - -- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access. - -### Response and remediation - -- Initiate the incident response process based on the outcome of the triage. -- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: - - Identify the account role in the cloud environment. - - Assess the criticality of affected services and servers. - - Work with your IT team to identify and minimize the impact on users. - - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. - - Identify any regulatory or legal ramifications related to this activity. -- Disable the malicious application to stop user access and the application access to your data. -- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task. -- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task. -- Revoke the refresh token for all users assigned to the application. 
Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task. -- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft. -- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. -- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook. -- Disable the permission for a user to set consent permission on their behalf. - - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature. -- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
- -## Setup - -The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" -references = [ - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", - "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", - "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps", -] -risk_score = 47 -rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38" -severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Azure", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Initial Access", - "vigilant.tuned", - "vigilant.tuned_date.02-19-25", -] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and - ( - azure.activitylogs.operation_name:"Consent to application" or - azure.auditlogs.operation_name:"Consent to application" or - event.action:"Consent to application." - ) and - event.outcome:(Success or success) -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" - - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" - - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - 
diff --git a/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml new file mode 100644 index 00000000000..9ef4177c59b --- /dev/null +++ b/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml 
@@ -0,0 +1,145 @@ +[metadata] +creation_date = "2020/09/01" +integration = ["azure"] +maturity = "production" +updated_date = "2025/03/24" + +[rule] +author = ["Elastic"] +description = """ +Identifies an illicit consent grant request on-behalf-of a registered Entra ID application. Adversaries may create and +register an application in Microsoft Entra ID for the purpose of requesting user consent to access resources. This is +accomplished by tricking a user into granting consent to the application, typically via a pre-made phishing URL. This +establishes an OAuth grant that allows the malicious client applocation to access resources on-behalf-of the user. +""" +from = "now-9m" +index = ["filebeat-*", "logs-azure*"] +language = "kuery" +license = "Elastic License v2" +name = "Microsoft Entra ID Illicit Consent Grant via Registered Application" +note = """## Triage and analysis + +### Investigating Microsoft Entra ID Illicit Consent Grant via Registered Application + +Adversaries may register a malicious application in Microsoft Entra ID and trick users into granting excessive permissions via OAuth consent. These applications can access sensitive data—such as mail, profiles, or files—on behalf of the user once consent is granted. This is commonly delivered via spearphishing links that prompt users to approve permissions for seemingly legitimate applications. + +This rule identifies a new consent grant event based on Azure audit logs where the application was granted access with potentially risky scopes, such as offline_access, Mail.Read, or User.Read, and may include admin consent or tenant-wide delegation. + +This is a New Terms rule that will only trigger if the user and client ID have not been seen doing this activity in the last 14 days. 
+ +#### Possible investigation steps + +- Review `azure.auditlogs.properties.additional_details.value` to identify the AppId and User-Agent values to determine which application was granted access and how the request was initiated. Pivot on the AppId in the Azure portal under Enterprise Applications to investigate further. +- Review `azure.auditlogs.properties.initiated_by.user.userPrincipalName` to identify the user who approved the application. Investigate their recent activity for signs of phishing, account compromise, or anomalous behavior during the timeframe of the consent. +- Review `azure.auditlogs.properties.initiated_by.user.ipAddress` to assess the geographic source of the consent action. Unexpected locations or IP ranges may indicate adversary-controlled infrastructure. +- Review `azure.auditlogs.properties.target_resources.display_name` to evaluate whether the application name is familiar, expected, or potentially spoofing a known service. +- Review `azure.auditlogs.properties.target_resources.modified_properties.display_name` to inspect key indicators of elevated privilege or risk, including: + - ConsentContext.IsAdminConsent to determine if the application was granted tenant-wide admin access. + - ConsentContext.OnBehalfOfAll to identify whether the app was granted permissions on behalf of all users in the tenant. + - ConsentAction.Permissions to evaluate the specific scopes and data access the application requested. + - ConsentAction.Reason to understand if Microsoft flagged the activity or if any reason was recorded by the platform. + - TargetId.ServicePrincipalNames to confirm the service principal associated with the granted permissions. +- Review `azure.tenant_id` to confirm the activity originated from your tenant and is not related to a cross-tenant application. +- Review `@timestamp` and `azure.auditlogs.properties.correlation_id` to pivot into related sign-in, token usage, or application activity for further context. 
+ +### False positive analysis + +- Some applications may request high-privilege scopes for legitimate purposes. Validate whether the application is verified, developed by Microsoft, or approved internally by your organization. +- Review publisher verification, app ownership, and scope alignment with the intended business use case. + +### Response and remediation + +- Revoke the application’s OAuth grant using Graph API or PowerShell. Use the Remove-AzureADOAuth2PermissionGrant cmdlet. +- Remove the associated service principal from Azure AD. +- Reset credentials or revoke tokens for affected users. +- Block the application via Conditional Access or Defender for Cloud Apps policies. +- Enable the Admin Consent Workflow in Azure AD to prevent unsanctioned user approvals in the future. +- Report any malicious applications to Microsoft to protect other tenants. +""" +references = [ + "https://www.wiz.io/blog/midnight-blizzard-microsoft-breach-analysis-and-best-practices", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", + "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", + "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps", +] +risk_score = 47 +rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access", + "Tactic: Credential Access", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +event.dataset: "azure.auditlogs" and + ( + azure.auditlogs.operation_name:"Consent to application" + or event.action:"Consent to application" + ) + and event.outcome: "success" + and 
azure.auditlogs.properties.additional_details.key: "AppId" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[rule.investigation_fields] +field_names = [ + "@timestamp", + "event.action", + "event.outcome", + "azure.auditlogs.properties.initiated_by.user.userPrincipalName", + "azure.auditlogs.properties.initiated_by.user.ipAddress", + "azure.auditlogs.properties.additional_details.value", + "azure.tenant_id", + "cloud.region", + "azure.auditlogs.properties.target_resources.0.display_name" +] + +[rule.new_terms] +field = "new_terms_fields" +value = [ + "azure.auditlogs.properties.initiated_by.user.userPrincipalName", + "azure.auditlogs.properties.additional_details.value", +] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" + + diff --git a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml index 6e7e09e5912..be3ebf75d6f 100644 --- a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml 
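Review bot: The query in this new rule matches `event.outcome: "success"` only, whereas the file it replaces under the same `rule_id` (`initial_access_consent_grant_attack_via_azure_registered_application.toml`, removed earlier in this diff) accepted `event.outcome:(Success or success)`; if the audit-log integration still emits a capitalized value for some events those consent grants are silently dropped, so either keep both spellings or confirm the field is normalized before tightening it. The description also has a typo: `client applocation` should read `client application`. Separately, `azure.auditlogs.properties.additional_details.value` is used as a new-terms field although the investigation steps say it carries both the AppId and the User-Agent; if that field is multi-valued, a user consenting to the same app from a new browser will present as a new term, so it is worth checking whether the term should be keyed on the AppId value alone.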
@@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/03/10" +updated_date = "2025/03/25" [rule] author = ["Elastic"] @@ -13,13 +13,13 @@ an attempt to bypass conditional access policies (CAP) and multi-factor authenti authentication requirements specified may not be commonly used by the user based on their historical sign-in activity. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Entra ID Rare Authentication Requirement for Principal User" +name = "Microsoft Entra ID Rare Authentication Requirement for Principal User" note = """## Triage and analysis -### Investigating Azure Entra ID Rare Authentication Requirement for Principal User +### Investigating Microsoft Entra ID Rare Authentication Requirement for Principal User Identifies rare instances of authentication requirements for Azure Entra ID principal users. An adversary with stolen credentials may attempt to authenticate with unusual authentication requirements, which is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The authentication requirements specified may not be commonly used by the user based on their historical sign-in activity. @@ -72,8 +72,8 @@ severity = "medium" tags = [ "Domain: Cloud", "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra ID Sign-in", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Tactic: Initial Access", 
@@ -85,8 +85,10 @@ type = "new_terms" query = ''' event.dataset: "azure.signinlogs" and event.category: "authentication" and azure.signinlogs.properties.user_type: "Member" - and not azure.signinlogs.properties.client_app_used: "Browser" + and azure.signinlogs.properties.authentication_details.authentication_method: "Password" + and not azure.signinlogs.properties.device_detail.browser: * and not source.as.organization.name: "MICROSOFT-CORP-MSN-AS-BLOCK" + and not azure.signinlogs.properties.authentication_requirement: "multiFactorAuthentication" ''' @@ -108,6 +110,24 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml deleted file mode 100644 index 78a2a290ba5..00000000000 --- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml +++ /dev/null 
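Review bot: The query hunk at `@@ -85,8 +85,10 @@` now restricts the rule to `authentication_method: "Password"` sign-ins with no browser and excludes `authentication_requirement: "multiFactorAuthentication"`, but the description and the `### Investigating` paragraph in the earlier hunk still present the rule as detecting "unusual authentication requirements" in general; with MFA excluded it effectively alerts on a user's first rare single-factor, non-browser password sign-in, and the text should say so. The added T1110.003 Password Spraying mapping likewise implies a volume pattern that a per-user new-terms rule does not establish on its own, so the note should state that the rule fires on first sighting rather than on a spray count. `authentication_details.authentication_method` is the only nested field in the query while the rest filters on flat `azure.signinlogs.properties.*` keys, so confirm the path against the integration mapping. The `[rule]` table continues outside the hunk.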
@@ -1,84 +0,0 @@ -[metadata] -creation_date = "2020/09/01" -integration = ["azure"] -maturity = "production" -updated_date = "2025/01/15" - -[rule] -author = ["Elastic"] -description = """ -Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to -resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action -such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to -weaken their target's security controls. -""" -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] -language = "kuery" -license = "Elastic License v2" -name = "Azure Conditional Access Policy Modified" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Azure Conditional Access Policy Modified - -Azure Conditional Access policies are critical for managing secure access to resources by enforcing specific conditions, such as requiring multi-factor authentication. Adversaries may exploit this by altering policies to weaken security, potentially bypassing authentication measures. The detection rule monitors logs for successful modifications to these policies, flagging potential unauthorized changes that could indicate malicious activity. - -### Possible investigation steps - -- Review the Azure activity and audit logs to identify the specific user account associated with the "Update conditional access policy" action and verify if the modification was authorized. 
-- Examine the details of the modified Conditional Access policy to understand the changes made, focusing on any alterations that could weaken security, such as the removal of multi-factor authentication requirements. -- Check the event.outcome field to confirm the success of the policy modification and correlate it with any recent access attempts or suspicious activities involving the affected resources. -- Investigate the history of changes to the Conditional Access policies to identify any patterns or repeated unauthorized modifications that could indicate persistent malicious activity. -- Assess the user's role and permissions to determine if they have legitimate access to modify Conditional Access policies, and review any recent changes to their account or role assignments. - -### False positive analysis - -- Routine administrative updates to Conditional Access policies by authorized IT personnel can trigger alerts. To manage this, maintain a list of authorized users and their expected activities, and create exceptions for these users in the monitoring system. -- Scheduled policy reviews and updates as part of regular security audits may also result in false positives. Document these activities and schedule them during known maintenance windows to differentiate them from unauthorized changes. -- Automated scripts or tools used for policy management might generate alerts if they modify policies. Ensure these tools are properly documented and their actions are logged separately to distinguish them from potential threats. -- Changes made during the onboarding or offboarding of employees can appear as suspicious activity. Implement a process to log these events separately and cross-reference them with HR records to verify legitimacy. -- Integration with third-party security solutions that modify policies for compliance or optimization purposes can lead to false positives. 
Establish a clear change management process and whitelist these integrations to prevent unnecessary alerts. - -### Response and remediation - -- Immediately review the modified Conditional Access policy to understand the changes made and assess the potential impact on security controls. -- Revert any unauthorized or suspicious changes to the Conditional Access policy to restore the original security posture. -- Conduct a thorough investigation to identify the source of the modification, including reviewing audit logs for unusual activity or unauthorized access attempts. -- Temporarily increase monitoring and logging of Conditional Access policy changes to detect any further unauthorized modifications. -- Notify the security team and relevant stakeholders about the incident and the steps taken to mitigate the risk. -- If malicious activity is confirmed, initiate an incident response process, including isolating affected accounts and conducting a full security assessment. -- Implement additional security measures, such as stricter access controls or enhanced multi-factor authentication requirements, to prevent similar incidents in the future. 
- -## Setup - -The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" -references = ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"] -risk_score = 47 -rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20" -severity = "medium" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.dataset:(azure.activitylogs or azure.auditlogs) and -event.action:"Update conditional access policy" and event.outcome:(Success or success) -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml new file mode 100644 index 00000000000..42a77a91377 --- /dev/null +++ b/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml 
@@ -0,0 +1,117 @@ +[metadata] +creation_date = "2021/05/05" +integration = ["azure"] +maturity = "production" +updated_date = "2025/03/26" + +[rule] +author = ["Elastic", "Austin Songer"] +description = """ +Identifies when new Service Principal credentials have been added in Microsoft Entra ID. In most organizations, +credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or +certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA +requirements. +""" +false_positives = [ + """ + Service principal credential additions may be done by a system or network administrator. Verify whether the + username, hostname, and/or resource name should be making changes in your environment. Credential additions from + unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted + from the rule. + """, +] +from = "now-9m" +index = ["filebeat-*", "logs-azure*"] +language = "kuery" +license = "Elastic License v2" +name = "Microsoft Entra ID Service Principal Credentials Added by Rare User" +note = """## Triage and analysis + +### Investigating Microsoft Entra ID Service Principal Credentials Added by Rare User + +This rule identifies the addition of new credentials (client secrets or certificates) to a Microsoft Entra ID (formerly Azure AD) service principal by a user who has not previously performed this operation in the last 10 days. Adversaries who obtain temporary or persistent access to a user account may add rogue credentials to service principals in order to maintain unauthorized access to cloud resources. + +This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects rare users performing sensitive identity-related actions in Entra ID. 
+ +#### Possible Investigation Steps +- Identify the Actor: Review the `azure.auditlogs.properties.initiated_by.user.user_principal_name` and `azure.auditlogs.properties.initiated_by.user.id` fields to identify the user account performing the action. Determine if this user typically manages service principals. +- Check for Known Admin or Automation Context: Validate if the action was expected (e.g., part of a deployment pipeline or credential rotation process). Investigate whether this is a known administrative account or an automated service principal maintainer. +- Inspect Credential Type: Determine if a certificate or client secret was added, and assess its expiration time, usage scope, and whether it aligns with internal practices. +- Correlate with Other Events: Look for surrounding events such as creation of new service principals, assignment of roles or permissions, or suspicious application sign-ins that could indicate persistence or privilege escalation. +- Analyze Source of Activity: Review `source.ip` and `user_agent.original` fields to assess whether the request came from a trusted network or device. Unexpected geolocations, hosting providers, or Linux CLI-based user agents may indicate unauthorized activity. + +### False Positive Analysis +- Routine Administrative Tasks: This alert may trigger when legitimate administrators or DevOps engineers rotate credentials for service principals as part of normal operations. +- First-Time Actions by Known Accounts: If a new user joins the team or an existing user is performing this task for the first time in the observed period, it may be expected behavior. Verify with the relevant team. + +### Response and Remediation +- Revoke Unauthorized Credentials: If suspicious, disable or delete the newly added service principal credential immediately. +- Investigate User Account: Review the login history, IP address usage, and other activity from the initiating user to determine whether the account is compromised. 
+- Audit Affected Service Principal: Evaluate the permissions granted to the service principal to understand the potential impact of misuse. +- Review RBAC and Least Privilege: Ensure that only authorized identities have permission to add credentials to service principals. Tighten IAM role definitions if necessary. +- Enable Just-in-Time or Approval-Based Access: Consider implementing access control policies that require approvals for modifying service principals or adding credentials. + +### Additional Information + +For more information on securing Microsoft Entra ID applications and service principals, refer to: +- [Hardening Microsoft 365 and Azure AD – Google Threat Intelligence](https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452) +- [Azure AD Privilege Escalation – Dirkjan Mollema](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/) +- [Microsoft Entra Best Practices](https://learn.microsoft.com/en-us/entra/fundamentals/security-best-practices) +""" + +references = [ + "https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", + "https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/", +] +risk_score = 47 +rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +event.dataset: "azure.auditlogs" + and azure.auditlogs.operation_name:"Add service principal credentials" + and event.outcome: "success" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = 
"https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[rule.new_terms] +field = "new_terms_fields" +value = [ + "azure.auditlogs.properties.target_resources.0.display_name", + "azure.auditlogs.properties.initiated_by.user.id", +] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-10d" + + diff --git a/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml new file mode 100644 index 00000000000..674ba5a966b --- /dev/null +++ b/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml 
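Review bot: The note says the rule fires for "a user who has not previously performed this operation in the last 10 days", but `new_terms_fields` pairs `azure.auditlogs.properties.target_resources.0.display_name` with `azure.auditlogs.properties.initiated_by.user.id`, so a well-known administrator adding credentials to a service principal they have not touched in 10 days also alerts; the guide (and the "by Rare User" name) should say the rarity is per user-and-service-principal pair. The guide refers to `azure.auditlogs.properties.initiated_by.user.user_principal_name`, while the CAP rule added later in this diff queries `azure.auditlogs.properties.initiated_by.user.userPrincipalName`; only one spelling can exist in the integration mapping, so both should be checked against the azure integration field list. The query matches `event.outcome: "success"` only, whereas the CAP rule this commit deletes matched `event.outcome:(Success or success)`; if any ingest path still emits the capitalized value, those events are silently dropped by this rule and by the new CAP rule. Consider narrowing `index` to `logs-azure.auditlogs-*`, as the sign-in rule in this diff does with `logs-azure.signinlogs-*`.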
@@ -0,0 +1,116 @@ +[metadata] +creation_date = "2020/09/01" +integration = ["azure"] +maturity = "production" +updated_date = "2025/03/24" + +[rule] +author = ["Elastic"] +description = """ +Identifies a modification to a conditional access policy (CAP) in Microsoft Entra ID. Adversaries may modify existing CAPs to loosen access controls and maintain persistence in the environment with a compromised identity or entity. +""" +from = "now-9m" +index = ["filebeat-*", "logs-azure*"] +language = "kuery" +license = "Elastic License v2" +name = "Microsoft Entra ID Conditional Access Policy (CAP) Modified" +note = """## Triage and analysis + +## Investigation Guide: Microsoft Entra ID Conditional Access Policy (CAP) Modified + +Azure Conditional Access Policies (CAPs) are critical for enforcing secure access requirements such as multi-factor authentication (MFA), restricting specific users or groups, and managing sign-in conditions. Modifying these policies can be a technique for weakening an organization’s defenses and maintaining persistence after initial access. + +This rule detects a successful update to a Conditional Access Policy in Microsoft Entra ID (formerly Azure AD). + +### Possible Investigation Steps + +- **Identify the user who modified the policy:** + - Check the value of `azure.auditlogs.properties.initiated_by.user.userPrincipalName` to determine the identity that made the change. + - Investigate their recent activity to determine if this change was expected or authorized. + +- **Review the modified policy name:** + - Look at `azure.auditlogs.properties.target_resources.*.display_name` to find the name of the affected policy. + - Determine whether this policy is related to critical controls (e.g., requiring MFA for admins). + +- **Analyze the policy change:** + - Compare the `old_value` and `new_value` fields under `azure.auditlogs.properties.target_resources.*.modified_properties.*`. 
+ - Look for security-reducing changes, such as: + - Removing users/groups from enforcement. + - Disabling MFA or risk-based conditions. + - Introducing exclusions that reduce the policy’s coverage. + +- **Correlate with other activity:** + - Pivot on `azure.auditlogs.properties.activity_datetime` to identify if any suspicious sign-ins occurred after the policy was modified. + - Check for related authentication logs, particularly from the same IP address (`azure.auditlogs.properties.initiated_by.user.ipAddress`). + +- **Assess the user's legitimacy:** + - Review the initiator’s Azure role, group memberships, and whether their account was recently elevated or compromised. + - Investigate whether this user has a history of modifying policies or if this is anomalous. + +### Validation & False Positive Considerations + +- **Authorized administrative changes:** Some organizations routinely update CAPs as part of policy tuning or role-based access reviews. +- **Security reviews or automation:** Scripts, CI/CD processes, or third-party compliance tools may programmatically update CAPs. +- **Employee lifecycle events:** Policy changes during employee onboarding/offboarding may include updates to access policies. + +If any of these cases apply and align with the activity's context, consider tuning the rule or adding exceptions for expected patterns. + +### Response & Remediation + +- Revert unauthorized or insecure changes to the Conditional Access Policy immediately. +- Temporarily increase monitoring of CAP modifications and sign-in attempts. +- Lock or reset the credentials of the user account that made the change if compromise is suspected. +- Conduct a broader access review of conditional access policies and privileged user activity. +- Implement stricter change management and alerting around CAP changes. 
+""" +references = [ + "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview", + "https://www.rezonate.io/blog/microsoft-entra-id-the-complete-guide-to-conditional-access-policies/" +] +risk_score = 47 +rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +event.dataset: "azure.auditlogs" + and event.action:"Update conditional access policy" + and event.outcome: "success" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml b/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml index 5e8cc1b19c9..e470b7e5e87 100644 --- a/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml +++ b/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml 
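Review bot: `rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"` is carried over from the deleted `persistence_azure_conditional_access_policy_modified.toml` while `type` changes from `query` to `new_terms` and `creation_date` stays `2020/09/01`; confirm that the version lock and the stack versions this repo targets accept a rule-type change under an existing id, otherwise this needs a fresh id with the old one retired. The note opens with two H2 headings (`## Triage and analysis` followed by `## Investigation Guide: ...`), whereas every other guide in this diff uses `### Investigating <rule name>` as the first subheading; suggest `### Investigating Microsoft Entra ID Conditional Access Policy (CAP) Modified`. The `event.outcome` case-handling point raised on the service-principal rule applies to this query as well.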
@@ -1,16 +1,14 @@ [metadata] creation_date = "2025/02/25" maturity = "production" -updated_date = "2025/02/25" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/04/07" [rule] author = ["Elastic"] description = """ -Detects patterns indicative of Denial-of-Service (DoS) attacks on machine learning (ML) models, focusing on unusually high volume and frequency -of requests or patterns of requests that are known to cause performance degradation or service disruption, such as -large input sizes or rapid API calls. +Detects patterns indicative of Denial-of-Service (DoS) attacks on machine learning (ML) models, focusing on unusually +high volume and frequency of requests or patterns of requests that are known to cause performance degradation or service +disruption, such as large input sizes or rapid API calls. """ false_positives = ["Unexpected system errors", "Legitimate spikes in usage due to business processes"] from = "now-60m" 
@@ -18,9 +16,44 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "Potential Denial of Azure OpenAI ML Service" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Denial of Azure OpenAI ML Service + +Azure OpenAI ML services enable scalable deployment of machine learning models, crucial for AI-driven applications. Adversaries may exploit these services by overwhelming them with excessive or malformed requests, leading to service degradation or outages. The detection rule identifies such threats by monitoring for high-frequency, large-size requests, which are indicative of potential denial-of-service attacks. + +### Possible investigation steps + +- Review the logs for the specific time window identified by the target_time_window field to understand the context and volume of requests. +- Identify the specific Azure resource involved using the azure.resource.name field to determine if the service is critical or sensitive. +- Examine the cloud.account.id field to ascertain if the requests are originating from a known or trusted account, or if they are potentially malicious. +- Analyze the request patterns, focusing on the avg_request_size and count fields, to determine if the requests are consistent with normal usage or indicative of a potential attack. +- Check for any recent changes or updates to the Azure OpenAI ML service configuration or deployment that might have affected its performance or security posture. +- Correlate the findings with other security logs or alerts to identify any related suspicious activities or broader attack patterns. 
+ +### False positive analysis + +- High-volume legitimate usage patterns can trigger false positives, such as during scheduled batch processing or data analysis tasks. Users can mitigate this by setting exceptions for known time windows or specific resource names associated with these activities. +- Large input sizes from legitimate applications, like those processing extensive datasets or complex queries, may be misidentified as threats. Users should identify and whitelist these applications by their resource names or account IDs. +- Testing and development environments often generate high-frequency requests as part of load testing or performance tuning. Users can exclude these environments by filtering out specific resource names or account IDs associated with non-production activities. +- Automated scripts or integrations that interact with the Azure OpenAI ML service at high frequencies for valid business processes might be flagged. Users should document and exclude these scripts by identifying their unique request patterns or resource identifiers. + +### Response and remediation + +- Immediately throttle or block the IP addresses or accounts responsible for the high-frequency, large-size requests to prevent further service degradation. +- Notify the Azure OpenAI service administrators and relevant stakeholders about the detected potential denial-of-service attack for awareness and further action. +- Review and adjust rate limiting and request size policies on the Azure OpenAI ML service to mitigate the impact of similar attacks in the future. +- Conduct a post-incident analysis to identify any vulnerabilities or misconfigurations that allowed the attack to occur and address them promptly. +- Escalate the incident to the security operations team for further investigation and to determine if the attack is part of a larger threat campaign. 
+- Implement additional monitoring and alerting for unusual patterns of requests, focusing on high volume and frequency, to enhance early detection of similar threats. +- Coordinate with the cloud provider's support team to ensure any necessary infrastructure adjustments or protections are in place to prevent recurrence. +""" references = [ "https://genai.owasp.org/llmrisk/llm04-model-denial-of-service", - "https://atlas.mitre.org/techniques/AML.T0029" + "https://atlas.mitre.org/techniques/AML.T0029", ] risk_score = 47 rule_id = "b0450411-46e5-46d2-9b35-8b5dd9ba763e" @@ -36,7 +69,8 @@ tags = [ "Data Source: Azure OpenAI", "Data Source: Azure Event Hubs", "Use Case: Denial of Service", - "Mitre Atlas: T0029" + "Mitre Atlas: T0029", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "esql" @@ -51,3 +85,4 @@ from logs-azure_openai.logs-* | where count >= 10 and avg_request_size >= 5000 | sort count desc ''' + diff --git a/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml b/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml index 85972ad63f7..9a77b283ba6 100644 --- a/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml +++ b/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml 
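Review bot: The first response step tells responders to "throttle or block the IP addresses or accounts responsible", but the investigation steps and the visible tail of the query aggregate by `azure.resource.name` and `cloud.account.id` with `count` and `avg_request_size`, so no client address is present in the alert; unless the ES|QL query outside this hunk retains a source address field, this step cannot be carried out from the alert alone. Suggest `Pivot from the flagged resource and account to the underlying request logs to identify the calling principal or client address, then apply throttling or blocking there.` so the guide matches what the alert actually carries.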
@@ -1,16 +1,14 @@ [metadata] creation_date = "2025/02/25" maturity = "production" -updated_date = "2025/02/25" -min_stack_comments = "ES|QL rule type is still in experimental as of 8.13, however this rule was tested successfully; integration in experimental" -min_stack_version = "8.13.0" +updated_date = "2025/04/07" [rule] author = ["Elastic"] description = """ -Detects when Azure OpenAI requests result in zero response length, potentially indicating issues in output handling -that might lead to security exploits such as data leaks or code execution. This can occur in cases where the API fails -to handle outputs correctly under certain input conditions. +Detects when Azure OpenAI requests result in zero response length, potentially indicating issues in output handling that +might lead to security exploits such as data leaks or code execution. This can occur in cases where the API fails to +handle outputs correctly under certain input conditions. """ false_positives = ["Queries that are designed to expect empty responses or benign system errors"] from = "now-60m" 
@@ -18,9 +16,41 @@ interval = "10m" language = "esql" license = "Elastic License v2" name = "Azure OpenAI Insecure Output Handling" -references = [ - "https://genai.owasp.org/llmrisk/llm02-insecure-output-handling" -] +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Azure OpenAI Insecure Output Handling + +Azure OpenAI integrates AI capabilities into applications, enabling natural language processing tasks. However, improper output handling can lead to vulnerabilities, such as data leaks or unauthorized code execution. Adversaries might exploit these by crafting inputs that cause the API to mishandle responses. The detection rule identifies anomalies by flagging instances where API responses are unexpectedly empty, suggesting potential misuse or misconfiguration, especially when such events occur frequently. + +### Possible investigation steps + +- Review the logs for the specific Azure resource name flagged in the alert to understand the context and frequency of zero-length responses. +- Examine the request lengths associated with the zero-length responses to identify any patterns or anomalies in the input data that might be causing the issue. +- Check the cloud account ID associated with the alert to determine if there are any known issues or recent changes in configuration that could affect output handling. +- Investigate the operation name "ChatCompletions_Create" to ensure that the API is being used as intended and that there are no unauthorized or unexpected uses. +- Assess the overall environment for any recent updates or changes in the Azure OpenAI configuration that might have impacted output handling. 
+ +### False positive analysis + +- Frequent legitimate requests with zero response length can occur during testing or development phases. To manage this, exclude known test environments or accounts from the detection rule by adding exceptions for specific cloud.account.id or azure.resource.name values. +- Some applications may intentionally send requests that do not require a response, resulting in zero response length. Identify these applications and adjust the rule to exclude their specific azure.resource.name. +- Network issues or temporary service disruptions can lead to zero-length responses. Monitor for patterns of such occurrences and consider excluding specific time frames or network segments if they are known to cause false positives. +- Automated scripts or bots that interact with the API might generate zero-length responses as part of their normal operation. Identify these scripts and exclude their associated identifiers from the rule to prevent false alerts. + +### Response and remediation + +- Immediately isolate the affected Azure OpenAI resource to prevent further exploitation. This can be done by temporarily disabling the API or restricting access to it. +- Review and validate the input handling mechanisms of the affected API to ensure they are robust against malformed or malicious inputs that could lead to insecure output handling. +- Conduct a thorough audit of recent API requests and responses to identify any unauthorized access or data leaks. Pay special attention to requests with zero response length. +- Implement additional logging and monitoring for the affected API to capture detailed information about requests and responses, which can help in identifying patterns or repeated attempts of exploitation. +- Notify the security team and relevant stakeholders about the incident, providing them with detailed findings and any potential impact on data security. 
+- If unauthorized access or data leakage is confirmed, follow the organization's incident response plan to notify affected parties and comply with any regulatory requirements. +- Enhance detection capabilities by integrating anomaly detection tools that can identify unusual patterns in API usage, such as frequent zero-length responses, to prevent similar threats in the future. +""" +references = ["https://genai.owasp.org/llmrisk/llm02-insecure-output-handling"] risk_score = 21 rule_id = "fb16f9ef-cb03-4234-adc2-44641f3b71ee" setup = """## Setup @@ -34,7 +64,8 @@ tags = [ "Domain: LLM", "Data Source: Azure OpenAI", "Data Source: Azure Event Hubs", - "Use Case: Insecure Output Handling" + "Use Case: Insecure Output Handling", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "esql" @@ -47,3 +78,4 @@ from logs-azure_openai.logs-* | where count >= 10 | sort count desc ''' + diff --git a/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml b/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml index c32f409c601..b1bb72f1ec6 100644 --- a/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml +++ b/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml 
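Review bot: The response section opens with "Immediately isolate the affected Azure OpenAI resource ... temporarily disabling the API", a service-impacting action for a rule whose `risk_score` is 21 and whose own false-positive section lists test traffic, intentionally empty responses and transient network issues as ordinary causes of zero-length responses. Suggest scoping it: `If investigation confirms malicious input or data leakage, restrict access to the affected Azure OpenAI resource (for example by rotating keys or tightening network rules) before considering a temporary disablement.`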
@@ -1,15 +1,14 @@ [metadata] creation_date = "2025/02/25" maturity = "production" -updated_date = "2025/02/25" -min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" -min_stack_version = "8.13.0" +updated_date = "2025/04/07" [rule] author = ["Elastic"] description = """ -Monitors for suspicious activities that may indicate theft or unauthorized duplication of machine learning (ML) models, such as -unauthorized API calls, atypical access patterns, or large data transfers that are unusual during model interactions. +Monitors for suspicious activities that may indicate theft or unauthorized duplication of machine learning (ML) models, +such as unauthorized API calls, atypical access patterns, or large data transfers that are unusual during model +interactions. """ false_positives = ["Authorized model training", "Legitimate high volume data exchanges during scheduled updates"] from = "now-60m" 
@@ -17,10 +16,41 @@ interval = "10m"
 language = "esql"
 license = "Elastic License v2"
 name = "Potential Azure OpenAI Model Theft"
-references = [
- "https://genai.owasp.org/llmrisk/llm10-model-theft",
- "https://atlas.mitre.org/techniques/AML.T0044"
-]
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Azure OpenAI Model Theft
+
+Azure OpenAI models are integral to many applications, providing advanced machine learning capabilities. Adversaries may exploit these models by making unauthorized API calls or transferring large volumes of data, potentially indicating model theft. The detection rule identifies such threats by monitoring audit logs for unusual access patterns or excessive data transfers, flagging activities that deviate from normal usage.
+
+### Possible investigation steps
+
+- Review the audit logs for the specific resource group and resource name flagged in the alert to understand the context of the access patterns.
+- Analyze the timestamps associated with the suspicious activities to determine if they align with known operational periods or if they occur during unusual times.
+- Investigate the source of the API calls by identifying the IP addresses or user accounts involved in the "ListKey" operations to determine if they are authorized or known entities.
+- Examine the response length data to assess whether the volume of data transferred is consistent with legitimate use cases or if it suggests potential data exfiltration.
+- Cross-reference the flagged activities with other security logs or alerts to identify any correlated suspicious behavior or potential indicators of compromise.
+
+### False positive analysis
+
+- High-frequency legitimate API calls from automated scripts or applications may trigger the rule. Users can create exceptions for known scripts by identifying their specific access patterns and excluding them from the rule.
+- Large data transfers during scheduled model updates or backups can be mistaken for suspicious activity. Users should whitelist these operations by correlating them with scheduled maintenance windows or known update events.
+- Regular access by trusted internal teams for model evaluation or testing might appear as atypical patterns. Users can mitigate this by maintaining a list of authorized personnel and their expected access behaviors, then excluding these from the alert criteria.
+- Integration with other Azure services that require frequent access to OpenAI models could generate false positives. Users should document these integrations and adjust the rule to recognize and exclude these legitimate interactions.
+
+### Response and remediation
+
+- Immediately isolate the affected Azure resources by restricting network access to prevent further unauthorized API calls or data transfers.
+- Revoke and regenerate API keys associated with the compromised Azure OpenAI resources to prevent further unauthorized access.
+- Conduct a thorough review of audit logs to identify any additional unauthorized access attempts or data transfers, and document all findings for further analysis.
+- Notify the security operations team and relevant stakeholders about the potential model theft incident to ensure coordinated response efforts.
+- Implement additional monitoring on the affected resources to detect any further suspicious activities, focusing on access patterns and data transfer volumes.
+- Escalate the incident to the organization's incident response team for a comprehensive investigation and to determine if any data exfiltration occurred.
+- Review and update access controls and permissions for Azure OpenAI resources to ensure they adhere to the principle of least privilege, reducing the risk of future unauthorized access.
+"""
+references = ["https://genai.owasp.org/llmrisk/llm10-model-theft", "https://atlas.mitre.org/techniques/AML.T0044"]
 risk_score = 47
 rule_id = "4021e78d-5293-48d3-adee-a70fa4c18fab"
 setup = """## Setup
@@ -36,7 +66,8 @@ tags = [
 "Data Source: Azure OpenAI",
 "Data Source: Azure Event Hubs",
 "Use Case: Model Theft",
- "Mitre Atlas: T0044"
+ "Mitre Atlas: T0044",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -49,3 +80,4 @@ from logs-azure_openai.logs-*
 | where count >= 100 or max_data_transferred >= 1000000
 | sort count desc
 '''
+
diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
index 8bb3d7440cf..6efe866ae2d 100644
--- a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
+++ b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/02/06"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
 interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10000
+max_signals = 1000
 name = "Memory Threat - Detected - Elastic Defend"
 note = """## Triage and analysis
 
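Review bot: The `### Possible investigation steps` entry that pivots on "ListKey" operations is not traceable to anything the query shows in this diff — the visible tail of the ES|QL query only thresholds `count` and `max_data_transferred` — so an analyst may be sent to filter on an operation name the alert does not carry; if the part of the query above this hunk does not select `ListKey` events, reword the step to `- Identify the caller (source IP and identity) behind the API calls on the flagged resource group and resource name to determine whether they are authorized.` The `### Response and remediation` section also opens with immediately isolating the resource, while `false_positives` in this same file lists authorized model training and scheduled high-volume exchanges; gating that step on the false-positive analysis, e.g. `- Once the activity cannot be attributed to a documented job or scheduled update, restrict network access to the affected Azure resources to stop further API calls or data transfers.`, keeps the guide consistent with the rule's own triage order. Replacing "whitelist" with "allowlist" in the false-positive section would match the wording used elsewhere in these guides.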
@@ -102,13 +102,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml index 89703207083..30c8f39a92d 100644 --- a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml +++ b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml 
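Review bot: The replacement `### Additional notes` text drops every statement of the actual cap, while the `@@ -20,7 +20,7 @@` hunk just above lowers `max_signals` from 10000 to 1000 for this promotion rule; an analyst reading the note no longer learns that a single run stops after 1000 alerts and that the "maximum alerts" warning means some Elastic Defend alerts from that run were not promoted. Keep the link but restore one sentence before it, e.g. `This rule is capped at 1000 alerts per run (the Kibana default, with interval = "1m"); when the maximum alerts warning appears, Elastic Defend alerts beyond that count were not promoted in that run and should be reviewed directly in logs-endpoint.alerts-*.` The same replacement is made in the Prevented, Endpoint Security, Behavior, Malicious File and Ransomware rule files further down this diff, so the sentence should be added to each of them as well.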
@@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Memory Threat - Prevented- Elastic Defend" note = """## Triage and analysis 
@@ -101,13 +101,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml index e0fe44c9c19..92653c37c11 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security.toml 
@@ -2,16 +2,14 @@ creation_date = "2020/07/08" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] description = """ -Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to -immediately begin investigating your Endpoint alerts. +Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately +begin investigating your Endpoint alerts. """ enabled = true from = "now-2m" 
@@ -19,47 +17,8 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Endpoint Security (Elastic Defend)" - -risk_score = 47 -rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306" -rule_name_override = "message" -setup = """ -## Setup - -### Elastic Defend Alerts -If this rule is disabled, you will not receive alerts for Elastic Defend alerts. This rule is designed to capture all alerts generated by Elastic Defend. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Defend alerts. - -If this rule is enabled, along with the related rules listed below, you will receive duplicate alerts for the same events. To avoid this, it is recommended to disable this generic rule and enable the more specific rules that capture these alerts separately. - -Related rules: -- Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) -- Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) -- Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) -- Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) -- Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) -- Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) -- Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) -- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) - -### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. 
- -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. -""" -severity = "medium" -tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.kind:alert and event.module:(endpoint and not endgame) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -95,6 +54,38 @@ Elastic Defend is a robust endpoint security solution that monitors and protects - Update endpoint security configurations and signatures to prevent similar threats from exploiting the same vulnerabilities in the future. - Restore the affected endpoint from a known good backup if necessary, ensuring that the system is free from any residual threats. - Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional systems may be affected.""" +risk_score = 47 +rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306" +rule_name_override = "message" +setup = """## Setup + +### Elastic Defend Alerts +If this rule is disabled, you will not receive alerts for Elastic Defend alerts. This rule is designed to capture all alerts generated by Elastic Defend. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Defend alerts. + +If this rule is enabled, along with the related rules listed below, you will receive duplicate alerts for the same events. To avoid this, it is recommended to disable this generic rule and enable the more specific rules that capture these alerts separately. 
+ +Related rules: +- Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce) +- Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce) +- Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce) +- Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce) +- Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce) +- Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce) +- Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce) +- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce) + +### Additional notes + +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" +severity = "medium" +tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.kind:alert and event.module:(endpoint and not endgame) +''' [[rule.exceptions_list]] diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml index 2e974c5e182..545b32f35d9 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml @@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] 
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Behavior - Detected - Elastic Defend" note = """## Triage and analysis @@ -85,13 +85,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml index e7cfc0d2077..bb24e18e9c4 100644 
--- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml @@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Behavior - Prevented - Elastic Defend" note = """## Triage and analysis 
@@ -86,13 +86,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml index 3db40040cfd..27540bdadbf 100644 --- a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml +++ b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml 
@@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Malicious File - Detected - Elastic Defend" note = """## Triage and analysis 
@@ -93,13 +93,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" tags = ["Data Source: Elastic Defend", "Tactic: Execution", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml index 39d13c7be2f..f456b755cd1 100644 --- a/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml +++ b/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml 
@@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Malicious File - Prevented - Elastic Defend" note = """## Triage and analysis 
@@ -93,13 +93,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" tags = ["Data Source: Elastic Defend", "Tactic: Execution", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml b/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml index 60feb66107a..0690b835f0d 100644 --- a/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml +++ b/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml 
@@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Ransomware - Detected - Elastic Defend" note = """## Triage and analysis 
@@ -84,13 +84,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Impact", "Resources: Investigation Guide"] diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml b/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml index 2247a29ec10..bb35e257d25 100644 --- a/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml +++ b/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml 
@@ -5,7 +5,7 @@ maturity = "production" min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." min_stack_version = "8.16.0" promotion = true -updated_date = "2025/02/06" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Ransomware - Prevented - Elastic Defend" note = """## Triage and analysis 
@@ -85,13 +85,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). ### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" tags = ["Data Source: Elastic Defend", "Tactic: Impact", "Resources: Investigation Guide"] diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml index f2b2ded39ab..505b0df6390 100644 --- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml +++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -19,17 +17,6 @@ index = ["logs-github.audit-*"] language = "eql" license = "Elastic License v2" name = "GitHub Protected Branch Settings Changed" -risk_score = 47 -rule_id = "07639887-da3a-4fbf-9532-8ce748ff8c50" -severity = "medium" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -configuration where event.dataset == "github.audit" - and github.category == "protected_branch" and event.type == "change" -''' note = """## Triage and analysis > **Disclaimer**: @@ -64,6 +51,23 @@ GitHub's protected branch settings are crucial for maintaining code integrity by - Implement additional monitoring on the affected repository to detect any further unauthorized changes or suspicious activities. - Review and update access controls and permissions for the repository to ensure that only authorized personnel can modify branch protection settings. - Document the incident, including the timeline of events and actions taken, to improve future response efforts and update incident response plans.""" +risk_score = 47 +rule_id = "07639887-da3a-4fbf-9532-8ce748ff8c50" +severity = "medium" +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Github", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +configuration where event.dataset == "github.audit" + and github.category == "protected_branch" and event.type == "change" +''' [[rule.threat]] 
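Review bot: Removing `min_stack_version = "8.13.0"` together with the `min_stack_comments` line about the 8.13.0 breaking change in the GitHub integration drops the only guard that kept this rule out of packages built for stacks where the integration's field mapping differed; the same removal is applied to every github rule in this diff. That is safe only while no branch older than 8.13 is still built, which is presumably the rationale, but the rule file no longer carries it, so a later backport could silently reintroduce the mismatch. If the floor is intentional, state it in the PR description; otherwise keep `min_stack_version = "8.13.0"` until 8.13 is out of the locked branch list.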
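Review bot: The query relocated in the third hunk matches only `event.type == "change"`, so if the integration maps `protected_branch.destroy` to `event.type: deletion` (the sibling app-deleted rule in this diff relies on `deletion` for its analogous audit event), removing branch protection outright, the most direct form of this evasion, would not fire while edits to individual settings do. Worth checking against the integration's mapping; if that is the case, `and github.category == "protected_branch" and event.type in ("change", "deletion")` covers both. The commit only moves the query, so the gap predates it.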
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml index 7df27b1522f..5bf9ba190ef 100644 --- a/rules/integrations/github/execution_github_app_deleted.toml +++ b/rules/integrations/github/execution_github_app_deleted.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -14,16 +12,6 @@ index = ["logs-github.audit-*"] language = "eql" license = "Elastic License v2" name = "GitHub App Deleted" -risk_score = 21 -rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d" -severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -59,6 +47,22 @@ GitHub Apps are integrations that extend GitHub's functionality, often used to a - Implement additional monitoring on the affected repositories or organization to detect any further suspicious activities or attempts to delete apps. - Review and tighten permissions for GitHub apps to ensure only authorized personnel have the ability to delete or modify app installations. - Escalate the incident to higher-level security management if there is evidence of a broader compromise or if the deletion is part of a larger attack campaign.""" +risk_score = 21 +rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d" +severity = "low" +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Github", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" +''' [[rule.threat]] diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml index e2a6531a045..723fabe54ae 100644 --- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml +++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,25 +15,6 @@ index = ["logs-github.audit-*"] language = "kuery" license = "Elastic License v2" name = "High Number of Cloned GitHub Repos From PAT" -risk_score = 21 -rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587" -severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Data Source: Github", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "threshold" - -query = ''' -event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and -github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and -github.repository_public:false -''' note = """## Triage and analysis > **Disclaimer**: @@ -70,6 +49,25 @@ Personal Access Tokens (PATs) facilitate automated access to GitHub repositories - Monitor for any unusual activity or further unauthorized access attempts using other PATs or credentials. - Escalate the incident to the security team for a comprehensive investigation and to determine if any other systems or data have been compromised. - Update and enforce policies regarding the creation, usage, and management of PATs to prevent similar incidents in the future.""" +risk_score = 21 +rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587" +severity = "low" +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Data Source: Github", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "threshold" + +query = ''' +event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and +github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and +github.repository_public:false +''' [[rule.threat]] 
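Review bot: The query moved in the second hunk filters `github.programmatic_access_type` to `"OAuth access token"` or `"Fine-grained personal access token"`, which does not line up with the rule name "From PAT" without an explanation: GitHub's audit log appears to report classic PATs under `OAuth access token` (worth confirming against the integration's sample events), so classic PATs are covered but genuine OAuth apps are matched as well. A sentence in the note such as `Classic personal access tokens are recorded as "OAuth access token" in the audit log, so this rule also matches clones by OAuth apps; check the actor and token type before escalating.` would keep an analyst from concluding the rule misses classic PATs. The commit only relocates the query; the wording question predates it.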
diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml index f6a63c75a1b..1bd5931c41a 100644 --- a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml +++ b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2023/12/14" maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -17,24 +15,6 @@ index = [".alerts-security.*"] language = "kuery" license = "Elastic License v2" name = "GitHub UEBA - Multiple Alerts from a GitHub Account" -risk_score = 47 -rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec" -severity = "medium" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: Higher-Order Rule", - "Data Source: Github", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "threshold" - -query = ''' -signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -70,6 +50,24 @@ User and Entity Behavior Analytics (UEBA) in GitHub environments helps identify - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional accounts or systems are affected. - Implement additional monitoring on the affected account and related systems to detect any further suspicious activity. - Update and refine access controls and permissions for the affected account to minimize the risk of future unauthorized actions.""" +risk_score = 47 +rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec" +severity = "medium" +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: Higher-Order Rule", + "Data Source: Github", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "threshold" + +query = ''' +signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open" +''' [[rule.threat]] diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml index 3fae7bd4642..d7a9a7fb68d 100644 --- a/rules/integrations/github/execution_new_github_app_installed.toml +++ b/rules/integrations/github/execution_new_github_app_installed.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -20,16 +18,6 @@ index = ["logs-github.audit-*"] language = "eql" license = "Elastic License v2" name = "New GitHub App Installed" -risk_score = 47 -rule_id = "1ca62f14-4787-4913-b7af-df11745a49da" -severity = "medium" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" -''' note = """## Triage and analysis > **Disclaimer**: @@ -64,6 +52,22 @@ GitHub Apps enhance functionality by integrating with repositories and organizat - Escalate the incident to higher-level security management if the app installation is linked to a broader security breach or if sensitive data has been compromised. - Implement stricter access controls and approval processes for future GitHub App installations to prevent unauthorized installations. - Update detection mechanisms to include additional indicators of compromise related to GitHub App installations, enhancing future threat detection capabilities.""" +risk_score = 47 +rule_id = "1ca62f14-4787-4913-b7af-df11745a49da" +severity = "medium" +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Github", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" +''' [[rule.threat]] diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml index 663e5d4326e..19dff9fd749 100644 --- a/rules/integrations/github/impact_github_repository_deleted.toml +++ b/rules/integrations/github/impact_github_repository_deleted.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -19,23 +17,6 @@ index = ["logs-github.audit-*"] language = "eql" license = "Elastic License v2" name = "GitHub Repository Deleted" -risk_score = 47 -rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b" -severity = "medium" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Data Source: Github", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -configuration where event.module == "github" and event.dataset == "github.audit" and event.action == "repo.destroy" -''' note = """## Triage and analysis > **Disclaimer**: @@ -69,6 +50,23 @@ GitHub repositories are essential for managing code and collaboration within org - Implement additional access controls, such as multi-factor authentication and role-based access, to prevent unauthorized deletions in the future. - Escalate the incident to higher management and legal teams if intellectual property theft or significant data loss is suspected. - Enhance monitoring and alerting mechanisms to detect similar unauthorized actions promptly, leveraging the MITRE ATT&CK framework for guidance on potential threat vectors.""" +risk_score = 47 +rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b" +severity = "medium" +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Data Source: Github", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +configuration where event.module == "github" and event.dataset == "github.audit" and event.action == "repo.destroy" +''' [[rule.threat]] 
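Review bot: The query in the third hunk carries `event.module == "github" and event.dataset == "github.audit"`, whereas every other github rule in this diff keys on `event.dataset == "github.audit"` alone; a dataset match should already imply the module, and the extra clause makes this rule the odd one out. Since the commit is already reformatting these files for consistency, `configuration where event.dataset == "github.audit" and event.action == "repo.destroy"` would align it with its siblings. This is style only; the match set should be the same either way.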
diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml index 6caa8361a05..6ebccba2979 100644 --- a/rules/integrations/github/persistence_github_org_owner_added.toml +++ b/rules/integrations/github/persistence_github_org_owner_added.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -18,23 +16,6 @@ index = ["logs-github.audit-*"] language = "eql" license = "Elastic License v2" name = "New GitHub Owner Added" -risk_score = 47 -rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9" -severity = "medium" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Data Source: Github", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -70,6 +51,23 @@ GitHub organizations allow collaborative management of repositories, where the ' - Review and update access control policies to ensure that owner roles are granted only to verified and necessary personnel. - Implement additional monitoring and alerting for any future changes to GitHub organization roles to detect similar threats promptly. - If evidence of compromise is found, consider engaging with a digital forensics team to assess the full impact and scope of the breach.""" +risk_score = 47 +rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9" +severity = "medium" +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Data Source: Github", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" +''' [[rule.threat]] diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml index dec4ab5c005..c8b2b1f0fc5 100644 --- a/rules/integrations/github/persistence_organization_owner_role_granted.toml +++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,23 +16,6 @@ index = ["logs-github.audit-*"] language = "eql" license = "Elastic License v2" name = "GitHub Owner Role Granted To User" -risk_score = 47 -rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4" -severity = "medium" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Data Source: Github", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" -''' note = """## Triage and analysis > **Disclaimer**: @@ -68,6 +49,23 @@ In GitHub organizations, the owner role grants comprehensive administrative priv - Notify the security team and relevant stakeholders about the potential breach and involve them in the investigation and remediation process. - Review and update access control policies to ensure that owner roles are granted only through a formal approval process and are regularly audited. - Implement additional monitoring and alerting for changes to high-privilege roles within the organization to detect similar threats in the future.""" +risk_score = 47 +rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4" +severity = "medium" +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Data Source: Github", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" +''' [[rule.threat]] diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml index b4a44b5ae46..1703382559e 100644 --- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml 
+++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml @@ -2,9 +2,7 @@ creation_date = "2025/02/19" integration = ["o365"] maturity = "production" -min_stack_comments = "ES|QL in technical preview" -min_stack_version = "8.13.0" -updated_date = "2025/02/19" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -118,7 +116,6 @@ reference = "https://attack.mitre.org/techniques/T1530/" id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml index af9ae71f8f1..51ed12cd1af 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml +++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml @@ -2,14 +2,14 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -min_stack_comments = "ES|QL not available until 8.13.0 in technical preview." -min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic", "Willem D'Haese", "Austin Songer"] description = """ -Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services. +Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login +attempts or login sources within a 30-minute window. Attackers may attempt to brute force user accounts to gain +unauthorized access to Microsoft 365 services. """ false_positives = [ """ 
@@ -21,6 +21,41 @@ from = "now-9m" language = "esql" license = "Elastic License v2" name = "Attempts to Brute Force a Microsoft 365 User Account" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Attempts to Brute Force a Microsoft 365 User Account + +Microsoft 365 is a cloud-based service that provides productivity tools and services. Adversaries may attempt to gain unauthorized access by brute-forcing user accounts, exploiting weak passwords. The detection rule identifies such attempts by analyzing audit logs for numerous failed logins or diverse login sources within a short timeframe, indicating potential brute-force activity. + +### Possible investigation steps + +- Review the audit logs for the specific user identified by o365.audit.UserId to gather additional context on the failed login attempts, including timestamps and source IP addresses. +- Analyze the source.ip field to identify any unusual or suspicious IP addresses, such as those originating from unexpected geographic locations or known malicious sources. +- Check the o365.audit.LogonError field for any patterns or specific errors that might provide insight into the nature of the failed login attempts. +- Investigate the o365.audit.ExtendedProperties.RequestType to determine if the login attempts were consistent with typical user behavior or if they suggest automated or scripted activity. +- Correlate the findings with other security events or alerts in the environment to assess if the brute-force attempts are part of a larger attack campaign or isolated incidents. 
+- Contact the affected user to verify if they experienced any issues accessing their account and to ensure they are aware of the potential security threat. + +### False positive analysis + +- High volume of legitimate login attempts from a single user can trigger false positives, especially during password resets or account recovery. To mitigate, consider excluding specific users or IP ranges known for such activities. +- Automated scripts or applications performing frequent logins for legitimate purposes may be misidentified as brute-force attempts. Identify and whitelist these scripts or applications by their user IDs or IP addresses. +- Users traveling or using VPNs may log in from multiple locations in a short period, leading to false positives. Implement geolocation-based exceptions for known travel patterns or VPN IP addresses. +- Shared accounts accessed by multiple users from different locations can appear as multiple login sources. Limit monitoring on shared accounts or establish a baseline of expected behavior to differentiate between normal and suspicious activity. +- Temporary spikes in login attempts due to system maintenance or updates can be mistaken for brute-force attacks. Schedule monitoring exclusions during planned maintenance windows to avoid false alerts. + +### Response and remediation + +- Immediately isolate the affected user account by disabling it to prevent further unauthorized access attempts. +- Notify the user and relevant IT security personnel about the potential compromise and provide guidance on secure password creation. +- Conduct a password reset for the affected user account, ensuring the new password adheres to strong password policies. +- Review and analyze the source IP addresses involved in the failed login attempts to identify any patterns or known malicious sources. +- Implement conditional access policies to restrict login attempts from suspicious or untrusted locations and devices. 
+- Monitor the affected account and related accounts for any unusual activity or further unauthorized access attempts. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional accounts or systems are affected.""" references = [ "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem", "https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties", 
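Review bot: The response guidance added in this hunk opens with `Immediately isolate the affected user account by disabling it`, but the rule fires on a threshold of failed logins or distinct login sources (the `>= 20` conditions visible further down in the query), i.e. on attempts rather than on evidence of compromise; acting on that lets anyone who can generate 20 failures lock an arbitrary user out. The first step should establish whether any attempt succeeded before taking the account down, e.g. `- Check whether any sign-in for the user succeeded from the same source IPs or within the same window; if so, treat the account as compromised and disable it, otherwise prioritise blocking the sources and enforcing MFA over disabling the target.` The note is moved from lower in the file rather than new, so the wording predates this commit.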
@@ -87,41 +122,6 @@ from logs-o365.audit-* // filter for users with more than 20 login sources or failed login attempts | where (login_source_count >= 20 or failed_login_count >= 20) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Attempts to Brute Force a Microsoft 365 User Account - -Microsoft 365 is a cloud-based service that provides productivity tools and services. Adversaries may attempt to gain unauthorized access by brute-forcing user accounts, exploiting weak passwords. The detection rule identifies such attempts by analyzing audit logs for numerous failed logins or diverse login sources within a short timeframe, indicating potential brute-force activity. - -### Possible investigation steps - -- Review the audit logs for the specific user identified by o365.audit.UserId to gather additional context on the failed login attempts, including timestamps and source IP addresses. -- Analyze the source.ip field to identify any unusual or suspicious IP addresses, such as those originating from unexpected geographic locations or known malicious sources. -- Check the o365.audit.LogonError field for any patterns or specific errors that might provide insight into the nature of the failed login attempts. -- Investigate the o365.audit.ExtendedProperties.RequestType to determine if the login attempts were consistent with typical user behavior or if they suggest automated or scripted activity. -- Correlate the findings with other security events or alerts in the environment to assess if the brute-force attempts are part of a larger attack campaign or isolated incidents. 
-- Contact the affected user to verify if they experienced any issues accessing their account and to ensure they are aware of the potential security threat. - -### False positive analysis - -- High volume of legitimate login attempts from a single user can trigger false positives, especially during password resets or account recovery. To mitigate, consider excluding specific users or IP ranges known for such activities. -- Automated scripts or applications performing frequent logins for legitimate purposes may be misidentified as brute-force attempts. Identify and whitelist these scripts or applications by their user IDs or IP addresses. -- Users traveling or using VPNs may log in from multiple locations in a short period, leading to false positives. Implement geolocation-based exceptions for known travel patterns or VPN IP addresses. -- Shared accounts accessed by multiple users from different locations can appear as multiple login sources. Limit monitoring on shared accounts or establish a baseline of expected behavior to differentiate between normal and suspicious activity. -- Temporary spikes in login attempts due to system maintenance or updates can be mistaken for brute-force attacks. Schedule monitoring exclusions during planned maintenance windows to avoid false alerts. - -### Response and remediation - -- Immediately isolate the affected user account by disabling it to prevent further unauthorized access attempts. -- Notify the user and relevant IT security personnel about the potential compromise and provide guidance on secure password creation. -- Conduct a password reset for the affected user account, ensuring the new password adheres to strong password policies. -- Review and analyze the source IP addresses involved in the failed login attempts to identify any patterns or known malicious sources. -- Implement conditional access policies to restrict login attempts from suspicious or untrusted locations and devices. 
-- Monitor the affected account and related accounts for any unusual activity or further unauthorized access attempts. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional accounts or systems are affected.""" [[rule.threat]] diff --git a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml index be81fa89cc4..332c48076c3 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/18" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/03/26" [rule] author = ["Elastic"] @@ -94,7 +94,8 @@ not o365.audit.ClientAppId : ("13937bba-652e-4c46-b222-3003f4d1ff97" or "6326e36 "d73f4b35-55c9-48c7-8b10-651f6f2acb2e" or "d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0" or "de8bc8b5-d9f9-48b1-a8ad-b748da725064" or "dfe74da8-9279-44ec-8fb2-2aed9e1c73d0" or "e1ef36fd-b883-4dbf-97f0-9ece4b576fc6" or "e64aa8bc-8eb4-40e2-898b-cf261a25954f" or "e9f49c6b-5ce5-44c8-925d-015017e9f7ad" or "ee272b19-4411-433f-8f28-5c13cb6fd407" or "f5eaa862-7f08-448c-9c4e-f4047d4d4521" or - "fb78d390-0c51-40cd-8e17-fdbfab77341b" or "fc0f3af4-6835-4174-b806-f7db311fd2f3" or "fdf9885b-dd37-42bf-82e5-c3129ef5a302" + "fb78d390-0c51-40cd-8e17-fdbfab77341b" or "fc0f3af4-6835-4174-b806-f7db311fd2f3" or "fdf9885b-dd37-42bf-82e5-c3129ef5a302" or + "9199bf20-a13f-4107-85dc-02114787ef48" ) ''' diff --git a/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml new file mode 100644 index 00000000000..e18f124d09c --- /dev/null 
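Review bot: The second hunk appends `9199bf20-a13f-4107-85dc-02114787ef48` to the `not o365.audit.ClientAppId` exclusion list with nothing identifying the application behind it; every GUID in that list is a client the rule will never alert on, so an unexplained entry is hard to audit later and easy to mis-copy. KQL has no inline comments, so record the application name against the ID in the rule's `note` or `references`, e.g. `- 9199bf20-a13f-4107-85dc-02114787ef48: <application name>`. More generally, this is an allowlist keyed on a value the client presents; if the newly excluded app supports interactive token flows an attacker can drive (device code, for instance), the exclusion also hides that abuse, which deserves a sentence in the note.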
+++ b/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml 
@@ -0,0 +1,154 @@
+[metadata]
+creation_date = "2025/03/24"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/03/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an Microsoft 365 illicit consent grant request on-behalf-of a registered Entra ID application. Adversaries
+may create and register an application in Microsoft Entra ID for the purpose of requesting user consent to access
+resources in Microsoft 365. This is accomplished by tricking a user into granting consent to the application, typically
+via a pre-made phishing URL. This establishes an OAuth grant that allows the malicious client applocation to access
+resources in Microsoft 365 on-behalf-of the user.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-o365**"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Illicit Consent Grant via Registered Application"
+note = """## Triage and analysis
+
+### Investigating Microsoft 365 Illicit Consent Grant via Registered Application
+
+Adversaries may register a malicious application in Microsoft Entra ID and trick users into granting excessive permissions via OAuth consent. These apps can access sensitive Microsoft 365 data—such as mail, profiles, and files—on behalf of the user once consent is granted. This activity is often initiated through spearphishing campaigns that direct the user to a pre-crafted OAuth consent URL.
+
+This rule identifies a new consent grant to an application using Microsoft 365 audit logs. Additionally, this is a New Terms rule that will only trigger if the user and client ID have not been seen doing this activity in the last 14 days.
+
+#### Possible investigation steps
+
+- **Review the app in Entra ID**:
+ - Go to **Enterprise Applications** in the Azure portal.
+ - Search for the `AppId` or name from `o365.audit.ObjectId`.
+ - Review granted API permissions and whether admin consent was required.
+ - Check the `Publisher` and `Verified` status.
+
+- **Assess the user who granted consent**:
+ - Investigate `o365.audit.UserId` (e.g., `terrance.dejesus@...`) for signs of phishing or account compromise.
+ - Check if the user was targeted in recent phishing simulations or campaigns.
+ - Review the user’s sign-in logs for suspicious geolocation, IP, or device changes.
+
+- **Determine scope and risk**:
+ - Use the `ConsentContext_IsAdminConsent` and `ConsentContext_OnBehalfOfAll` flags to assess privilege level.
+ - If `offline_access` or `Mail.Read` was granted, consider potential data exposure.
+ - Cross-reference affected `Target` objects with known business-critical assets or data owners.
+
+- **Correlate additional telemetry**:
+ - Review logs from Defender for Cloud Apps (MCAS), Microsoft Purview, or other DLP tooling for unusual access patterns.
+ - Search for `AppId` across your tenant to determine how widely it's used.
+
+### False positive analysis
+
+- Not all consent grants are malicious. Verify if the app is business-approved, listed in your app catalog, or commonly used by users in that role or department.
+- Consent reasons like `WindowsAzureActiveDirectoryIntegratedApp` could relate to integrated services, though these still require verification.
+
+### Response and remediation
+
+- **If the app is confirmed malicious**:
+ - Revoke OAuth consent using the [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-delete).
+ - Remove any related service principals from Entra ID.
+ - Block the app via the Conditional Access "Grant" control or Defender for Cloud Apps policies.
+ - Revoke refresh tokens and require reauthentication for affected users.
+ - Notify end-users and IT of the potential exposure.
+ - Activate your phishing or OAuth abuse response playbook.
+
+- **Prevent future misuse**:
+ - Enable the [Admin consent workflow](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) to restrict user-granted consent.
+ - Audit and reduce overprivileged applications in your environment.
+ - Consider using Defender for Cloud Apps OAuth app governance.
+
+"""
+references = [
+ "https://www.wiz.io/blog/midnight-blizzard-microsoft-breach-analysis-and-best-practices",
+ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide",
+ "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/",
+ "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps",
+ "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema",
+]
+risk_score = 47
+rule_id = "0c3c80de-08c2-11f0-bd11-f661ea17fbcc"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Initial Access",
+ "Tactic: Credential Access",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "o365.audit"
+ and o365.audit.Actor.Type: 5
+ and event.action: "Consent to application."
+ and event.outcome: "success"
+ and o365.audit.Target.Type: (0 or 2 or 3 or 9 or 10)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "event.action",
+ "event.outcome",
+ "o365.audit.UserId",
+ "o365.audit.ObjectId",
+ "o365.audit.Actor.Type",
+ "o365.audit.Target.Type",
+ "o365.audit.ModifiedProperties.ConsentAction_Reason.NewValue",
+ "o365.audit.ExtendedProperties.additionalDetails",
+ "cloud.region"
+]
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["o365.audit.UserId", "o365.audit.ObjectId"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 5069b3e6823..e4563d0d588 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/04/01"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
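Review bot: The `description` has two wording defects: `Identifies an Microsoft 365` should read `Identifies a Microsoft 365`, and `malicious client applocation` should read `malicious client application`. The investigation guide also uses what looks like a real person's address as its example (`terrance.dejesus@...`); a neutral placeholder such as `user@example.com` avoids shipping an individual's identifier in a production rule. Finally, `o365.audit.Actor.Type: 5` and `o365.audit.Target.Type: (0 or 2 or 3 or 9 or 10)` are bare numeric codes with no explanation in the note — a sentence in the Triage section mapping them to the type names from the Management Activity API schema already listed in `references` (presumably the identity-type enum; confirm against the schema) would let an analyst judge whether a tuned exception is safe.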
@@ -64,7 +64,7 @@ type = "query" query = ''' event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and -not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" +not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" ''' diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml new file mode 100644 index 00000000000..ced6c3ebd7f --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml 
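Review bot: Because KQL matching on a keyword-mapped field is exact, the `Servicehost` → `ServiceHost` fix on the last query line implies the exclusion never matched before and these Exchange service-host events were reaching the alert stage; that is a behavioural change worth recording in the PR description rather than leaving it as a silent casing fix. This is inferred from the query alone — if `user.id` is mapped with a case-insensitive normalizer in this index, the old value already matched and the point is moot. The enclosing `query` block starts before this hunk.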
@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "sysmon_linux"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected an increase in the execution of privileged commands by a user, suggesting potential privileged access activity.
+This may indicate an attempt by the user to gain unauthorized access to sensitive or restricted parts of the system.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_linux_high_count_privileged_process_events_by_user"
+name = "Spike in Privileged Command Execution by a User"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Spike in Privileged Command Execution by a User
+
+Machine learning models are employed to monitor and analyze user behavior, specifically focusing on the execution of privileged commands. These models identify anomalies that may suggest unauthorized access attempts. Adversaries often exploit valid accounts to escalate privileges and access sensitive systems. The detection rule leverages ML to flag unusual spikes in command execution, indicating potential misuse of privileged access.
+
+### Possible investigation steps
+
+- Review the specific user account associated with the spike in privileged command execution to determine if the activity aligns with their typical behavior or job role.
+- Analyze the timeline of the command execution spike to identify any patterns or specific times when the activity occurred, which may correlate with known maintenance windows or unusual access times.
+- Cross-reference the commands executed with known privileged command lists to assess whether the commands are typical for the user's role or indicative of potential misuse.
+- Check for any recent changes in the user's access rights or group memberships that might explain the increase in privileged command execution.
+- Investigate any recent login activity for the user, including source IP addresses and devices, to identify any anomalies or unauthorized access attempts.
+- Review any associated alerts or logs for the same user or system around the time of the spike to gather additional context or corroborating evidence of potential unauthorized access.
+
+### False positive analysis
+
+- Routine administrative tasks by IT staff may trigger the rule. To manage this, create exceptions for known maintenance windows or specific user accounts that regularly perform these tasks.
+- Automated scripts or scheduled jobs that execute privileged commands can be mistaken for anomalies. Identify and whitelist these scripts or jobs to prevent false alerts.
+- Users with newly assigned roles that require elevated privileges might cause a temporary spike in command execution. Monitor these users initially and adjust the model's sensitivity or add exceptions as needed.
+- Software updates or installations that require elevated permissions can lead to false positives. Document these events and exclude them from the anomaly detection criteria.
+- Training or onboarding sessions where users are learning to use new systems with privileged access can result in increased command execution. Temporarily adjust thresholds or exclude these users during the training period.
+
+### Response and remediation
+
+- Immediately isolate the affected user account to prevent further execution of privileged commands. This can be done by disabling the account or changing its password.
+- Review recent privileged command execution logs to identify any unauthorized or suspicious activities performed by the user. Focus on commands that could alter system configurations or access sensitive data.
+- Conduct a thorough investigation to determine if the user's credentials have been compromised. This may involve checking for signs of phishing attacks or unauthorized access from unusual locations or devices.
+- If unauthorized access is confirmed, reset the affected user's credentials and any other accounts that may have been accessed using the compromised credentials.
+- Notify the security team and relevant stakeholders about the incident, providing details of the detected anomaly and actions taken so far.
+- Implement additional monitoring on the affected systems and user accounts to detect any further suspicious activities or attempts to regain unauthorized access.
+- Review and update access controls and permissions to ensure that users have the minimum necessary privileges, reducing the risk of privilege escalation in the future."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
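Review bot: `tags` lists both `"Rule Type: ML"` and `"Rule Type: Machine Learning"`, two spellings of the same label that will double up in any tag-based filtering; unless both are deliberately kept for compatibility with existing saved searches, keep one and drop the other. The file also ends without a trailing newline (`\ No newline at end of file`), which produces a noisy diff on the next edit. The same two issues appear in the `privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml` and `privileged_access_ml_linux_rare_process_executed_by_user.toml` hunks further down.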
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
new file mode 100644
index 00000000000..b2e61a46787
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "sysmon_linux"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user, suggesting possible privileged access activity through command lines.
+High entropy often indicates that the commands may be obfuscated or deliberately complex, which can be a sign of suspicious or unauthorized use of privileged access.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_linux_high_median_process_command_line_entropy_by_user"
+name = "High Command Line Entropy Detected for Privileged Commands"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "0cbbb5e0-f93a-47fe-ab72-8213366c38f1"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating High Command Line Entropy Detected for Privileged Commands
+
+Machine learning models analyze command line inputs to identify high entropy, which may indicate obfuscation or complexity in privileged commands. Adversaries exploit this by using intricate or encoded commands to mask unauthorized activities. The detection rule leverages this analysis to flag potential privilege escalation attempts, aiding in early threat identification and response.
+
+### Possible investigation steps
+
+- Review the command line inputs flagged by the alert to identify any patterns or specific obfuscation techniques used.
+- Cross-reference the user account associated with the alert against known valid accounts and recent access logs to determine if the activity aligns with expected behavior.
+- Analyze the context of the commands executed, including the time of execution and the systems targeted, to assess the potential impact and scope of the activity.
+- Check for any recent changes in user privileges or roles that might explain the execution of privileged commands.
+- Investigate any related alerts or logs that might provide additional context or corroborate the suspicious activity, such as failed login attempts or unusual network connections.
+- Consult with the user or relevant personnel to verify if the commands were part of legitimate administrative tasks or if they indicate unauthorized access.
+
+### False positive analysis
+
+- Legitimate administrative scripts may have high entropy due to complex or encoded commands. Review and whitelist these scripts to prevent unnecessary alerts.
+- Automated deployment tools often use obfuscated commands for security reasons. Identify and exclude these tools from the rule to reduce false positives.
+- Security software updates might execute encoded commands as part of their process. Monitor and create exceptions for these updates to avoid misclassification.
+- Developers and IT staff may use complex command lines for testing or debugging. Establish a baseline of normal activity for these users and adjust the rule accordingly.
+- Scheduled tasks or cron jobs with encoded commands can trigger alerts. Document and exclude these tasks if they are verified as non-threatening.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
+- Review and terminate any suspicious or unauthorized processes running under privileged accounts on the affected system.
+- Reset passwords for all privileged accounts involved, ensuring they meet strong password policies to prevent unauthorized access.
+- Conduct a thorough audit of recent privileged command executions to identify any unauthorized changes or data access, and revert any malicious modifications.
+- Implement additional monitoring on the affected system and related accounts to detect any further suspicious activities.
+- Escalate the incident to the security operations center (SOC) for a comprehensive investigation and to determine if other systems are affected.
+- Update and reinforce endpoint protection measures to detect and block similar obfuscation or high-entropy command line activities in the future."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
new file mode 100644
index 00000000000..05b61e3f97c
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
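Review bot: The false-positive guidance asserts that automated deployment tools `often use obfuscated commands for security reasons`, which is unsupported and could lead an analyst to wave through genuinely obfuscated activity; I'd reword it to `- Automated deployment or configuration-management tools may emit long encoded command lines (for example base64-wrapped payloads). Identify and exclude these tools from the rule to reduce false positives.` so the exclusion is tied to a verifiable source rather than an assumed motive. The duplicate `Rule Type` tags and the missing trailing newline here are the same as in the preceding PAD rule.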
@@ -0,0 +1,100 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "sysmon_linux"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected an unusual process run for privileged commands by a user, indicating potential privileged access activity.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_linux_rare_process_executed_by_user"
+name = "Unusual Process Detected for Privileged Commands by a User"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "5eac16ab-6d4f-427b-9715-f33e1b745fc7"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Process Detected for Privileged Commands by a User
+
+Machine learning models are employed to identify anomalies in process execution, particularly those involving privileged commands. Adversaries may exploit legitimate user accounts to execute unauthorized privileged actions, aiming for privilege escalation. This detection rule leverages ML to flag atypical processes, indicating potential misuse of elevated access, thus aiding in early threat identification.
+
+### Possible investigation steps
+
+- Review the specific user account associated with the alert to determine if the account has a history of executing privileged commands or if this is an anomaly.
+- Examine the process details, including the command line arguments and the parent process, to identify if the process is legitimate or potentially malicious.
+- Check the timestamp of the process execution to correlate with any other suspicious activities or alerts that occurred around the same time.
+- Investigate the source IP address or host from which the command was executed to verify if it is a known and trusted location for the user.
+- Look into recent authentication logs for the user account to identify any unusual login patterns or access from unfamiliar devices.
+- Assess the user's role and permissions to determine if the execution of such privileged commands aligns with their job responsibilities.
+
+### False positive analysis
+
+- Routine administrative tasks by IT staff may trigger alerts. Review and whitelist known administrative processes that are regularly executed by trusted personnel.
+- Automated scripts or scheduled tasks that perform privileged operations can be flagged. Identify and exclude these scripts if they are verified as part of normal operations.
+- Software updates or installations that require elevated privileges might be detected. Ensure that these processes are documented and excluded if they are part of standard maintenance procedures.
+- Development or testing environments where privileged commands are frequently used for legitimate purposes can cause false positives. Consider creating exceptions for these environments after thorough validation.
+- Temporary elevated access granted for specific projects or tasks can lead to alerts. Monitor and document these instances, and adjust the detection rule to accommodate such temporary changes.
+
+### Response and remediation
+
+- Immediately isolate the affected user account to prevent further unauthorized privileged actions. This can be done by disabling the account or changing its password.
+- Review and terminate any suspicious processes or sessions initiated by the user account to contain potential malicious activity.
+- Conduct a thorough audit of recent privileged commands executed by the user to identify any unauthorized changes or actions that need to be reversed.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems or accounts have been compromised.
+- Implement additional monitoring on the affected system and user account to detect any further anomalous behavior or attempts at privilege escalation.
+- Review and update access controls and permissions for the affected user account to ensure they align with the principle of least privilege.
+- Document the incident, including actions taken and lessons learned, to improve response strategies and prevent recurrence."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
new file mode 100644
index 00000000000..c482bfc2713
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
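Review bot: `from = "now-1h"` differs from the `now-3h` used by the sibling PAD rules in this change, which run with the same `interval = "15m"`; if the shorter lookback is not deliberate it leaves less slack for anomaly-record latency and could skip results the other rules would catch, so either align it to `from = "now-3h"` or state in `min_stack_comments` or the setup text why this job needs a narrower window. The duplicate `Rule Type` tags and the missing trailing newline match the earlier PAD rules in this change.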
@@ -0,0 +1,105 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad","okta"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected an unusually high number of active concurrent sessions initiated by a user, indicating potential privileged access activity.
+A sudden surge in concurrent active sessions by a user may indicate an attempt to abuse valid credentials for privilege escalation or maintain persistence.
+Adversaries might be leveraging multiple sessions to execute privileged operations, evade detection, or perform unauthorized actions across different systems.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_okta_high_sum_concurrent_sessions_by_user"
+name = "Unusual Spike in Concurrent Active Sessions by a User"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "a300dea6-e228-40e1-9123-a339e207378b"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Privileged Access Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Spike in Concurrent Active Sessions by a User
+
+The detection of unusual spikes in concurrent active sessions leverages machine learning to identify anomalies in user behavior, particularly those suggesting privilege misuse. Adversaries may exploit valid credentials to initiate multiple sessions, aiming to escalate privileges or evade detection. This rule identifies such anomalies, flagging potential unauthorized access or privilege escalation attempts.
+
+### Possible investigation steps
+
+- Review the user's recent activity logs to identify any unusual patterns or deviations from their typical behavior, focusing on the timestamps and systems accessed during the spike in concurrent sessions.
+- Check for any recent changes in the user's access privileges or roles that might explain the increase in session activity, ensuring that these changes were authorized and documented.
+- Investigate the source IP addresses and geolocations associated with the concurrent sessions to determine if they align with the user's known locations or if they suggest potential unauthorized access.
+- Analyze the specific actions performed during the concurrent sessions to identify any attempts at privilege escalation or unauthorized access to sensitive systems or data.
+- Correlate the user's session activity with any other security alerts or incidents to assess if this behavior is part of a larger pattern of suspicious activity.
+
+### False positive analysis
+
+- High-volume legitimate activities such as system updates or batch processing can trigger false positives. Exclude these activities by identifying and whitelisting known processes or users involved in such operations.
+- Users with roles that require multiple concurrent sessions, like system administrators or developers, may naturally exhibit this behavior. Create exceptions for these roles by defining baseline session patterns and adjusting thresholds accordingly.
+- Automated scripts or tools that require multiple logins for monitoring or maintenance tasks can be mistaken for suspicious activity. Document and exclude these scripts by associating them with specific user accounts or service accounts.
+- Temporary spikes due to legitimate business needs, such as end-of-quarter financial processing, can be misinterpreted. Implement a process to temporarily adjust detection parameters during known high-activity periods.
+- Shared accounts used by multiple team members can lead to an increase in concurrent sessions. Encourage the use of individual accounts and implement monitoring to differentiate between shared and individual account activities.
+
+### Response and remediation
+
+- Immediately isolate the user account showing unusual concurrent session activity to prevent further unauthorized access or privilege escalation.
+- Conduct a thorough review of the affected systems and sessions to identify any unauthorized changes or actions performed during the spike in activity.
+- Reset the credentials of the compromised user account and enforce a password change policy to ensure the account is secured.
+- Analyze logs and session data to determine the source of the unauthorized access, identifying any potential entry points or vulnerabilities exploited.
+- Escalate the incident to the security operations team for further investigation and to assess the need for additional security measures or incident response actions.
+- Implement additional monitoring on the affected systems and user accounts to detect any further suspicious activity or attempts to regain access.
+- Review and update access controls and permissions to ensure that only authorized users have the necessary privileges, reducing the risk of future privilege escalation attempts."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
new file mode 100644
index 00000000000..f46f70d0cd6
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
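Review bot: The second `[[rule.threat.technique]]` block at the end of this file maps the rule to T1068 (Exploitation for Privilege Escalation), but nothing the rule describes — a surge in concurrent Okta sessions under one account — involves exploiting a software vulnerability; the activity is credential use, which the T1078 mapping already covers. The sibling Okta PAD rules added in this commit map only T1078, so dropping the T1068 block here keeps the set consistent and avoids inflating ATT&CK coverage for a technique the job cannot observe. Separately, the `setup` sentence `as well as Okta logs collected by integrations such as Okta` reads circularly; `as well as Okta logs collected by the Okta integration` is clearer, and the same sentence recurs in the rare_host_name, rare_region_name, rare_source_ip and spike_in_group_application_assignment_changes files.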
@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad","okta"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Okta from an uncommon device, indicating potential privileged access activity.
+This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_okta_rare_host_name_by_user"
+name = "Unusual Host Name for Okta Privileged Operations Detected"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Privileged Access Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Host Name for Okta Privileged Operations Detected
+
+Okta is a widely used identity management service that facilitates secure user authentication and access control. Adversaries may exploit Okta by using stolen credentials or unauthorized devices to perform privileged operations, potentially leading to privilege escalation. The detection rule leverages machine learning to identify anomalies in host names associated with privileged actions, flagging unusual device usage that may indicate compromised accounts or insider threats.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific user and host name involved in the unusual activity.
+- Check the user's recent login history and device usage patterns in Okta to determine if the host name has been used before or if it is indeed uncommon.
+- Investigate the geographical location and IP address associated with the unusual host name to assess if it aligns with the user's typical access patterns.
+- Examine any recent changes to the user's account, such as password resets or modifications to multi-factor authentication settings, to identify potential signs of compromise.
+- Correlate the alert with other security logs and alerts to identify any related suspicious activities or patterns that could indicate a broader attack or insider threat.
+- Contact the user to verify if they recognize the device and host name, and if they were performing the privileged operations at the time of the alert.
+- If unauthorized access is confirmed, follow incident response procedures to secure the account, such as resetting credentials and reviewing access permissions.
+
+### False positive analysis
+
+- Users accessing Okta from new or temporary devices may trigger false positives. Regularly update the list of approved devices to include these new devices if they are legitimate.
+- Employees traveling or working remotely might use different devices or networks, causing alerts. Implement a process to verify and whitelist these devices when travel or remote work is expected.
+- IT staff performing legitimate administrative tasks from shared or uncommon devices can be mistaken for threats. Maintain a log of such activities and cross-reference with alerts to identify and exclude these benign actions.
+- Changes in device naming conventions or system upgrades can result in unusual host names. Ensure that any planned changes are communicated and documented to adjust the detection parameters accordingly.
+- Regularly review and refine the machine learning model's training data to minimize false positives by incorporating feedback from security teams on legitimate activities that were incorrectly flagged.
+
+### Response and remediation
+
+- Immediately isolate the device associated with the unusual host name from the network to prevent further unauthorized access or potential lateral movement.
+- Revoke any active sessions and reset the credentials for the affected Okta account to prevent further unauthorized access.
+- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or access.
+- Notify the security operations team and relevant stakeholders about the potential compromise for further investigation and monitoring.
+- Implement additional monitoring on the affected account and similar privileged accounts to detect any further suspicious activities.
+- Review and update access controls and policies to ensure that only authorized devices can perform privileged operations in Okta.
+- Consider enabling multi-factor authentication (MFA) for all privileged accounts to add an additional layer of security against unauthorized access."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
new file mode 100644
index 00000000000..2d66b9d679c
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
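Review bot: The first response step, `Immediately isolate the device associated with the unusual host name from the network`, is often not actionable for this rule: the host name appears to come from Okta client metadata, and that device may be unmanaged or remote, so the responder may have no network control over it at all. The step that is always available in Okta — revoking the account's active sessions and resetting its credentials — is listed second; I would make it the first bullet and reword the device step as `If the device is a managed endpoint, isolate it from the network ...`. The false-positive bullet about refining `the machine learning model's training data` also does not match how the prebuilt anomaly detection jobs are tuned; presumably the intent is rule exceptions and the `anomaly_threshold`, so I would point the reader at those instead.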
@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad","okta"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Okta from an uncommon geographical location, indicating potential privileged access activity.
+This could suggest a compromised account, unauthorized access, or an attacker using stolen credentials to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_okta_rare_region_name_by_user"
+name = "Unusual Region Name for Okta Privileged Operations Detected"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Privileged Access Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Region Name for Okta Privileged Operations Detected
+
+Okta is a widely used identity management service that controls access to applications and data. Adversaries may exploit stolen credentials to perform privileged operations from unusual locations, bypassing security measures. The detection rule leverages machine learning to identify anomalies in user activity, such as access from uncommon regions, indicating potential unauthorized access or privilege escalation attempts.
+
+### Possible investigation steps
+
+- Review the alert details to identify the user account involved and the specific unusual region from which the privileged operations were detected.
+- Check the user's recent login history and activity logs in Okta to determine if there are other instances of access from uncommon regions or any other suspicious activities.
+- Verify with the user or their manager whether the access from the unusual region was expected or authorized, and if the user is currently traveling or using a VPN.
+- Investigate any recent changes to the user's account, such as password resets or modifications to multi-factor authentication settings, to identify potential signs of compromise.
+- Correlate the detected activity with other security logs and alerts to identify any related incidents or patterns that might indicate a broader attack or compromise.
+- Assess the risk and impact of the detected activity by determining the specific privileged operations performed and whether any sensitive data or systems were accessed.
+- If unauthorized access is confirmed, follow the organization's incident response procedures to contain and remediate the threat, including resetting the user's credentials and reviewing access permissions.
+
+### False positive analysis
+
+- Users traveling for business may trigger false positives if they access Okta from uncommon regions. To manage this, create exceptions for users with known travel patterns by updating their profiles with expected travel locations.
+- Remote employees working from different geographical locations than usual can cause false alerts. Implement a process to regularly update the list of approved remote work locations for these users.
+- Employees using VPNs that route through different countries might be flagged. Identify and whitelist common VPN exit nodes used by your organization to prevent these false positives.
+- Temporary assignments or projects in different regions can lead to alerts. Establish a communication protocol for employees to notify the security team of such assignments, allowing for temporary exceptions to be made.
+- Consider time-based analysis to differentiate between legitimate access during business hours and suspicious activity at unusual times, reducing false positives from legitimate users accessing Okta from uncommon regions.
+
+### Response and remediation
+
+- Immediately isolate the affected user account by disabling it to prevent further unauthorized access or privilege escalation.
+- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or access.
+- Reset the password for the compromised account and enforce multi-factor authentication (MFA) to enhance security.
+- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
+- Review and update access controls and permissions for the affected account to ensure they align with the principle of least privilege.
+- Monitor for any additional suspicious activity across other accounts and systems to identify potential lateral movement or further compromise.
+- Document the incident details and response actions taken for future reference and to improve incident response processes."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
new file mode 100644
index 00000000000..1583382c4af
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
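Review bot: The response section opens with `Immediately isolate the affected user account by disabling it`, while the investigation steps above ask to verify with the user or their manager whether travel or a VPN explains the region and then say `If unauthorized access is confirmed, follow the organization's incident response procedures`; as written the two sections give conflicting triggers for disabling the account. For a low-severity ML anomaly that the false-positive section itself expects from business travel and VPN exit nodes, I would gate the first remediation bullet: `Once the access is confirmed unauthorized (or the user cannot be reached), disable the account to prevent further unauthorized access or privilege escalation.` The same verify-then-act gap exists in the high_sum_concurrent_sessions and rare_source_ip files, whose response sections also begin with immediate account isolation.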
@@ -0,0 +1,100 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad","okta"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity.
+This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_okta_rare_source_ip_by_user"
+name = "Unusual Source IP for Okta Privileged Operations Detected"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "fbb10f1e-77cb-42f9-994e-5da17fc3fc15"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Privileged Access Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Source IP for Okta Privileged Operations Detected
+
+Okta is a widely used identity management service that controls access to applications and data. Adversaries may exploit Okta by using stolen credentials to perform privileged operations from unfamiliar IP addresses, indicating potential misuse or compromise. The detection rule leverages machine learning to identify deviations in IP usage patterns, flagging unusual access attempts that could signify privilege escalation or account compromise.
+
+### Possible investigation steps
+
+- Review the source IP address flagged by the alert to determine its geolocation and assess if it aligns with the user's typical access patterns or known locations.
+- Check the Okta logs for the specific user account to identify any other recent activities from the same IP address or any other unusual IP addresses.
+- Investigate the timing and nature of the privileged operations performed to determine if they align with the user's normal behavior or job responsibilities.
+- Correlate the flagged IP address with any known threat intelligence feeds to check for any history of malicious activity associated with it.
+- Contact the user to verify if they were aware of the access attempt and if they have recently used a new network location or VPN service.
+- Examine any recent changes to the user's account settings or permissions that could indicate unauthorized modifications.
+
+### False positive analysis
+
+- Employees traveling or working remotely may trigger alerts due to accessing Okta from new IP addresses. To manage this, maintain a list of known IP ranges for remote work and travel, and configure exceptions for these ranges.
+- Use of VPNs or proxy services can result in access from unfamiliar IPs. Regularly update the list of approved VPN or proxy IP addresses and exclude them from triggering alerts.
+- Changes in corporate network infrastructure, such as new IP allocations, can cause false positives. Ensure that any changes in network configurations are communicated to the security team to update the detection rule's exceptions.
+- Scheduled maintenance or testing activities by IT staff might appear as unusual access. Document and whitelist IP addresses used during these activities to prevent unnecessary alerts.
+- Third-party integrations or services that access Okta on behalf of users can be mistaken for suspicious activity. Identify and whitelist these services' IP addresses to avoid false positives.
+
+### Response and remediation
+
+- Immediately isolate the affected user account by temporarily disabling it to prevent further unauthorized access.
+- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or data access.
+- Reset the password for the compromised account and enforce multi-factor authentication (MFA) to enhance security.
+- Notify the security team and relevant stakeholders about the potential compromise for further investigation and monitoring.
+- Review and update access logs to ensure all unusual IP addresses are flagged and monitored for any future access attempts.
+- Implement network-based restrictions to block the identified unusual IP address from accessing the Okta environment.
+- Conduct a post-incident analysis to identify the root cause and update security policies and procedures to prevent similar incidents in the future."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
new file mode 100644
index 00000000000..f9b0152d19f
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
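Review bot: The remediation bullet `Implement network-based restrictions to block the identified unusual IP address from accessing the Okta environment` conflicts with the false-positive analysis in the same `note`, which lists VPN exit nodes, proxies and third-party integrations as likely sources of the flagged address; blocking such a shared egress IP at the Okta network-zone level can lock out legitimate users, while an intruder who simply changes source address is unaffected. I would reword it to `If the IP is confirmed attacker-controlled and not a shared egress address, add it to a deny network zone; treat session revocation and the credential reset above as the primary containment.` The bullet `Review and update access logs to ensure all unusual IP addresses are flagged` also misstates what an analyst can do — logs are evidence, not something to update — and should read `Review access logs and add the unusual IP addresses to a watchlist so future access attempts from them are alerted on.`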
@@ -0,0 +1,110 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad","okta"] +maturity = "production" +updated_date = "2025/02/18" +min_stack_version = "8.18.0" +min_stack_comments = "New PAD integration only available starting at 8.18.0." + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified an unusual spike in Okta group application assignment change events, indicating potential privileged access activity. +Threat actors might be assigning applications to groups to escalate access, maintain persistence, or facilitate lateral movement within an organization’s environment. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_okta_spike_in_group_application_assignment_changes" +name = "Spike in Group Application Assignment Change Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "3278313c-d6cd-4d49-aa24-644e1da6623c" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. 
+ +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" +] +type = "machine_learning" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Spike in Group Application Assignment Change Events + +In modern environments, identity and access management systems like Okta manage user access to applications. Adversaries may exploit these systems by altering group application assignments to gain unauthorized access or escalate privileges. The detection rule leverages machine learning to identify unusual spikes in these changes, signaling potential misuse and enabling timely investigation of privilege escalation activities. + +### Possible investigation steps + +- Review the specific group application assignment change events that triggered the alert to identify which groups and applications were involved. +- Analyze the timeline of the changes to determine if there is a pattern or specific time frame when the spike occurred. 
+- Investigate the user accounts associated with the changes to assess if they have a history of suspicious activity or if they belong to high-risk roles. +- Check for any recent changes in group membership or application access policies that could explain the spike in assignment changes. +- Correlate the events with other security alerts or logs to identify any concurrent suspicious activities, such as failed login attempts or unusual access patterns. +- Consult with the IT or security team to verify if there were any legitimate administrative activities or changes that could have caused the spike. + +### False positive analysis + +- Routine administrative changes in group application assignments can trigger false positives. Regularly review and document these changes to differentiate them from suspicious activities. +- Automated processes or scripts that frequently update group assignments may cause spikes. Identify and whitelist these processes to prevent unnecessary alerts. +- Organizational restructuring or onboarding/offboarding activities can lead to increased group assignment changes. Temporarily adjust the detection thresholds or exclude these events during known periods of high activity. +- Changes related to application updates or migrations might be flagged. Coordinate with IT teams to schedule these changes and exclude them from monitoring during the update window. +- Frequent changes by trusted users or administrators can be excluded by creating exceptions for specific user accounts or roles, ensuring that only unexpected changes trigger alerts. + +### Response and remediation + +- Immediately isolate affected user accounts and groups to prevent further unauthorized access or privilege escalation. +- Revert any unauthorized group application assignments to their previous state to mitigate potential misuse. +- Conduct a thorough review of recent changes in group application assignments to identify any additional unauthorized modifications. 
+- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or accounts have been compromised.
+- Implement additional monitoring on the affected accounts and groups to detect any further suspicious activity.
+- Review and update access controls and group assignment policies to prevent similar unauthorized changes in the future.
+- Coordinate with the IT and security teams to ensure that all affected systems and applications are patched and secured against known vulnerabilities."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
new file mode 100644
index 00000000000..d8e6ac20486
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
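Review bot: The `[[rule.threat.technique]]` entry for T1068 (Exploitation for Privilege Escalation) does not match what this rule detects: T1068 covers exploiting a software vulnerability, whereas the description and guide describe changes to Okta group application assignments, which the T1098 and T1078 entries in the same section already cover. The same T1068 entry is present in privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml, privileged_access_ml_okta_spike_in_group_membership_changes.toml and privileged_access_ml_okta_spike_in_group_privilege_changes.toml in this change. The last response bullet, `- Coordinate with the IT and security teams to ensure that all affected systems and applications are patched and secured against known vulnerabilities.`, appears to follow from that mapping and is not actionable for an assignment change; I would replace it with `- Re-validate the group rules and application assignment rules in Okta so that the reverted assignments are not re-applied automatically.` Separately, `tags` lists both "Rule Type: ML" and "Rule Type: Machine Learning" in every new rule here; one of the two is presumably redundant unless the repository's tag schema still requires both.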
@@ -0,0 +1,105 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad","okta"] +maturity = "production" +updated_date = "2025/02/18" +min_stack_version = "8.18.0" +min_stack_comments = "New PAD integration only available starting at 8.18.0." + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified an unusual spike in Okta group lifecycle change events, indicating potential privileged access activity. +Adversaries may be altering group structures to escalate privileges, maintain persistence, or facilitate lateral movement within an organization’s identity management system. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_okta_spike_in_group_lifecycle_changes" +name = "Spike in Group Lifecycle Change Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. 
+ +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" +] +type = "machine_learning" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Spike in Group Lifecycle Change Events + +In identity management systems like Okta, group lifecycle changes are crucial for managing user access and permissions. Adversaries may exploit these changes to escalate privileges or maintain unauthorized access. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential misuse. By focusing on privilege escalation tactics, it helps security analysts pinpoint and investigate suspicious activities. + +### Possible investigation steps + +- Review the specific group lifecycle change events that triggered the alert to identify which groups were altered and the nature of the changes. +- Examine the user accounts associated with the changes to determine if they have a history of suspicious activity or if they have recently been granted elevated privileges. 
+- Check the timestamps of the group changes to see if they coincide with other unusual activities or known attack patterns within the organization. +- Investigate any recent access requests or approvals related to the affected groups to ensure they were legitimate and authorized. +- Correlate the group changes with other security alerts or logs to identify potential lateral movement or privilege escalation attempts by adversaries. +- Assess the current membership of the affected groups to ensure no unauthorized users have been added or legitimate users removed. + +### False positive analysis + +- Routine administrative changes in group memberships can trigger false positives. Security teams should identify and whitelist these regular activities to prevent unnecessary alerts. +- Automated processes or scripts that modify group structures for legitimate reasons may cause spikes. Exclude these known processes by creating exceptions in the detection rule. +- Large-scale onboarding or offboarding events can lead to a temporary increase in group lifecycle changes. Coordinate with HR or relevant departments to anticipate these events and adjust monitoring thresholds accordingly. +- Changes due to system integrations or updates might be misinterpreted as suspicious. Document and exclude these events by maintaining an updated list of integration activities. +- Regular audits or compliance checks that involve group modifications should be recognized and filtered out to avoid false alarms. + +### Response and remediation + +- Immediately isolate affected user accounts and groups to prevent further unauthorized access or privilege escalation. This can be done by temporarily disabling accounts or removing them from critical groups. +- Conduct a thorough review of recent group lifecycle changes to identify unauthorized modifications. Revert any unauthorized changes to restore the original group structures and permissions. 
+- Implement additional monitoring on the affected accounts and groups to detect any further suspicious activities. This includes setting up alerts for any new group changes or access attempts.
+- Escalate the incident to the security operations team for a deeper investigation into potential lateral movement or persistence mechanisms used by the adversary.
+- Review and update access controls and group management policies to ensure they align with the principle of least privilege, minimizing the risk of privilege escalation.
+- Coordinate with the IT and security teams to apply patches or updates to any vulnerabilities identified during the investigation that may have been exploited for privilege escalation.
+- Document the incident, including all actions taken, and conduct a post-incident review to identify lessons learned and improve future response strategies."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
new file mode 100644
index 00000000000..55ea9e30fad
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
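Review bot: The threat section maps T1068 and T1078 but not T1098 (Account Manipulation), although the description frames group lifecycle changes as adversaries "altering group structures to escalate privileges, maintain persistence, or facilitate lateral movement", which is the activity T1098 describes. The sibling rule privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml in this same change maps T1098 for comparable activity, and privileged_access_ml_okta_spike_in_group_membership_changes.toml ("adding accounts to privileged groups") has the same gap. I would add the entry below ahead of the existing technique entries so the three Okta group rules carry a consistent mapping.
```toml
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

# … unchanged: existing T1068 and T1078 technique entries and the tactic table …
```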
@@ -0,0 +1,105 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad","okta"] +maturity = "production" +updated_date = "2025/02/18" +min_stack_version = "8.18.0" +min_stack_comments = "New PAD integration only available starting at 8.18.0." + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified an unusual spike in Okta group membership events, indicating potential privileged access activity. +Attackers or malicious insiders might be adding accounts to privileged groups to escalate their access, potentially leading to unauthorized actions or data breaches. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_okta_spike_in_group_membership_changes" +name = "Spike in Group Membership Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "138520d2-11ff-4288-a80e-a45b36dca4b1" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. 
+ +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" +] +type = "machine_learning" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Spike in Group Membership Events + +In modern IT environments, group membership management is crucial for controlling access to resources. Adversaries may exploit this by adding accounts to privileged groups, thereby escalating their access rights. The detection rule leverages machine learning to identify unusual spikes in group membership events, signaling potential unauthorized access attempts. This proactive approach helps in mitigating risks associated with privilege escalation. + +### Possible investigation steps + +- Review the specific Okta group membership events that triggered the alert to identify which accounts were added to privileged groups. +- Cross-reference the accounts added with known user roles and responsibilities to determine if the changes align with expected access patterns. 
+- Check recent activity logs for the accounts added to privileged groups to identify any suspicious or unauthorized actions following the group membership change. +- Investigate the source of the group membership changes, including the user or system that initiated the changes, to assess if it was a legitimate administrative action. +- Analyze historical data for similar spikes in group membership events to determine if this is part of a recurring pattern or an isolated incident. +- Consult with the IT or security team to verify if there were any recent changes in access policies or group management procedures that could explain the spike. + +### False positive analysis + +- Routine administrative tasks may trigger spikes in group membership events, such as scheduled updates or onboarding processes. Users can create exceptions for these known activities to prevent false alerts. +- Automated scripts or tools that manage group memberships for legitimate purposes might cause false positives. Identifying and excluding these scripts from monitoring can reduce unnecessary alerts. +- Changes in group membership due to organizational restructuring or policy updates can appear as spikes. Documenting these changes and adjusting the detection parameters accordingly can help mitigate false positives. +- Frequent legitimate access requests to privileged groups during specific business cycles, like end-of-quarter financial reviews, can be excluded by setting time-based exceptions. +- Regular audits or compliance checks that involve temporary access to privileged groups should be accounted for by creating temporary exceptions during these periods. + +### Response and remediation + +- Immediately isolate the affected accounts by removing them from any privileged groups to prevent further unauthorized access. +- Conduct a thorough review of recent group membership changes in Okta to identify any other unauthorized additions and remove them as necessary. 
+- Reset passwords and enforce multi-factor authentication for the affected accounts to secure them against further compromise.
+- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
+- Implement additional monitoring on the affected accounts and privileged groups to detect any further suspicious activity.
+- Review and update access control policies to ensure that only authorized personnel can modify group memberships, reducing the risk of future unauthorized changes.
+- Document the incident and response actions taken, and conduct a post-incident review to identify any gaps in the current security posture and improve future response efforts."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
new file mode 100644
index 00000000000..ddf6c5d19e7
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
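Review bot: The investigation guide never states which Okta events the `pad_okta_spike_in_group_membership_changes` job counts, and its false-positive and response sections are close to those of privileged_access_ml_okta_spike_in_group_privilege_changes.toml, so an analyst who receives both alerts cannot tell from the guides what separates a "group membership event" from a "group privilege change event". I would add one sentence to the opening paragraph under "Investigating Spike in Group Membership Events" along the lines of `The job counts Okta system log events whose event.action is one of <event.action values queried by the job's datafeed>, which is what distinguishes it from the group privilege change job.` The job definition lives in the PAD integration rather than in this file, so the exact values have to be confirmed against it before the sentence is written. The other new Okta spike rules in this change would benefit from the same sentence.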
@@ -0,0 +1,110 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad","okta"] +maturity = "production" +updated_date = "2025/02/18" +min_stack_version = "8.18.0" +min_stack_comments = "New PAD integration only available starting at 8.18.0." + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity. +Attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_okta_spike_in_group_privilege_changes" +name = "Spike in Group Privilege Change Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "02b4420d-eda2-4529-9e46-4a60eccb7e2d" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. 
+ +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" +] +type = "machine_learning" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Spike in Group Privilege Change Events + +In environments using Okta, group privilege changes are crucial for managing access. Adversaries may exploit this by adding themselves to privileged groups, gaining unauthorized access. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential privilege escalation attempts, thus aiding in early threat detection and response. + +### Possible investigation steps + +- Review the specific group privilege change events identified by the machine learning job to determine which accounts were added to privileged groups. +- Cross-reference the accounts involved in the privilege changes with recent login activity to identify any unusual or suspicious access patterns. +- Check the history of privilege changes for the affected groups to see if there is a pattern of unauthorized access or if this is an isolated incident. 
+- Investigate the source IP addresses and locations associated with the privilege change events to identify any anomalies or unexpected geolocations. +- Examine any recent changes to the accounts involved, such as password resets or multi-factor authentication (MFA) modifications, to assess if they have been compromised. +- Collaborate with the affected users or their managers to verify if the privilege changes were authorized and legitimate. + +### False positive analysis + +- Routine administrative tasks may trigger spikes in group privilege changes. Regularly scheduled audits or updates to group memberships should be documented and excluded from alerts. +- Automated scripts or tools that manage user access can cause frequent changes. Identify these scripts and create exceptions for their activity to prevent false positives. +- Organizational restructuring or mergers often lead to bulk updates in group privileges. During these periods, temporarily adjust the sensitivity of the detection rule or whitelist specific activities. +- Onboarding or offboarding processes can result in a high volume of legitimate group changes. Coordinate with HR and IT to anticipate these events and adjust monitoring accordingly. +- Changes in security policies or compliance requirements might necessitate widespread privilege adjustments. Ensure these policy-driven changes are communicated to the security team to avoid unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected accounts by removing them from any high-privilege groups to prevent further unauthorized access. +- Conduct a thorough review of recent group membership changes in Okta to identify any other unauthorized privilege escalations. +- Reset passwords and enforce multi-factor authentication for the affected accounts to secure them against further compromise. 
+- Notify the security team and relevant stakeholders about the incident for awareness and potential escalation if further suspicious activity is detected.
+- Implement additional monitoring on the affected accounts and privileged groups to detect any further unauthorized changes or access attempts.
+- Review and update access control policies to ensure that only authorized personnel can modify group memberships, reducing the risk of future privilege escalation.
+- Document the incident, including all actions taken, to improve response strategies and inform future security measures."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
new file mode 100644
index 00000000000..6ab4c38701e
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
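Review bot: The response bullet `- Reset passwords and enforce multi-factor authentication for the affected accounts to secure them against further compromise.` leaves out clearing the accounts' active Okta sessions and revoking any API tokens they own; sessions and tokens established before the reset are not necessarily invalidated by it, so an actor who is already authenticated keeps access until they are cleared. Proposed additional bullet directly after it: `- Clear all active Okta sessions and revoke API tokens for the affected accounts, since a password reset does not by itself terminate sessions that are already established.` The same bullet in privileged_access_ml_okta_spike_in_group_membership_changes.toml has the same gap.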
@@ -0,0 +1,104 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad","okta"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity.
+Threat actors may manipulate user accounts to gain higher access rights or persist within the environment.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_okta_spike_in_user_lifecycle_management_changes"
+name = "Spike in User Lifecycle Management Change Events"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "178770e0-5c20-4246-b430-e216a2888b23"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Spike in User Lifecycle Management Change Events
+
+User lifecycle management in environments like Okta involves creating, modifying, and deleting user accounts. Adversaries may exploit this by manipulating accounts to escalate privileges or maintain access. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential misuse. By focusing on anomalies, it aids in early detection of privilege escalation tactics.
+
+### Possible investigation steps
+
+- Review the specific user accounts involved in the lifecycle management change events to identify any patterns or anomalies, such as multiple changes in a short period or changes made by unusual sources.
+- Check the timestamps of the change events to determine if they align with normal business hours or if they occurred during unusual times, which might indicate suspicious activity.
+- Investigate the source IP addresses and locations associated with the change events to identify any unusual or unauthorized access points.
+- Examine the types of changes made to the user accounts, such as privilege escalations or role modifications, to assess if they align with legitimate business needs.
+- Cross-reference the user accounts involved with recent security alerts or incidents to determine if they have been previously flagged for suspicious activity.
+- Consult with the account owners or relevant department heads to verify if the changes were authorized and necessary for business operations.
+
+### False positive analysis
+
+- Routine administrative tasks such as bulk user account updates or scheduled maintenance can trigger spikes in user lifecycle management events. To manage this, create exceptions for known maintenance windows or bulk operations.
+- Automated processes or scripts that regularly modify user accounts may cause false positives. Identify these processes and exclude them from the detection rule to prevent unnecessary alerts.
+- Onboarding or offboarding periods with high user account activity can lead to spikes. Adjust the detection thresholds temporarily during these periods or exclude specific user groups involved in these activities.
+- Integration with third-party applications that frequently update user attributes might result in false positives. Review and whitelist these applications to reduce noise in the detection system.
+
+### Response and remediation
+
+- Immediately isolate the affected user accounts to prevent further unauthorized access or privilege escalation. This can be done by disabling the accounts or changing their passwords.
+- Review and revoke any unauthorized permissions or roles that were assigned during the spike in user lifecycle management change events. Ensure that only legitimate access rights are restored.
+- Conduct a thorough audit of recent user account changes to identify any additional accounts that may have been manipulated. Pay special attention to accounts with elevated privileges.
+- Notify the security team and relevant stakeholders about the incident to ensure awareness and coordination for further investigation and response.
+- Implement additional monitoring on the affected accounts and related systems to detect any further suspicious activity or attempts to regain unauthorized access.
+- Escalate the incident to higher-level security management if the scope of the breach is extensive or if sensitive data may have been compromised.
+- Review and update access management policies and procedures to prevent similar incidents in the future, ensuring that changes to user accounts are logged and regularly reviewed."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
new file mode 100644
index 00000000000..feb73369c88
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
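Review bot: The first bullet under `### Response and remediation` tells the analyst to immediately disable the affected accounts or change their passwords, which is a disruptive action for a `risk_score = 21` / `severity = "low"` anomaly that the guide's own false-positive section says is routinely produced by onboarding, bulk updates and third-party integrations. Consider gating that bullet on confirmation, e.g. `- Once the change events are confirmed to be unauthorized (see the investigation steps above), isolate the affected user accounts by disabling them or rotating their credentials.`; the same ordering appears in the three Windows rules that follow (group management, special logon, special privilege use). Separately, the description says actors may "persist within the environment" and T1098 is also a Persistence technique, yet only `TA0004` is mapped; a second `[[rule.threat]]` block with a `[rule.threat.tactic]` of `id = "TA0003"` / `name = "Persistence"` would keep the mapping consistent with the description. Minor: `integration = ["pad","okta"]` lacks the space after the comma that the sibling rules use, and the file ends without a trailing newline (as do the three that follow).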
@@ -0,0 +1,107 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a spike in group management events for a user, indicating potential privileged access activity.
+The machine learning has flagged an abnormal rise in group management actions (such as adding or removing users from privileged groups),
+which could point to an attempt to escalate privileges or unauthorized modifications to group memberships.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_high_count_group_management_events"
+name = "Spike in Group Management Events"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "751b0329-7295-4682-b9c7-4473b99add69"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Spike in Group Management Events
+
+The detection of spikes in group management events leverages machine learning to monitor and identify unusual patterns in user activities related to group memberships. Adversaries may exploit this by adding or removing users from privileged groups to escalate privileges or alter access controls. The detection rule identifies these anomalies, flagging potential unauthorized modifications indicative of privilege escalation attempts.
+
+### Possible investigation steps
+
+- Review the specific user account associated with the spike in group management events to determine if the activity aligns with their typical behavior or role.
+- Check the timeline of the group management events to identify any patterns or sequences that might suggest unauthorized access or privilege escalation attempts.
+- Investigate the source IP addresses and devices used during the group management events to verify if they are consistent with the user's usual access points or if they indicate potential compromise.
+- Examine recent changes to privileged groups, focusing on additions or removals of users, to assess if these modifications were authorized and necessary.
+- Cross-reference the flagged events with any recent support tickets or change requests to confirm if the actions were legitimate and documented.
+- Look for any other related alerts or anomalies in the same timeframe that might indicate a broader security incident or coordinated attack.
+
+### False positive analysis
+
+- Routine administrative tasks can trigger spikes in group management events, such as scheduled user onboarding or offboarding. To manage this, create exceptions for known periods of increased activity.
+- Automated scripts or tools that manage group memberships might cause false positives. Identify these scripts and exclude their activities from the rule's monitoring.
+- Changes in organizational structure, like department mergers, can lead to legitimate spikes. Document these changes and adjust the rule's sensitivity temporarily.
+- Regular audits or compliance checks that involve group membership reviews may appear as anomalies. Schedule these activities and inform the monitoring team to prevent false alerts.
+- High turnover rates in certain departments can result in frequent group changes. Monitor these departments separately and adjust thresholds accordingly.
+
+### Response and remediation
+
+- Immediately isolate the affected user account by disabling it to prevent further unauthorized group management activities.
+- Review and audit recent changes to group memberships, focusing on privileged groups, to identify any unauthorized additions or removals.
+- Revert any unauthorized changes to group memberships to restore the intended access controls.
+- Conduct a thorough investigation to determine the source of the anomaly, including checking for compromised credentials or insider threats.
+- Reset the password for the affected user account and enforce multi-factor authentication to enhance security.
+- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
+- Implement additional monitoring on the affected account and related privileged groups to detect any further suspicious activities."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
new file mode 100644
index 00000000000..2021fe615c4
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
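Review bot: The description's second sentence reads `The machine learning has flagged an abnormal rise ...`, which drops the noun; it should read `The machine learning job has flagged an abnormal rise ...`. The investigation guide also never tells the analyst which Windows Security events constitute a "group management event" — presumably the job counts the Security Group Management audit subcategory (member-added/removed events such as 4728, 4732 and 4756), but that should be confirmed against the job's datafeed and stated in the `### Investigating Spike in Group Management Events` paragraph so triage starts from the right event IDs. Those events carry the target group name and the subject/member SIDs, which identify exactly which privileged group was touched and by whom; an investigation bullet naming those fields would be more actionable than the current generic "examine recent changes to privileged groups".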
@@ -0,0 +1,104 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a surge in special logon events for a user, indicating potential privileged access activity.
+A sudden spike in these events could suggest an attacker or malicious insider gaining elevated access, possibly for lateral movement or privilege escalation.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_high_count_special_logon_events"
+name = "Spike in Special Logon Events"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "097ef0b8-fb21-4e45-ad89-d81666349c6a"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Spike in Special Logon Events
+
+Special logon events are crucial for tracking privileged access, often indicating administrative actions. Adversaries exploit these by gaining elevated access to perform unauthorized activities, such as lateral movement or privilege escalation. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential misuse and enabling timely investigation of suspicious privileged access activities.
+
+### Possible investigation steps
+
+- Review the user account associated with the spike in special logon events to determine if the account is expected to have privileged access.
+- Check the time and frequency of the special logon events to identify any unusual patterns or times that deviate from the user's normal behavior.
+- Investigate the source IP addresses and devices from which the special logon events originated to verify if they are known and trusted.
+- Examine recent changes or activities performed by the user account to identify any unauthorized or suspicious actions that may indicate privilege escalation or lateral movement.
+- Correlate the special logon events with other security alerts or logs, such as failed login attempts or changes in user permissions, to gather additional context and evidence of potential malicious activity.
+
+### False positive analysis
+
+- Regular administrative tasks by IT staff can trigger spikes in special logon events. To manage this, create exceptions for known administrative accounts that frequently perform legitimate privileged actions.
+- Scheduled automated processes or scripts that require elevated access may cause false positives. Identify these processes and exclude them from the detection rule to prevent unnecessary alerts.
+- Software updates or system maintenance activities often involve multiple privileged logons. Document these events and adjust the detection thresholds temporarily during known maintenance windows to reduce false positives.
+- Users with roles that inherently require frequent privileged access, such as system administrators or security personnel, may trigger alerts. Maintain a list of such roles and apply exclusions where appropriate to avoid constant alerts for expected behavior.
+
+### Response and remediation
+
+- Immediately isolate the affected user account to prevent further unauthorized access. Disable the account or change its credentials to stop any ongoing malicious activity.
+- Conduct a thorough review of recent activities associated with the affected account to identify any unauthorized changes or access to sensitive systems and data.
+- If lateral movement is suspected, isolate any systems accessed by the compromised account to prevent further spread of the threat.
+- Escalate the incident to the security operations center (SOC) or incident response team for a detailed investigation and to determine the full scope of the breach.
+- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to regain access.
+- Review and update access controls and permissions to ensure that only necessary privileges are granted, reducing the risk of privilege escalation.
+- Enhance detection capabilities by tuning existing monitoring tools to better identify similar spikes in special logon events, leveraging insights from the current incident."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
new file mode 100644
index 00000000000..a8bba788029
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
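Review bot: The guide explains "special logon" only abstractly and never names the underlying telemetry the analyst must pivot on; on Windows this is presumably Security event 4672 ("Special privileges assigned to new logon"), which should be confirmed against the job's datafeed and stated in the `### Investigating Spike in Special Logon Events` paragraph. That event records the list of privileges granted to the new logon session, which is the single most useful triage field, so an investigation bullet such as `- Review the privilege list recorded in the flagged special logon events; sessions granted debug, TCB or backup/restore rights warrant closer scrutiny than routine administrative logons.` would make the steps concrete. Note also that 4672 is emitted for every logon by an account holding any sensitive privilege, including built-in accounts such as SYSTEM, so the false-positive section should call out system and service accounts explicitly alongside scheduled processes.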
@@ -0,0 +1,106 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected an unusual increase in special privilege usage events, such as privileged operations and service calls, for a user, suggesting potential unauthorized privileged access.
+A sudden spike in these events may indicate an attempt to escalate privileges, execute unauthorized tasks, or maintain persistence within a system.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_high_count_special_privilege_use_events"
+name = "Spike in Special Privilege Use Events"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "6fb2280a-d91a-4e64-a97e-1332284d9391"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Spike in Special Privilege Use Events
+
+Machine learning models monitor special privilege use, identifying anomalies that suggest unauthorized access. Adversaries exploit these privileges to escalate access, execute unauthorized actions, or maintain system persistence. The detection rule leverages ML to spot unusual spikes in privileged operations, flagging potential misuse for further investigation.
+
+### Possible investigation steps
+
+- Review the user account associated with the spike in special privilege use events to determine if the activity aligns with their normal behavior or job role.
+- Examine the specific privileged operations and service calls that were flagged to identify any unusual or unauthorized actions.
+- Check for any recent changes in user permissions or group memberships that could explain the increase in privilege use.
+- Investigate any corresponding logs or alerts around the same timeframe to identify potential indicators of compromise or related suspicious activities.
+- Assess the system or application where the privilege escalation occurred for any signs of exploitation or unauthorized access attempts.
+- Correlate the detected spike with known threat intelligence or recent security advisories to determine if it matches any known attack patterns or vulnerabilities.
+
+### False positive analysis
+
+- Routine administrative tasks by IT personnel can trigger false positives. Regularly review and whitelist known administrative accounts to prevent unnecessary alerts.
+- Scheduled maintenance activities often involve elevated privileges. Document and exclude these activities from monitoring during known maintenance windows.
+- Automated scripts or services that require elevated privileges may cause spikes. Identify and exclude these scripts or services from the rule to reduce false positives.
+- Software updates or installations can lead to temporary spikes in privilege use. Coordinate with IT to recognize these events and adjust monitoring rules accordingly.
+- Frequent legitimate use of privileged operations by certain users or roles should be analyzed. Establish a baseline for these users and adjust the detection threshold to accommodate their normal activity levels.
+
+### Response and remediation
+
+- Immediately isolate the affected user account to prevent further unauthorized privileged operations. Disable the account or change its credentials to stop potential misuse.
+- Conduct a thorough review of recent privileged operations and service calls associated with the user account to identify any unauthorized actions or changes made during the spike.
+- Revoke any unnecessary privileges or access rights from the affected user account to minimize the risk of future exploitation.
+- Implement additional monitoring on the affected system and user account to detect any further suspicious activities or attempts to regain unauthorized access.
+- Escalate the incident to the security operations team for a deeper investigation into potential privilege escalation techniques used, referencing MITRE ATT&CK technique T1068.
+- Review and update access control policies and privilege management practices to ensure they align with the principle of least privilege, reducing the risk of similar incidents.
+- Conduct a post-incident analysis to identify any gaps in detection or response and enhance the machine learning model's ability to detect similar threats in the future."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
new file mode 100644
index 00000000000..a358595a204
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
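Review bot: As with the special-logon rule, the guide refers to "privileged operations and service calls" without naming the source events; these are presumably Security events 4673 ("A privileged service was called") and 4674 ("An operation was attempted on a privileged object") from the Privilege Use audit subcategories, which should be confirmed against the job's datafeed and stated in the `### Investigating Spike in Special Privilege Use Events` paragraph. Those events are only generated when Privilege Use auditing is enabled and are high-volume when it is, so the `#### Prerequisite Requirements:` list should say that this audit subcategory must be turned on for the job to receive any data, and the false-positive section should anticipate the resulting baseline noise. The second investigation bullet (`- Examine the specific privileged operations and service calls that were flagged ...`) would be more actionable if it named the fields to pivot on — the privilege name and the process that invoked it are both recorded in those events and together distinguish a routine backup agent from an unexpected process exercising a sensitive right.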
@@ -0,0 +1,106 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a spike in user account management events for a user, indicating potential privileged access activity.
+This indicates an unusual increase in actions related to managing user accounts (such as creating, modifying, or deleting accounts),
+which could be a sign of an attempt to escalate privileges or unauthorized activity involving account management.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_high_count_user_account_management_events"
+name = "Spike in User Account Management Events"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "37cca4d4-92ab-4a33-a4f8-44a7a380ccda"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Privileged Access Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Spike in User Account Management Events
+
+The detection rule leverages machine learning to identify unusual spikes in user account management activities, such as account creation or modification, which may indicate privilege escalation attempts. Adversaries exploit these activities to gain unauthorized access or elevate privileges. By analyzing patterns and deviations from normal behavior, the rule helps detect potential misuse, enabling timely intervention.
+
+### Possible investigation steps
+
+- Review the specific user account(s) involved in the spike to determine if the activity aligns with their typical behavior or role within the organization.
+- Examine the timestamps of the account management events to identify any patterns or anomalies, such as activity occurring outside of normal business hours.
+- Check for any recent changes in user permissions or roles that could explain the spike in account management events.
+- Investigate any associated IP addresses or devices used during the account management activities to determine if they are known and trusted within the organization.
+- Look for any correlated alerts or logs that might indicate concurrent suspicious activities, such as failed login attempts or access to sensitive resources.
+- Consult with the user or their manager to verify if the account management activities were authorized and legitimate.
+
+### False positive analysis
+
+- Routine administrative tasks can trigger spikes in user account management events. Regularly scheduled account audits or bulk updates by IT staff may appear as unusual activity. To manage this, create exceptions for known maintenance periods or specific administrative accounts.
+- Automated scripts or tools used for user provisioning and de-provisioning can cause false positives. Identify these scripts and exclude their activity from the rule to prevent unnecessary alerts.
+- Onboarding or offboarding processes that involve creating or deleting multiple user accounts in a short period can be mistaken for privilege escalation attempts. Document these processes and adjust the rule to recognize these patterns as normal behavior.
+- Changes in organizational structure, such as mergers or departmental shifts, may lead to increased account management activities. Update the rule to accommodate these changes by temporarily adjusting thresholds or excluding specific user groups during transition periods.
+
+### Response and remediation
+
+- Immediately isolate the affected user account to prevent further unauthorized access or privilege escalation. This can be done by disabling the account or changing its password.
+- Review recent account management activities for the affected user to identify any unauthorized changes or suspicious patterns. This includes checking for new account creations, modifications, or deletions.
+- Conduct a thorough audit of the affected system and network segment to identify any additional compromised accounts or systems. Look for signs of lateral movement or further exploitation attempts.
+- Revert any unauthorized changes made to user accounts or system configurations to their original state, ensuring that no backdoors or unauthorized access points remain.
+- Notify the security team and relevant stakeholders about the incident, providing them with details of the spike in user account management events and any identified malicious activities.
+- Implement additional monitoring and alerting for the affected user account and related systems to detect any further suspicious activities promptly.
+- Review and update access controls and user account management policies to prevent similar incidents in the future, ensuring that only authorized personnel have the necessary privileges."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
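Review bot: The threat mapping at the end of this hunk ties a spike in account creation, modification and deletion events to T1068 Exploitation for Privilege Escalation, a technique that covers exploiting a software vulnerability, which nothing in the description or the investigation guide describes. T1098 Account Manipulation (and T1136 Create Account for the creation case) matches the behaviour the rule actually models more closely and would steer responders toward the right playbook. The same T1068/TA0004 mapping recurs in the rare_group_name_by_user and rare_privilege_assigned_to_user hunks below, so whichever way it is resolved should be applied to all three. This file also ends without a trailing newline (`\ No newline at end of file`), unlike rare_device_by_user.toml in the same commit.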
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
new file mode 100644
index 00000000000..f225527379e
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Windows from an uncommon device, indicating potential privileged access activity.
+This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_rare_device_by_user"
+name = "Unusual Host Name for Windows Privileged Operations Detected"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "2bca4fcd-5228-4472-9071-148903a31057"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Privileged Access Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Host Name for Windows Privileged Operations Detected
+
+Machine learning models analyze patterns of privileged operations in Windows environments to identify anomalies, such as access from uncommon devices. Adversaries may exploit stolen credentials or unauthorized devices to escalate privileges. This detection rule flags such anomalies, indicating potential threats like compromised accounts or insider attacks, by assessing deviations from typical host usage patterns.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific user and host involved in the unusual privileged operation.
+- Check the historical login patterns for the user to determine if the host has been used previously or if this is a new occurrence.
+- Investigate the host's identity and location to assess if it aligns with the user's typical access patterns or if it appears suspicious.
+- Examine recent activity logs for the user and host to identify any other unusual or unauthorized actions that may indicate a broader compromise.
+- Verify if there are any known vulnerabilities or security incidents associated with the host that could have facilitated unauthorized access.
+- Contact the user to confirm whether they recognize the host and the privileged operations performed, ensuring to rule out legitimate use.
+
+### False positive analysis
+
+- Users accessing systems from new or temporary devices, such as during travel or remote work, may trigger false positives. Regularly update the list of approved devices for users who frequently change their access points.
+- IT administrators performing maintenance or updates from different machines can be mistaken for suspicious activity. Implement a process to log and approve such activities in advance to prevent unnecessary alerts.
+- Employees using virtual machines or remote desktop services might appear as accessing from uncommon devices. Ensure these environments are recognized and whitelisted if they are part of regular operations.
+- Changes in network infrastructure, such as new IP addresses or subnets, can lead to false positives. Keep the machine learning model updated with the latest network configurations to minimize these alerts.
+- Temporary use of shared devices in collaborative workspaces can trigger alerts. Establish a protocol for logging shared device usage to differentiate between legitimate and suspicious activities.
+
+### Response and remediation
+
+- Immediately isolate the affected device from the network to prevent further unauthorized access or lateral movement.
+- Revoke or reset the credentials of the compromised account to prevent further misuse and unauthorized access.
+- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or actions.
+- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
+- Implement additional monitoring on the affected account and device to detect any further suspicious activities.
+- Review and update access controls and permissions to ensure that only authorized devices and users can perform privileged operations.
+- Consider implementing multi-factor authentication (MFA) for privileged accounts to enhance security and prevent unauthorized access."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
new file mode 100644
index 00000000000..473ff3e6b91
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
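Review bot: The fourth false-positive bullet in the `note` string does not match what this rule keys on: the job is `pad_windows_rare_device_by_user` and the name is about an unusual host name, yet the bullet attributes alerts to "new IP addresses or subnets" and tells operators to keep "the machine learning model updated with the latest network configurations", an input the setup section never describes. A bullet grounded in the host-name dimension would serve triage better, e.g. `- Re-imaged or renamed machines and newly provisioned hosts can appear as uncommon devices for a user; allow the baseline to relearn after such changes or add exceptions for known provisioning activity.` The first response step, network isolation of the device, is also a heavy action for a `risk_score = 21` / `severity = "low"` rule whose own guidance lists travel, VDI and shared workspaces as benign causes; it would be safer to condition it on first confirming the activity with the user, as the last investigation step already suggests.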
@@ -0,0 +1,121 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a user accessing an uncommon group name for privileged operations, indicating potential privileged access activity.
+This indicates that a user has accessed a group name that is unusual for their typical operations, particularly for actions requiring elevated privileges.
+This could point to an attempt to manipulate group memberships or escalate privileges on a system.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_rare_group_name_by_user"
+name = "Unusual Group Name Accessed by a User"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Privileged Access Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Group Name Accessed by a User
+
+In IT environments, group names often define access levels and permissions. Adversaries may exploit this by accessing or altering uncommon group names to escalate privileges. The detection rule leverages machine learning to identify deviations from a user's typical access patterns, flagging unusual group name access as a potential indicator of privilege escalation attempts. This proactive approach helps in early detection of unauthorized access activities.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific user and the unusual group name accessed. Note the timestamp of the access for further context.
+- Check the user's historical access patterns to determine if this group name access is indeed anomalous compared to their typical behavior.
+- Investigate the permissions and roles associated with the unusual group name to assess the potential impact of the access.
+- Examine recent changes to the user's account, such as password resets or modifications to account settings, which might indicate account compromise.
+- Correlate this event with other security alerts or logs, such as login attempts from unusual locations or times, to identify potential indicators of compromise.
+- Contact the user or their manager to verify if the access was legitimate and authorized, documenting any explanations provided.
+- If unauthorized access is suspected, initiate a security incident response process to mitigate any potential threats and prevent further unauthorized access.
+
+### False positive analysis
+
+- Routine administrative tasks may trigger alerts if administrators access uncommon group names for legitimate system maintenance. To manage this, create exceptions for known administrative accounts performing regular tasks.
+- Automated scripts or services that require access to various group names for operational purposes might be flagged. Identify these scripts and whitelist their activities to prevent false positives.
+- Temporary project groups or newly created groups for specific tasks can appear unusual. Document and monitor these groups, and update the machine learning model to recognize them as non-threatening.
+- Cross-departmental collaborations may involve users accessing group names outside their usual scope. Establish a process to review and approve such access, and adjust the detection rule to accommodate these scenarios.
+- Changes in user roles or responsibilities can lead to access pattern deviations. Ensure that role changes are communicated to the security team to update access baselines accordingly.
+
+### Response and remediation
+
+- Immediately isolate the affected user account to prevent further unauthorized access or privilege escalation. This can be done by disabling the account or changing its password.
+- Review and audit the group membership changes associated with the unusual group name to identify any unauthorized modifications. Revert any unauthorized changes to restore the original group settings.
+- Conduct a thorough investigation of the user's recent activities to identify any other suspicious actions or access patterns that may indicate further compromise.
+- Notify the security team and relevant stakeholders about the potential privilege escalation attempt to ensure awareness and coordinated response efforts.
+- Implement additional monitoring on the affected user account and the unusual group name to detect any further unauthorized access attempts.
+- Review and update access control policies to ensure that only authorized users have access to sensitive group names and privileged operations.
+- Consider implementing additional security measures, such as multi-factor authentication, for accessing sensitive group names to prevent unauthorized access in the future."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
new file mode 100644
index 00000000000..11e41389235
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
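Review bot: The second `[[rule.threat]]` block at the end of this hunk maps T1069 Permission Groups Discovery under tactic TA0007 Discovery, but the `tags` list only carries `"Tactic: Privilege Escalation"`; the other rules in this commit tag the tactic they map, so the Discovery mapping should be reflected by adding `"Tactic: Discovery",` to `tags` so the rule is findable by that filter. The hunk also ends with a stray empty `+` line after the last `reference`, whereas the sibling files end directly on that line; pick one convention for the set. The T1068 mapping concern raised on the high_count_user_account_management_events hunk applies here as well, since the description speaks of group membership manipulation rather than vulnerability exploitation.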
@@ -0,0 +1,106 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations, indicating potential privileged access activity.
+This indicates that a user is performing operations requiring elevated privileges but is using a privilege type that is not typically seen in their baseline logs.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_rare_privilege_assigned_to_user"
+name = "Unusual Privilege Type assigned to a User"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "27569131-560e-441e-b556-0b9180af3332"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Privileged Access Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide"
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Privilege Type assigned to a User
+
+In modern IT environments, privilege management is crucial for maintaining security. Adversaries may exploit uncommon privilege types to perform unauthorized actions, bypassing standard detection. The detection rule leverages machine learning to identify deviations from normal privilege usage patterns, flagging potential privilege escalation attempts. By analyzing user behavior against established baselines, it helps detect and mitigate unauthorized access risks.
+
+### Possible investigation steps
+
+- Review the user's recent activity logs to identify any unusual or unauthorized actions associated with the uncommon privilege type.
+- Cross-reference the identified privilege type with the user's role and responsibilities to determine if the usage is justified or anomalous.
+- Check for any recent changes in the user's account settings or privilege assignments that could explain the deviation from the baseline.
+- Investigate any recent system or application changes that might have introduced new privilege types or altered existing ones.
+- Consult with the user's manager or relevant department to verify if there was a legitimate need for the unusual privilege type usage.
+- Analyze the timeline of events leading up to the alert to identify any potential indicators of compromise or privilege escalation attempts.
+
+### False positive analysis
+
+- Users with multiple roles may trigger false positives if they occasionally use privileges associated with less common roles. Regularly review and update role-based access controls to ensure they reflect current responsibilities.
+- Temporary project assignments can lead to unusual privilege usage. Implement a process to document and approve temporary privilege changes, and exclude these documented cases from triggering alerts.
+- System administrators or IT staff might use uncommon privileges during maintenance or troubleshooting. Establish a whitelist for known maintenance activities and exclude these from the detection rule.
+- Automated scripts or applications that require elevated privileges might be flagged. Ensure these scripts are registered and their privilege usage is documented, then exclude them from the rule.
+- New employees or contractors may initially use privileges that seem unusual. Monitor their activity closely during the onboarding period and adjust baselines as their normal usage patterns become clear.
+
+### Response and remediation
+
+- Immediately isolate the affected user account to prevent further unauthorized access or privilege escalation. This can be done by disabling the account or changing its credentials.
+- Review and revoke any unusual or unnecessary privileges assigned to the user account to ensure it aligns with their normal operational requirements.
+- Conduct a thorough audit of recent activities performed by the user account to identify any unauthorized actions or data access that may have occurred.
+- Notify the security operations team and relevant stakeholders about the incident for further investigation and to ensure coordinated response efforts.
+- Implement additional monitoring on the affected user account and similar accounts to detect any further suspicious activities or privilege misuse.
+- Update and reinforce access control policies to prevent similar privilege escalation attempts, ensuring that privilege assignments are regularly reviewed and validated.
+- Document the incident details, response actions taken, and lessons learned to improve future incident response and privilege management processes."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
new file mode 100644
index 00000000000..635df869726
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
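Review bot: The rule `name` reads "Unusual Privilege Type assigned to a User" with a lowercase "assigned", while every other name in this commit is title-cased ("Unusual Group Name Accessed by a User", "Unusual Host Name for Windows Privileged Operations Detected"); change it to `name = "Unusual Privilege Type Assigned to a User"` and the matching "### Investigating ..." heading in `note`. The name speaks of a privilege being assigned, but the description and investigation guide describe a user using an uncommon privilege type for privileged operations; the job id alone does not tell me which event the ML job models, so one of the two wordings should be corrected to match it. This file also lacks a trailing newline (`\ No newline at end of file`).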
@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Windows from an uncommon geographical location, indicating potential privileged access activity.
+This could suggest a compromised account, unauthorized access, or an attacker using stolen credentials to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_rare_region_name_by_user"
+name = "Unusual Region Name for Windows Privileged Operations Detected"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "d2703b82-f92c-4489-a4a7-62aa29a62542"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" +] +type = "machine_learning" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Region Name for Windows Privileged Operations Detected + +The detection leverages machine learning to identify privileged operations from atypical geographic locations, which may indicate compromised accounts or unauthorized access. Adversaries exploit this by using stolen credentials to perform privilege escalation. The rule flags such anomalies, aiding in early detection of potential security breaches. + +### Possible investigation steps + +- Review the alert details to identify the user account involved and the specific geographic location flagged as unusual. 
+- Check the user's recent login history and patterns to determine if the location is indeed uncommon for this user. +- Investigate any recent changes to the user's account, such as password resets or modifications to account permissions, that could indicate compromise. +- Correlate the alert with other security events or logs, such as VPN connections or remote access logs, to identify any unauthorized access attempts. +- Contact the user to verify if they were traveling or using a legitimate remote access method from the flagged location. +- Assess the risk by determining if the privileged operations performed align with the user's role and responsibilities within the organization. + +### False positive analysis + +- Users traveling for business or personal reasons may trigger alerts when accessing systems from uncommon locations. To manage this, create exceptions for known travel patterns or use a VPN to simulate access from a common location. +- Remote employees or contractors working from different regions might cause false positives. Regularly update the list of approved remote work locations to prevent unnecessary alerts. +- Use of cloud services or VPNs that route traffic through different geographic locations can lead to false positives. Implement a whitelist for known IP addresses associated with these services. +- Scheduled maintenance or administrative tasks performed by IT staff from different locations can be mistaken for unauthorized access. Document and schedule these activities to avoid triggering alerts. +- Employees using personal devices with location services disabled may appear to be accessing from unusual regions. Encourage the use of company-approved devices with location tracking enabled to ensure accurate detection. + +### Response and remediation + +- Immediately isolate the affected user account to prevent further unauthorized access. Disable the account temporarily until the investigation is complete. 
+- Review recent login activity and privileged operations performed by the affected account to identify any unauthorized changes or actions.
+- Reset the password for the compromised account and enforce multi-factor authentication (MFA) to enhance security.
+- Conduct a thorough review of the affected system and network for any signs of additional compromise or lateral movement by the attacker.
+- Notify the security team and relevant stakeholders about the incident for awareness and further action if needed.
+- Restore any unauthorized changes made during the incident from backups or logs, ensuring system integrity is maintained.
+- Update security policies and access controls to prevent similar incidents, focusing on restricting privileged operations from uncommon geographic locations."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
new file mode 100644
index 00000000000..6f4313e1d35
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
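Review bot: The false-positive guidance inside this rule's `note` string tells travelling users to `use a VPN to simulate access from a common location`, which instructs operators to mask the very signal the `pad_windows_rare_region_name_by_user` job scores on and would blind the detection rather than tune it. Suggest rewording that bullet to `- Users traveling for business or personal reasons may trigger alerts when accessing systems from uncommon locations. To manage this, create exceptions for documented travel or route remote administration through corporate VPN egress so the observed region stays consistent.` The last bullet of the same section attributes the region to device location services; the region presumably comes from geolocating the source address of the event rather than from the device, so that bullet looks misdirected and could be dropped or rewritten to refer to the source network.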
@@ -0,0 +1,100 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Windows from an uncommon source IP, indicating potential privileged access activity.
+This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_rare_source_ip_by_user"
+name = "Unusual Source IP for Windows Privileged Operations Detected"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "08be5599-3719-4bbd-8cbc-7e9cff556881"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide" +] +type = "machine_learning" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Source IP for Windows Privileged Operations Detected + +Machine learning models analyze network patterns to identify anomalies, such as privileged operations from uncommon IPs. Adversaries may exploit this by using compromised accounts or new network locations to escalate privileges. This detection rule leverages ML to flag such deviations, indicating potential misuse or compromise, aiding in early threat identification and response. 
+ +### Possible investigation steps + +- Review the source IP address flagged by the alert to determine if it is associated with known or trusted locations, such as corporate offices or VPN endpoints. +- Check the user account involved in the alert for any recent changes or unusual activity, such as password resets, privilege changes, or login attempts from other uncommon locations. +- Analyze the timeline of the privileged operations performed to identify any patterns or sequences that may indicate malicious intent or unauthorized access. +- Correlate the alert with other security events or logs, such as firewall logs, VPN logs, or endpoint security alerts, to gather additional context about the source IP and user activity. +- Investigate any recent changes in network configurations or access policies that might explain the unusual source IP, such as new VPN configurations or changes in IP address allocations. + +### False positive analysis + +- Employees working remotely or traveling may trigger alerts due to accessing systems from new IP addresses. Regularly update the list of known IP addresses for remote workers to reduce false positives. +- Use of VPNs or proxy services can result in unusual IP addresses being flagged. Maintain a whitelist of IP addresses associated with approved VPN or proxy services. +- Scheduled maintenance or administrative tasks performed by IT staff from different network locations might be misidentified. Document and exclude these known activities from triggering alerts. +- Cloud service providers often use dynamic IP ranges that can appear unusual. Identify and whitelist IP ranges associated with trusted cloud services to prevent unnecessary alerts. +- Implement a review process for flagged events to quickly identify and dismiss benign activities, ensuring that only genuine threats are escalated for further investigation. 
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
+- Verify the legitimacy of the source IP by cross-referencing with known IP addresses and geolocations associated with the user. If the IP is confirmed to be malicious, block it at the firewall and update threat intelligence feeds.
+- Reset the credentials of the compromised account and enforce a password change for all accounts with similar access levels to prevent further unauthorized access.
+- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or data access, and revert any malicious modifications.
+- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or accounts have been compromised.
+- Implement additional monitoring on the affected system and user account to detect any further suspicious activity, leveraging enhanced logging and alerting mechanisms.
+- Review and update access controls and privilege management policies to ensure that only necessary privileges are granted, reducing the risk of privilege escalation in the future."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
index d8058762e9d..24db21c141b 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
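Review bot: The false-positive section of this rule's `note` string recommends whitelisting `IP ranges associated with trusted cloud services`, which for a rule keyed on user and source IP means excluding whole provider ranges that any tenant, including an attacker, can source traffic from, and so opens a blind spot exactly where the `pad_windows_rare_source_ip_by_user` job is meant to look. Suggest narrowing that bullet to the organization's own allocations: `- Cloud service providers often use dynamic IP ranges that can appear unusual. Scope any exclusion to the egress addresses the organization actually owns or has reserved, never to a provider's whole published range.` The same concern applies, more mildly, to the VPN/proxy bullet above it, where the whitelist should be limited to the organization's own VPN or proxy egress points.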
@@ -2,9 +2,7 @@
 creation_date = "2023/09/19"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 75
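Review bot: Dropping `min_stack_version = "8.14.0"` together with its `min_stack_comments` line leaves this rule with no stated stack floor, which is only safe if the repository's lowest supported stack is now at or above 8.14.0; nothing in the hunk records that assumption, so it is worth stating in the PR description or keeping the pin. The same removal is made in the metadata hunks of `defense_evasion_ml_rare_process_for_a_parent_process.toml` and `defense_evasion_ml_rare_process_for_a_user.toml`, and the same remark applies there.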
@@ -20,6 +18,40 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_host" name = "Unusual Process Spawned by a Host" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Process Spawned by a Host + +The detection rule leverages machine learning to identify atypical processes on Windows systems, focusing on those that deviate from normal behavior. Adversaries often exploit legitimate system tools, known as LOLbins, to evade detection. This rule uses the ProblemChild ML model to flag processes that are both statistically unusual and potentially malicious, enhancing detection of stealthy attacks that bypass traditional methods. + +### Possible investigation steps + +- Review the process details flagged by the ProblemChild ML model, including the process name, path, and command line arguments, to understand its nature and potential purpose. +- Check the parent process of the flagged process to determine if it was spawned by a legitimate application or a known LOLbin, which might indicate a Living off the Land attack. +- Investigate the host's historical activity to assess whether this process or similar ones have been executed previously, focusing on any patterns of unusual behavior. +- Correlate the process activity with user logins and network connections to identify any suspicious user behavior or external communications that coincide with the process execution. +- Examine the system's security logs for any related alerts or anomalies around the time the process was detected, which might provide additional context or evidence of malicious activity. 
+ +### False positive analysis + +- Routine administrative tasks may trigger false positives if they involve unusual processes or tools not commonly used on the host. Users can create exceptions for these known tasks to prevent unnecessary alerts. +- Software updates or installations can spawn processes that are atypical but benign. Identifying and excluding these processes during known maintenance windows can reduce false positives. +- Custom scripts or automation tools that mimic LOLbins behavior might be flagged. Users should document and whitelist these scripts if they are verified as safe and necessary for operations. +- Legitimate third-party applications that use system binaries in uncommon ways may be misclassified. Regularly review and update the list of approved applications to ensure they are not mistakenly flagged. +- Temporary spikes in unusual processes due to legitimate business activities, such as end-of-quarter reporting, can be managed by adjusting the detection thresholds or temporarily disabling the rule during these periods. + +### Response and remediation + +- Isolate the affected host from the network to prevent further spread or communication with potential command and control servers. +- Terminate the suspicious process identified by the ProblemChild ML model to halt any ongoing malicious activity. +- Conduct a thorough review of the process's parent and child processes to identify any additional malicious activity or persistence mechanisms. +- Remove any identified LOLbins or unauthorized tools used by the adversary from the system to prevent further exploitation. +- Restore the affected system from a known good backup if any system integrity issues are detected. +- Update endpoint protection and monitoring tools to ensure they can detect similar threats in the future, focusing on the specific techniques used in this incident. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 "https://docs.elastic.co/en/integrations/problemchild",
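Review bot: The remediation bullet `- Remove any identified LOLbins or unauthorized tools used by the adversary from the system to prevent further exploitation.` in the added `note` string tells responders to delete signed operating-system binaries, which breaks the host and is not a step an incident responder should take. Suggest `- Remove any unauthorized tools or artifacts dropped by the adversary, and restrict abuse of the identified LOLbins through application control or execution policies rather than deleting them.` The guide text appears to be moved unchanged from later in the file, so the wording carries over from the previous version rather than being new to this commit.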
@@ -58,40 +90,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Process Spawned by a Host - -The detection rule leverages machine learning to identify atypical processes on Windows systems, focusing on those that deviate from normal behavior. Adversaries often exploit legitimate system tools, known as LOLbins, to evade detection. This rule uses the ProblemChild ML model to flag processes that are both statistically unusual and potentially malicious, enhancing detection of stealthy attacks that bypass traditional methods. - -### Possible investigation steps - -- Review the process details flagged by the ProblemChild ML model, including the process name, path, and command line arguments, to understand its nature and potential purpose. -- Check the parent process of the flagged process to determine if it was spawned by a legitimate application or a known LOLbin, which might indicate a Living off the Land attack. -- Investigate the host's historical activity to assess whether this process or similar ones have been executed previously, focusing on any patterns of unusual behavior. -- Correlate the process activity with user logins and network connections to identify any suspicious user behavior or external communications that coincide with the process execution. -- Examine the system's security logs for any related alerts or anomalies around the time the process was detected, which might provide additional context or evidence of malicious activity. 
- -### False positive analysis - -- Routine administrative tasks may trigger false positives if they involve unusual processes or tools not commonly used on the host. Users can create exceptions for these known tasks to prevent unnecessary alerts. -- Software updates or installations can spawn processes that are atypical but benign. Identifying and excluding these processes during known maintenance windows can reduce false positives. -- Custom scripts or automation tools that mimic LOLbins behavior might be flagged. Users should document and whitelist these scripts if they are verified as safe and necessary for operations. -- Legitimate third-party applications that use system binaries in uncommon ways may be misclassified. Regularly review and update the list of approved applications to ensure they are not mistakenly flagged. -- Temporary spikes in unusual processes due to legitimate business activities, such as end-of-quarter reporting, can be managed by adjusting the detection thresholds or temporarily disabling the rule during these periods. - -### Response and remediation - -- Isolate the affected host from the network to prevent further spread or communication with potential command and control servers. -- Terminate the suspicious process identified by the ProblemChild ML model to halt any ongoing malicious activity. -- Conduct a thorough review of the process's parent and child processes to identify any additional malicious activity or persistence mechanisms. -- Remove any identified LOLbins or unauthorized tools used by the adversary from the system to prevent further exploitation. -- Restore the affected system from a known good backup if any system integrity issues are detected. -- Update endpoint protection and monitoring tools to ensure they can detect similar threats in the future, focusing on the specific techniques used in this incident. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
index 7383e362ef0..abb8bb47e03 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 75
@@ -20,6 +18,42 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_parent" name = "Unusual Process Spawned by a Parent Process" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Process Spawned by a Parent Process + +In Windows environments, processes are often spawned by parent processes to perform legitimate tasks. However, adversaries can exploit this by using legitimate tools, known as LOLbins, to execute malicious activities stealthily. The detection rule leverages machine learning to identify anomalies in process creation patterns, flagging processes that deviate from typical behavior, thus uncovering potential threats that evade traditional detection methods. + +### Possible investigation steps + +- Review the parent process and child process names to determine if they are known legitimate applications or if they are commonly associated with LOLbins or other malicious activities. +- Check the process creation time and correlate it with any known user activity or scheduled tasks to identify if the process execution aligns with expected behavior. +- Investigate the command line arguments used by the suspicious process to identify any unusual or potentially malicious commands or scripts being executed. +- Analyze the network activity associated with the process to detect any suspicious outbound connections or data exfiltration attempts. +- Examine the file path and hash of the executable to verify its legitimacy and check against known malware databases or threat intelligence sources. 
+- Review any recent changes to the system, such as software installations or updates, that might explain the unusual process behavior. +- Consult endpoint detection and response (EDR) logs or other security tools to gather additional context and evidence related to the process and its activities. + +### False positive analysis + +- Legitimate administrative tools like PowerShell or command prompt may be flagged when used for routine tasks. Users can create exceptions for these tools when executed by known and trusted parent processes. +- Software updates or installations often spawn processes that might appear unusual. Exclude these processes by identifying their typical parent-child relationships during updates. +- Custom scripts or automation tools used within the organization might trigger alerts. Document these scripts and their expected behavior to create exceptions for them. +- Frequent use of remote management tools can lead to false positives. Ensure these tools are whitelisted when used by authorized personnel. +- Regularly review and update the list of exceptions to accommodate changes in legitimate process behaviors over time. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity. +- Terminate the suspicious process identified by the alert to stop any ongoing malicious actions. +- Conduct a thorough analysis of the process and its parent to understand the scope of the compromise and identify any additional malicious activities or files. +- Remove any malicious files or artifacts associated with the process from the system to ensure complete remediation. +- Restore the system from a known good backup if the integrity of the system is compromised beyond repair. +- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 "https://docs.elastic.co/en/integrations/problemchild",
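Review bot: The first false-positive bullet in the added `note` string suggests creating `exceptions for these tools when executed by known and trusted parent processes` for PowerShell and the command prompt, but a trusted-parent exception for exactly those LOLbins is the pattern the `problem_child_rare_process_by_parent` job is built to surface, so a broad exception there would hollow out the rule. Suggest qualifying the sentence: `Users can create exceptions for these tools, scoped to the specific parent process, command line and user observed in the alert rather than to the tool alone.` The guide appears to be a move of the `note` block from after `type` to after `name`, so the wording predates this commit.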
@@ -58,42 +92,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Process Spawned by a Parent Process - -In Windows environments, processes are often spawned by parent processes to perform legitimate tasks. However, adversaries can exploit this by using legitimate tools, known as LOLbins, to execute malicious activities stealthily. The detection rule leverages machine learning to identify anomalies in process creation patterns, flagging processes that deviate from typical behavior, thus uncovering potential threats that evade traditional detection methods. - -### Possible investigation steps - -- Review the parent process and child process names to determine if they are known legitimate applications or if they are commonly associated with LOLbins or other malicious activities. -- Check the process creation time and correlate it with any known user activity or scheduled tasks to identify if the process execution aligns with expected behavior. -- Investigate the command line arguments used by the suspicious process to identify any unusual or potentially malicious commands or scripts being executed. -- Analyze the network activity associated with the process to detect any suspicious outbound connections or data exfiltration attempts. -- Examine the file path and hash of the executable to verify its legitimacy and check against known malware databases or threat intelligence sources. -- Review any recent changes to the system, such as software installations or updates, that might explain the unusual process behavior. 
-- Consult endpoint detection and response (EDR) logs or other security tools to gather additional context and evidence related to the process and its activities. - -### False positive analysis - -- Legitimate administrative tools like PowerShell or command prompt may be flagged when used for routine tasks. Users can create exceptions for these tools when executed by known and trusted parent processes. -- Software updates or installations often spawn processes that might appear unusual. Exclude these processes by identifying their typical parent-child relationships during updates. -- Custom scripts or automation tools used within the organization might trigger alerts. Document these scripts and their expected behavior to create exceptions for them. -- Frequent use of remote management tools can lead to false positives. Ensure these tools are whitelisted when used by authorized personnel. -- Regularly review and update the list of exceptions to accommodate changes in legitimate process behaviors over time. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity. -- Terminate the suspicious process identified by the alert to stop any ongoing malicious actions. -- Conduct a thorough analysis of the process and its parent to understand the scope of the compromise and identify any additional malicious activities or files. -- Remove any malicious files or artifacts associated with the process from the system to ensure complete remediation. -- Restore the system from a known good backup if the integrity of the system is compromised beyond repair. -- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
index ef3e3edf818..513d1a8b875 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 75
@@ -21,6 +19,41 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_user" name = "Unusual Process Spawned by a User" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Process Spawned by a User + +The detection of unusual processes spawned by users leverages machine learning to identify anomalies in user behavior and process execution. Adversaries often exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag processes that deviate from typical user activity, indicating potential misuse or masquerading tactics. + +### Possible investigation steps + +- Review the user context associated with the alert to determine if the user has a history of spawning unusual processes or if this is an isolated incident. +- Examine the specific process flagged by the alert, including its command line arguments, parent process, and any associated network activity, to identify potential indicators of compromise. +- Check for the presence of known LOLbins or other legitimate tools that may have been exploited, as indicated by the alert's focus on defense evasion tactics. +- Investigate any recent changes in the user's behavior or system configuration that could explain the anomaly, such as software updates or new application installations. +- Correlate the alert with other security events or logs from the same timeframe to identify any related suspicious activities or patterns. 
+- Assess the risk score and severity level in the context of the organization's threat landscape to prioritize the response and determine if further action is needed. + +### False positive analysis + +- Legitimate administrative tools may trigger false positives if they are used in atypical contexts. Users should review the context of the process execution and, if deemed safe, add these tools to an exception list to prevent future alerts. +- Scheduled tasks or scripts that run infrequently might be flagged as unusual. Verify the legitimacy of these tasks and consider excluding them if they are part of regular maintenance or updates. +- Software updates or installations can spawn processes that appear anomalous. Confirm the source and purpose of these updates, and if they are routine, create exceptions for these specific processes. +- Developers or IT personnel using command-line tools for legitimate purposes may trigger alerts. Evaluate the necessity of these tools in their workflow and whitelist them if they are consistently used in a non-malicious manner. +- New or infrequently used applications might be flagged due to lack of historical data. Assess the application's legitimacy and, if appropriate, add it to a list of known safe applications to reduce false positives. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Terminate the suspicious process identified by the alert to halt any ongoing malicious activity. +- Conduct a thorough review of the user's recent activity and access logs to identify any unauthorized actions or data access. +- Reset the credentials of the affected user account to prevent further unauthorized access, ensuring that strong, unique passwords are used. +- Scan the system for additional indicators of compromise, such as other unusual processes or modifications to system files, and remove any identified threats. 
+- Restore the system from a known good backup if any critical system files or configurations have been altered. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", 
@@ -59,41 +92,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Process Spawned by a User - -The detection of unusual processes spawned by users leverages machine learning to identify anomalies in user behavior and process execution. Adversaries often exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag processes that deviate from typical user activity, indicating potential misuse or masquerading tactics. - -### Possible investigation steps - -- Review the user context associated with the alert to determine if the user has a history of spawning unusual processes or if this is an isolated incident. -- Examine the specific process flagged by the alert, including its command line arguments, parent process, and any associated network activity, to identify potential indicators of compromise. -- Check for the presence of known LOLbins or other legitimate tools that may have been exploited, as indicated by the alert's focus on defense evasion tactics. -- Investigate any recent changes in the user's behavior or system configuration that could explain the anomaly, such as software updates or new application installations. -- Correlate the alert with other security events or logs from the same timeframe to identify any related suspicious activities or patterns. -- Assess the risk score and severity level in the context of the organization's threat landscape to prioritize the response and determine if further action is needed. 
- -### False positive analysis - -- Legitimate administrative tools may trigger false positives if they are used in atypical contexts. Users should review the context of the process execution and, if deemed safe, add these tools to an exception list to prevent future alerts. -- Scheduled tasks or scripts that run infrequently might be flagged as unusual. Verify the legitimacy of these tasks and consider excluding them if they are part of regular maintenance or updates. -- Software updates or installations can spawn processes that appear anomalous. Confirm the source and purpose of these updates, and if they are routine, create exceptions for these specific processes. -- Developers or IT personnel using command-line tools for legitimate purposes may trigger alerts. Evaluate the necessity of these tools in their workflow and whitelist them if they are consistently used in a non-malicious manner. -- New or infrequently used applications might be flagged due to lack of historical data. Assess the application's legitimacy and, if appropriate, add it to a list of known safe applications to reduce false positives. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Terminate the suspicious process identified by the alert to halt any ongoing malicious activity. -- Conduct a thorough review of the user's recent activity and access logs to identify any unauthorized actions or data access. -- Reset the credentials of the affected user account to prevent further unauthorized access, ensuring that strong, unique passwords are used. -- Scan the system for additional indicators of compromise, such as other unusual processes or modifications to system files, and remove any identified threats. -- Restore the system from a known good backup if any critical system files or configurations have been altered. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
index 2b88dcc0cbc..570668585b7 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,41 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score + +The detection leverages a machine learning model, ProblemChild, to identify potentially malicious Windows processes by analyzing patterns and assigning a high probability score to suspicious activities. Adversaries may exploit legitimate processes to evade detection, often using techniques like masquerading. This rule flags high-risk events by focusing on processes with a high malicious probability score or those identified by a blocklist, excluding known benign activities. + +### Possible investigation steps + +- Review the process details flagged by the ProblemChild model, focusing on those with a prediction probability greater than 0.98 or identified by the blocklist. +- Examine the command-line arguments of the suspicious process to identify any unusual or unexpected patterns, excluding those matching known benign patterns like "*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*" or "*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*". +- Check the parent process of the flagged event to determine if it is a legitimate process or if it has been potentially compromised. +- Investigate the user account associated with the process to assess if it has been involved in any other suspicious activities or if it has elevated privileges that could be exploited. 
+- Correlate the event with other security alerts or logs to identify any related activities or patterns that could indicate a broader attack campaign. +- Consult threat intelligence sources to determine if the process or its associated indicators are linked to known malicious activities or threat actors. + +### False positive analysis + +- Nessus scan files in the Windows temp directory may trigger false positives due to their temporary nature and frequent legitimate use. Users can mitigate this by adding exceptions for file paths like C:\\WINDOWS\\temp\\nessus_*.txt and C:\\WINDOWS\\temp\\nessus_*.tmp. +- Legitimate software updates or installations might be flagged if they mimic known malicious patterns. Users should review the process details and whitelist trusted software update processes. +- System administration tools that perform actions similar to those used in attacks could be misidentified. Users should verify the legitimacy of these tools and exclude them from the rule if they are part of regular administrative tasks. +- Custom scripts or automation tools that are not widely recognized might be flagged. Users should ensure these scripts are secure and add them to an allowlist if they are part of routine operations. +- Frequent false positives from specific processes can be managed by adjusting the threshold of the machine learning model or refining the blocklist to better distinguish between benign and malicious activities. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of potential malicious activity. +- Terminate the suspicious process identified by the ProblemChild model to halt any ongoing malicious actions. +- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats. 
+- Review and analyze the process execution history and associated files to understand the scope of the compromise and identify any persistence mechanisms. +- Restore any altered or deleted files from backups, ensuring that the backup is clean and free from malware. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for similar processes and activities to detect and respond to future attempts at masquerading or defense evasion.""" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", 
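Review bot: The false-positive item ending in `adjusting the threshold of the machine learning model` points the analyst at the wrong knob: for this rule the 0.98 cutoff is a condition in the EQL query (`problemchild.prediction_probability > 0.98`, visible in the next hunk), not a model parameter, so tuning means changing that query condition in a copy of the rule or adding a rule exception. Suggested wording: `- Frequent false positives from specific processes can be managed by raising the prediction_probability cutoff in the rule query (currently 0.98), refining the blocklist, or adding a rule exception for the specific process and command line.` Separately, the investigation step writes the Nessus patterns as `"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*"` while the false-positive item writes `C:\\WINDOWS\\temp\\nessus_*.txt`; since the note is a TOML basic string, those appear to render with doubled and single backslashes respectively, so one form should be chosen for consistency.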
@@ -64,41 +97,6 @@ query = ''' process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score - -The detection leverages a machine learning model, ProblemChild, to identify potentially malicious Windows processes by analyzing patterns and assigning a high probability score to suspicious activities. Adversaries may exploit legitimate processes to evade detection, often using techniques like masquerading. This rule flags high-risk events by focusing on processes with a high malicious probability score or those identified by a blocklist, excluding known benign activities. - -### Possible investigation steps - -- Review the process details flagged by the ProblemChild model, focusing on those with a prediction probability greater than 0.98 or identified by the blocklist. -- Examine the command-line arguments of the suspicious process to identify any unusual or unexpected patterns, excluding those matching known benign patterns like "*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*" or "*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*". -- Check the parent process of the flagged event to determine if it is a legitimate process or if it has been potentially compromised. -- Investigate the user account associated with the process to assess if it has been involved in any other suspicious activities or if it has elevated privileges that could be exploited. 
-- Correlate the event with other security alerts or logs to identify any related activities or patterns that could indicate a broader attack campaign. -- Consult threat intelligence sources to determine if the process or its associated indicators are linked to known malicious activities or threat actors. - -### False positive analysis - -- Nessus scan files in the Windows temp directory may trigger false positives due to their temporary nature and frequent legitimate use. Users can mitigate this by adding exceptions for file paths like C:\\WINDOWS\\temp\\nessus_*.txt and C:\\WINDOWS\\temp\\nessus_*.tmp. -- Legitimate software updates or installations might be flagged if they mimic known malicious patterns. Users should review the process details and whitelist trusted software update processes. -- System administration tools that perform actions similar to those used in attacks could be misidentified. Users should verify the legitimacy of these tools and exclude them from the rule if they are part of regular administrative tasks. -- Custom scripts or automation tools that are not widely recognized might be flagged. Users should ensure these scripts are secure and add them to an allowlist if they are part of routine operations. -- Frequent false positives from specific processes can be managed by adjusting the threshold of the machine learning model or refining the blocklist to better distinguish between benign and malicious activities. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of potential malicious activity. -- Terminate the suspicious process identified by the ProblemChild model to halt any ongoing malicious actions. -- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats. 
-- Review and analyze the process execution history and associated files to understand the scope of the compromise and identify any persistence mechanisms. -- Restore any altered or deleted files from backups, ensuring that the backup is clean and free from malware. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring and logging for similar processes and activities to detect and respond to future attempts at masquerading or defense evasion.""" [[rule.threat]] diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml index 047992ae1be..22b4da6597d 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml 
@@ -2,26 +2,59 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
-scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
-were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
-processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be
-unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
-involving LOLbins, that may be resistant to detection using conventional search rules.
+A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit
+unusually high malicious probability scores.These process(es) have been classified as malicious in several ways. The
+process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of
+suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated
+to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity,
+possibly involving LOLbins, that may be resistant to detection using conventional search rules.
""" from = "now-45m" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_host" -name = "Suspicious Windows Process Cluster Spawned by a Host" +name = "Host Detected with Suspicious Windows Process(es)" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Host Detected with Suspicious Windows Process(es) + +The detection leverages machine learning to identify clusters of Windows processes with high malicious probability scores. Adversaries exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion. + +### Possible investigation steps + +- Review the host name associated with the suspicious process cluster to determine if it is a critical asset or has a history of similar alerts. +- Examine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins or unusual command-line arguments that may indicate masquerading. +- Check the timeline of the process execution to see if it coincides with any known scheduled tasks or user activity that could explain the anomaly. +- Investigate the parent-child relationship of the processes to identify any unexpected or unauthorized process spawning patterns. +- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activity. 
+- Assess the network activity associated with the host during the time of the alert to detect any potential data exfiltration or communication with known malicious IP addresses. + +### False positive analysis + +- Legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) may be flagged as suspicious due to their dual-use nature. Users can create exceptions for these tools when used by trusted administrators or during scheduled maintenance. +- Automated scripts or scheduled tasks that perform routine system checks or updates might trigger alerts. Review these processes and whitelist them if they are verified as part of regular operations. +- Software updates or installations that involve multiple processes spawning in a short time frame can be mistaken for malicious clusters. Ensure that these activities are documented and create exceptions for known update processes. +- Development or testing environments where new or experimental software is frequently executed may generate false positives. Consider excluding these environments from monitoring or adjusting the sensitivity of the rule for these specific hosts. +- Frequent use of remote desktop or remote management tools by IT staff can appear suspicious. Implement user-based exceptions for known IT personnel to reduce unnecessary alerts. + +### Response and remediation + +- Isolate the affected host immediately to prevent further spread of potential malicious activity. Disconnect it from the network to contain the threat. +- Terminate the suspicious processes identified by the alert. Use task management tools or scripts to ensure all instances of the processes are stopped. +- Conduct a thorough review of the host's system logs and process history to identify any additional indicators of compromise or related malicious activity. +- Restore the host from a known good backup if available, ensuring that the backup is free from any signs of compromise. 
+- Update and patch the host's operating system and all installed software to close any vulnerabilities that may have been exploited. +- Implement application whitelisting to prevent unauthorized or suspicious processes from executing in the future. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional hosts are affected.""" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", 
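Review bot: The rewritten description has lost the space after its first sentence: `unusually high malicious probability scores.These process(es) have been classified as malicious in several ways. The` should read `unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The` (the sibling parent-process rule's description in this diff has the space). Since `name` also changes here to "Host Detected with Suspicious Windows Process(es)", anything keyed on the old name, such as saved searches or external documentation, would need updating; rule_id is outside this hunk and presumably unchanged, so rule matching itself should be unaffected. The note heading was updated to match the new name, which is good.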
@@ -58,41 +91,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Windows Process Cluster Spawned by a Host - -The detection leverages machine learning to identify clusters of Windows processes with high malicious probability scores. Adversaries exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion. - -### Possible investigation steps - -- Review the host name associated with the suspicious process cluster to determine if it is a critical asset or has a history of similar alerts. -- Examine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins or unusual command-line arguments that may indicate masquerading. -- Check the timeline of the process execution to see if it coincides with any known scheduled tasks or user activity that could explain the anomaly. -- Investigate the parent-child relationship of the processes to identify any unexpected or unauthorized process spawning patterns. -- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activity. -- Assess the network activity associated with the host during the time of the alert to detect any potential data exfiltration or communication with known malicious IP addresses. 
- -### False positive analysis - -- Legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) may be flagged as suspicious due to their dual-use nature. Users can create exceptions for these tools when used by trusted administrators or during scheduled maintenance. -- Automated scripts or scheduled tasks that perform routine system checks or updates might trigger alerts. Review these processes and whitelist them if they are verified as part of regular operations. -- Software updates or installations that involve multiple processes spawning in a short time frame can be mistaken for malicious clusters. Ensure that these activities are documented and create exceptions for known update processes. -- Development or testing environments where new or experimental software is frequently executed may generate false positives. Consider excluding these environments from monitoring or adjusting the sensitivity of the rule for these specific hosts. -- Frequent use of remote desktop or remote management tools by IT staff can appear suspicious. Implement user-based exceptions for known IT personnel to reduce unnecessary alerts. - -### Response and remediation - -- Isolate the affected host immediately to prevent further spread of potential malicious activity. Disconnect it from the network to contain the threat. -- Terminate the suspicious processes identified by the alert. Use task management tools or scripts to ensure all instances of the processes are stopped. -- Conduct a thorough review of the host's system logs and process history to identify any additional indicators of compromise or related malicious activity. -- Restore the host from a known good backup if available, ensuring that the backup is free from any signs of compromise. -- Update and patch the host's operating system and all installed software to close any vulnerabilities that may have been exploited. 
-- Implement application whitelisting to prevent unauthorized or suspicious processes from executing in the future.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional hosts are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index 91dda3e569e..7b94ae3ca14 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -2,26 +2,59 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high -scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) -were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious -processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to -be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly -involving LOLbins, that may be resistant to detection using conventional search rules. +A machine learning job combination has identified a parent process with one or more suspicious Windows processes that +exhibit unusually high malicious probability scores. These process(es) have been classified as malicious in several +ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a +cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event +cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or +malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. 
""" from = "now-45m" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_parent" -name = "Suspicious Windows Process Cluster Spawned by a Parent Process" +name = "Parent Process Detected with Suspicious Windows Process(es)" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Parent Process Detected with Suspicious Windows Process(es) + +In Windows environments, processes are often spawned by parent processes, forming a hierarchy. Adversaries exploit this by using legitimate processes to launch malicious ones, often leveraging Living off the Land Binaries (LOLBins) to evade detection. The detection rule employs machine learning to identify clusters of processes with high malicious probability, focusing on those sharing a common parent process. This approach helps uncover stealthy attacks that traditional methods might miss, enhancing defense against tactics like masquerading. + +### Possible investigation steps + +- Review the parent process name associated with the suspicious process cluster to identify if it is a known legitimate process or a potential masquerading attempt. +- Examine the command line arguments and execution context of the suspicious processes to identify any use of LOLBins or unusual patterns that could indicate malicious activity. +- Check the process creation timestamps and correlate them with any known events or user activities to determine if the process execution aligns with expected behavior. +- Investigate the network activity of the suspicious processes to identify any unusual outbound connections or data exfiltration attempts. 
+- Analyze the user account context under which the suspicious processes were executed to determine if there is any indication of compromised credentials or privilege escalation. +- Cross-reference the detected processes with threat intelligence sources to identify any known indicators of compromise or related threat actor activity. + +### False positive analysis + +- Legitimate administrative tools may trigger false positives if they frequently spawn processes that resemble malicious activity. Users can create exceptions for known safe tools by whitelisting their parent process names. +- Software updates or installations often generate clusters of processes that might be flagged as suspicious. Users should monitor these activities and exclude them if they are verified as legitimate. +- Automated scripts or batch jobs that run regularly and spawn multiple processes can be mistaken for malicious clusters. Identifying these scripts and excluding their parent processes can reduce false positives. +- Security software or monitoring tools that perform regular scans or updates might mimic malicious behavior. Users should ensure these tools are recognized and excluded from the rule's scope. +- Custom business applications that are not widely recognized might be flagged. Users should document and exclude these applications if they are confirmed to be safe and necessary for operations. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity. +- Terminate the suspicious processes identified by the alert to stop any malicious actions they may be performing. +- Conduct a thorough review of the parent process and its associated binaries to ensure they have not been tampered with or replaced by malicious versions. +- Restore any affected files or system components from a known good backup to ensure system integrity and functionality. 
+- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary, focusing on those related to LOLBins and masquerading techniques. +- Monitor the system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", 
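Review bot: The first bullet under `### False positive analysis` in the new `note` advises creating exceptions by whitelisting parent process names, while the same guide presents this rule as a defence against masquerading; an exception keyed on a name alone also suppresses any process that adopts that name, which is the behaviour the rule is meant to surface. Suggest scoping the advice, e.g. `Users can create exceptions for known safe tools, scoped on the full executable path or code-signing information rather than the parent process name alone.` The wording is otherwise unchanged from the copy of the guide that the later hunk removes, so only the retained text needs the edit.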
@@ -60,41 +93,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Windows Process Cluster Spawned by a Parent Process - -In Windows environments, processes are often spawned by parent processes, forming a hierarchy. Adversaries exploit this by using legitimate processes to launch malicious ones, often leveraging Living off the Land Binaries (LOLBins) to evade detection. The detection rule employs machine learning to identify clusters of processes with high malicious probability, focusing on those sharing a common parent process. This approach helps uncover stealthy attacks that traditional methods might miss, enhancing defense against tactics like masquerading. - -### Possible investigation steps - -- Review the parent process name associated with the suspicious process cluster to identify if it is a known legitimate process or a potential masquerading attempt. -- Examine the command line arguments and execution context of the suspicious processes to identify any use of LOLBins or unusual patterns that could indicate malicious activity. -- Check the process creation timestamps and correlate them with any known events or user activities to determine if the process execution aligns with expected behavior. -- Investigate the network activity of the suspicious processes to identify any unusual outbound connections or data exfiltration attempts. -- Analyze the user account context under which the suspicious processes were executed to determine if there is any indication of compromised credentials or privilege escalation. 
-- Cross-reference the detected processes with threat intelligence sources to identify any known indicators of compromise or related threat actor activity. - -### False positive analysis - -- Legitimate administrative tools may trigger false positives if they frequently spawn processes that resemble malicious activity. Users can create exceptions for known safe tools by whitelisting their parent process names. -- Software updates or installations often generate clusters of processes that might be flagged as suspicious. Users should monitor these activities and exclude them if they are verified as legitimate. -- Automated scripts or batch jobs that run regularly and spawn multiple processes can be mistaken for malicious clusters. Identifying these scripts and excluding their parent processes can reduce false positives. -- Security software or monitoring tools that perform regular scans or updates might mimic malicious behavior. Users should ensure these tools are recognized and excluded from the rule's scope. -- Custom business applications that are not widely recognized might be flagged. Users should document and exclude these applications if they are confirmed to be safe and necessary for operations. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity. -- Terminate the suspicious processes identified by the alert to stop any malicious actions they may be performing. -- Conduct a thorough review of the parent process and its associated binaries to ensure they have not been tampered with or replaced by malicious versions. -- Restore any affected files or system components from a known good backup to ensure system integrity and functionality. -- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary, focusing on those related to LOLBins and masquerading techniques. 
-- Monitor the system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml index bb2d33f43f8..a5b82dcbbf8 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml 
@@ -2,26 +2,59 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high -scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) -were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious -processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be -unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly -involving LOLbins, that may be resistant to detection using conventional search rules. +A machine learning job combination has identified a user with one or more suspicious Windows processes that exhibit +unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The +process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of +suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated +to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, +possibly involving LOLbins, that may be resistant to detection using conventional search rules. 
""" from = "now-45m" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_user" -name = "Suspicious Windows Process Cluster Spawned by a User" +name = "User Detected with Suspicious Windows Process(es)" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating User Detected with Suspicious Windows Process(es) + +The detection leverages machine learning to identify clusters of Windows processes with high malicious probability, often linked to tactics like masquerading. Adversaries exploit legitimate tools (LOLBins) to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters, focusing on user-associated anomalies to uncover potential threats. + +### Possible investigation steps + +- Review the list of processes flagged by the alert to identify any known legitimate applications or tools that might have been misclassified. +- Investigate the user account associated with the suspicious process cluster to determine if there is any history of unusual activity or if the account has been compromised. +- Examine the parent-child relationship of the processes to understand the execution chain and identify any potential masquerading attempts or use of LOLBins. +- Check for any recent changes or updates to the system that might explain the unusual process behavior, such as software installations or updates. +- Correlate the detected processes with any known indicators of compromise (IOCs) or threat intelligence feeds to assess if they are linked to known malicious activity. 
+- Analyze the network activity associated with the processes to identify any suspicious outbound connections or data exfiltration attempts. + +### False positive analysis + +- Legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) may trigger false positives due to their frequent use in system management. Users can create exceptions for these tools when used by trusted administrators. +- Software updates or installations often involve processes that mimic suspicious behavior. Exclude these processes by identifying and whitelisting update-related activities from known software vendors. +- Automated scripts or scheduled tasks that perform routine maintenance can be misclassified as malicious. Review and whitelist these tasks if they are part of regular system operations. +- Development environments may spawn multiple processes that resemble malicious clusters. Developers should document and exclude these processes when they are part of legitimate development activities. +- Security software or monitoring tools might generate process clusters that appear suspicious. Ensure these tools are recognized and excluded from analysis to prevent false alerts. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of potential malicious activity. +- Terminate the suspicious processes identified by the alert to halt any ongoing malicious actions. +- Conduct a thorough review of the affected user's account for any unauthorized access or changes, and reset credentials if necessary. +- Analyze the use of any identified LOLBins to determine if they were used maliciously and restrict their execution through application whitelisting or policy adjustments. +- Collect and preserve relevant logs and forensic data from the affected system for further analysis and to aid in understanding the scope of the incident. 
+- Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to determine if additional systems are compromised. +- Implement enhanced monitoring and detection rules to identify similar patterns of behavior in the future, focusing on the specific tactics and techniques used in this incident.""" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", 
@@ -60,41 +93,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Windows Process Cluster Spawned by a User - -The detection leverages machine learning to identify clusters of Windows processes with high malicious probability, often linked to tactics like masquerading. Adversaries exploit legitimate tools (LOLBins) to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters, focusing on user-associated anomalies to uncover potential threats. - -### Possible investigation steps - -- Review the list of processes flagged by the alert to identify any known legitimate applications or tools that might have been misclassified. -- Investigate the user account associated with the suspicious process cluster to determine if there is any history of unusual activity or if the account has been compromised. -- Examine the parent-child relationship of the processes to understand the execution chain and identify any potential masquerading attempts or use of LOLBins. -- Check for any recent changes or updates to the system that might explain the unusual process behavior, such as software installations or updates. -- Correlate the detected processes with any known indicators of compromise (IOCs) or threat intelligence feeds to assess if they are linked to known malicious activity. -- Analyze the network activity associated with the processes to identify any suspicious outbound connections or data exfiltration attempts. 
- -### False positive analysis - -- Legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) may trigger false positives due to their frequent use in system management. Users can create exceptions for these tools when used by trusted administrators. -- Software updates or installations often involve processes that mimic suspicious behavior. Exclude these processes by identifying and whitelisting update-related activities from known software vendors. -- Automated scripts or scheduled tasks that perform routine maintenance can be misclassified as malicious. Review and whitelist these tasks if they are part of regular system operations. -- Development environments may spawn multiple processes that resemble malicious clusters. Developers should document and exclude these processes when they are part of legitimate development activities. -- Security software or monitoring tools might generate process clusters that appear suspicious. Ensure these tools are recognized and excluded from analysis to prevent false alerts. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of potential malicious activity. -- Terminate the suspicious processes identified by the alert to halt any ongoing malicious actions. -- Conduct a thorough review of the affected user's account for any unauthorized access or changes, and reset credentials if necessary. -- Analyze the use of any identified LOLBins to determine if they were used maliciously and restrict their execution through application whitelisting or policy adjustments. -- Collect and preserve relevant logs and forensic data from the affected system for further analysis and to aid in understanding the scope of the incident. -- Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to determine if additional systems are compromised. 
-- Implement enhanced monitoring and detection rules to identify similar patterns of behavior in the future, focusing on the specific tactics and techniques used in this incident.""" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml index 4f92c9ea1a6..31c51e7b607 100644 --- a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml +++ b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml 
@@ -2,23 +2,57 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "ES|QL rule type in technical preview as of 8.13" -min_stack_version = "8.13.0" -updated_date = "2025/02/20" +updated_date = "2025/04/07" [rule] author = ["Elastic"] description = """ -This rule detects a high number of egress network connections from an unusual executable on a Linux system. -This could indicate a command and control (C2) communication attempt, a brute force attack via a malware -infection, or other malicious activity. ES|QL rules have limited fields available in its alert documents. -Make sure to review the original documents to aid in the investigation of this alert. +This rule detects a high number of egress network connections from an unusual executable on a Linux system. This could +indicate a command and control (C2) communication attempt, a brute force attack via a malware infection, or other +malicious activity. ES|QL rules have limited fields available in its alert documents. Make sure to review the original +documents to aid in the investigation of this alert. """ from = "now-61m" interval = "1h" language = "esql" license = "Elastic License v2" name = "High Number of Egress Network Connections from Unusual Executable" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating High Number of Egress Network Connections from Unusual Executable + +In Linux environments, executables can initiate network connections for legitimate purposes. However, adversaries exploit this by deploying malware in temporary directories to establish command and control (C2) channels. 
The detection rule identifies unusual executables making numerous outbound connections, excluding trusted IP ranges and known benign paths, to flag potential threats. + +### Possible investigation steps + +- Review the process.executable field to identify the specific executable making the connections and determine if it is known or expected in the environment. +- Examine the destination.ip field to identify the external IP addresses the executable is attempting to connect to and check if they are known malicious or suspicious. +- Check the host.os.type and agent.id fields to identify the specific host and agent involved, and gather additional context about the system's role and recent activity. +- Analyze the @timestamp field to correlate the timing of the connections with other events or activities on the network or host. +- Cross-reference the identified executable and IP addresses with threat intelligence sources to determine if they are associated with known threats or campaigns. +- If the executable is determined to be malicious or suspicious, isolate the affected host and perform a deeper forensic analysis to identify any additional indicators of compromise or lateral movement. + +### False positive analysis + +- Executables in temporary directories used by legitimate applications or scripts can trigger alerts. Review the process name and executable path to determine if they are associated with known applications or scripts. +- Automated scripts or cron jobs that perform network operations might be flagged. Identify these scripts and consider excluding their paths from the rule if they are verified as non-malicious. +- Development or testing environments often use temporary directories for network operations. If these environments are known and trusted, add their specific paths to the exclusion list. +- Backup or synchronization tools that use temporary directories for data transfer can generate numerous connections. 
Verify these tools and exclude their paths if they are confirmed to be safe. +- Security tools or monitoring agents that operate in temporary directories might be mistakenly flagged. Confirm their legitimacy and exclude their paths to prevent false positives. + +### Response and remediation + +- Isolate the affected host immediately from the network to prevent further potential malicious communication and lateral movement. +- Terminate the suspicious process identified by the alert to stop any ongoing malicious activity. +- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise (IOCs) and assess the extent of the infection. +- Remove any malicious executables or files found in temporary directories such as /tmp, /var/tmp, or /dev/shm to eliminate the threat. +- Patch and update the affected system to the latest security standards to close any vulnerabilities that may have been exploited. +- Monitor network traffic for any unusual outbound connections from other systems to detect potential spread or similar threats. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation. +""" risk_score = 47 rule_id = "1fa350e0-0aa2-4055-bf8f-ab8b59233e59" setup = """## Setup @@ -53,12 +87,14 @@ tags = [ "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "esql" + query = ''' from logs-endpoint.events.network-* -| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, destination.ip, agent.id +| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, destination.ip, agent.id, host.name | where @timestamp > now() - 1 hours | where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and ( ( 
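Review bot: The investigation step `Check the host.os.type and agent.id fields to identify the specific host and agent involved` does not mention `host.name`, even though this commit adds that field to the alert document through the `keep` and `stats` changes in the following hunks; pointing analysts at the new field gives them a direct host identifier rather than the OS type. Suggest `Check the host.name and agent.id fields to identify the specific host and agent involved, and gather additional context about the system's role and recent activity.` The rewrapped description also still reads `ES|QL rules have limited fields available in its alert documents`; `their` agrees with the plural subject.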
@@ -79,21 +115,23 @@ from logs-endpoint.events.network-* process.executable like "/tmp/.mount*" or process.executable like "/tmp/go-build*" ) -| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable +| stats cc = count(), agent_count = count_distinct(agent.id), host.name = VALUES(host.name), agent.id = VALUES(agent.id) by process.executable | where agent_count == 1 and cc > 15 | sort cc asc | limit 100 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml index 329a6d1d1d2..34d8b13e7ff 100644 --- a/rules/linux/command_and_control_ip_forwarding_activity.toml +++ b/rules/linux/command_and_control_ip_forwarding_activity.toml @@ -2,9 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
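Review bot: `| sort cc asc | limit 100` keeps the 100 executables with the fewest connections above the `cc > 15` threshold, so in an hour where more than 100 executables qualify, the highest-volume and most anomalous rows are the ones cut; the new `stats` line does not change this. Unless ascending order is deliberate, `| sort cc desc` ahead of the `limit` would retain the most active executables. The added `host.name = VALUES(host.name)` should be single-valued in practice because of the `agent_count == 1` filter, so surfacing it as an alert field looks safe.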
@@ -18,35 +16,6 @@ index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_ language = "eql" license = "Elastic License v2" name = "IPv4/IPv6 Forwarding Activity" -risk_score = 21 -rule_id = "5a138e2e-aec3-4240-9843-56825d0bc569" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event") and -process.parent.executable != null and process.command_line like ( - "*net.ipv4.ip_forward*", "*/proc/sys/net/ipv4/ip_forward*", "*net.ipv6.conf.all.forwarding*", - "*/proc/sys/net/ipv6/conf/all/forwarding*" -) and ( - (process.name == "sysctl" and process.args like ("*-w*", "*--write*", "*=*")) or - ( - process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and - process.command_line like "*echo *" - ) -) and -not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,16 +51,48 @@ IPv4/IPv6 forwarding allows a Linux system to route traffic between network inte - Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised. - Implement network segmentation to limit the ability of attackers to pivot between networks in the future. - Enhance monitoring and alerting for similar suspicious activities by tuning detection systems to recognize patterns associated with IP forwarding misuse.""" +risk_score = 21 +rule_id = "5a138e2e-aec3-4240-9843-56825d0bc569" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event") and +process.parent.executable != null and process.command_line like ( + "*net.ipv4.ip_forward*", "*/proc/sys/net/ipv4/ip_forward*", "*net.ipv6.conf.all.forwarding*", + "*/proc/sys/net/ipv6/conf/all/forwarding*" +) and ( + (process.name == "sysctl" and process.args like ("*-w*", "*--write*", "*=*")) or + ( + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and + process.command_line like "*echo *" + ) +) and +not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap") +''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + 
diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml index 46cd848e64f..f71f59a1770 100644 --- a/rules/linux/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -41,7 +39,14 @@ resources. Attackers can exploit the ProxyChains utility to hide their true sour perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "ProxyChains Activity" diff --git a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml index 4cc5b788c70..b4d383c26e2 100644 --- a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml +++ b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -41,7 +39,12 @@ can abuse X11 forwarding for tunneling their GUI-based tools, pivot through comp communication channels, enabling lateral movement and facilitating remote control of systems within a network. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Linux SSH X11 Forwarding" @@ -121,21 +124,24 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index baf53ccab50..b200f9576d9 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -42,7 +40,14 @@ detection, and perform malicious activities through a chain of proxy servers, po intentions. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Utility Launched via ProxyChains" diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index 68be50722be..2a193201c40 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -41,7 +39,12 @@ and gain unauthorized access to internal resources, facilitating data exfiltrati control. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Linux Tunneling and/or Port Forwarding" diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index b5f92960e13..67530824eca 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -2,9 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -min_stack_version = "8.13.0" -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -40,7 +38,13 @@ system within a separate protocol to avoid detection and network filtering, or t systems. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via EarthWorm" diff --git a/rules/linux/credential_access_aws_creds_search_inside_container.toml b/rules/linux/credential_access_aws_creds_search_inside_container.toml new file mode 100644 index 00000000000..a7cb2b14a59 --- /dev/null +++ b/rules/linux/credential_access_aws_creds_search_inside_container.toml 
@@ -0,0 +1,118 @@
+[metadata]
+creation_date = "2025/03/12"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/03/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a
+container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or
+facilitate a container breakout to the underlying cloud environment.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "AWS Credentials Searched For Inside A Container"
+references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"]
+risk_score = 47
+rule_id = "5749282b-7524-4c9d-af9a-e2b3e814e5d4"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "medium"
+tags = [
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.entry_leader.entry_meta.type == "container" and
+process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate") and
+process.command_line like~ (
+ "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*",
+ "*access_key*", "*.aws/credentials*"
+)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating AWS Credentials Searched For Inside A Container
+
+Containers often house applications that interact with AWS services, necessitating the storage of AWS credentials. Adversaries may exploit this by using search utilities to locate these credentials, potentially leading to unauthorized access. The detection rule identifies suspicious use of search tools within containers, flagging attempts to locate AWS credentials by monitoring specific process names and arguments, thus helping to prevent credential theft and subsequent attacks.
+
+### Possible investigation steps
+
+- Review the process details to identify the specific search utility used (e.g., grep, find) and the arguments passed, focusing on those related to AWS credentials such as aws_access_key_id or aws_secret_access_key.
+- Check the user context under which the suspicious process was executed to assess whether it aligns with expected behavior for that user or role within the container.
+- Investigate the source of the container image to ensure it is from a trusted repository and has not been tampered with, which could indicate a supply chain compromise.
+- Analyze recent activity logs for the container to identify any other suspicious behavior or anomalies that might correlate with the search for AWS credentials, such as unexpected network connections or file modifications.
+- Review access logs for AWS services to detect any unauthorized or unusual access patterns that might suggest the use of compromised credentials.
+
+### False positive analysis
+
+- Routine maintenance scripts or automated processes may use search utilities to verify the presence of AWS credentials for legitimate configuration checks. To handle this, identify and whitelist these specific scripts or processes by their unique identifiers or execution paths.
+- Developers or system administrators might manually search for AWS credentials during debugging or configuration tasks. Implement a policy to log and review these activities, and consider excluding known user accounts or roles from triggering alerts during specific time windows or in designated environments.
+- Security audits or compliance checks often involve searching for sensitive information, including AWS credentials, to ensure proper security measures are in place. Coordinate with audit teams to schedule these activities and temporarily suppress alerts during these periods, or exclude specific audit tools from detection.
+- Continuous integration and deployment (CI/CD) pipelines might include steps that search for AWS credentials to validate environment configurations. Identify these pipelines and exclude their associated processes or container environments from triggering alerts, ensuring that only authorized CI/CD tools are used.
+
+### Response and remediation
+
+- Immediately isolate the affected container to prevent further unauthorized access or data exfiltration. This can be done by stopping the container or disconnecting it from the network.
+- Revoke any AWS credentials that were potentially exposed or accessed. This includes rotating keys and updating any services or applications that rely on these credentials.
+- Conduct a thorough review of the container's file system to identify any unauthorized changes or additional malicious files that may have been introduced.
+- Implement stricter access controls and monitoring on AWS credentials within containers, ensuring they are stored securely and accessed only by authorized processes.
+- Escalate the incident to the cloud security team to assess the potential impact on the broader cloud environment and determine if further investigation or response is needed.
+- Enhance logging and monitoring for similar activities across other containers and cloud environments to detect and respond to future attempts promptly.
+- Review and update container security policies to include best practices for credential management and access control, reducing the risk of similar incidents."""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
new file mode 100644
index 00000000000..8903e78c926
--- /dev/null
+++ b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
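Review bot: The `"*access_key*"` entry in the query's `process.command_line like~` list already subsumes `"*aws_access_key_id*"` and, because `like~` is case-insensitive, also matches any grep or find for an unrelated `access_key` string (non-AWS SDK configs, source trees, generic API-key names), which is likely to be the dominant false-positive source for this rule. Narrowing it to `"*aws_access_key*"` keeps `aws_access_key_id` covered while dropping the generic match; if the breadth is deliberate, the false-positive section should say so. The investigation guide also states the rule matches on "specific process names and arguments" whereas the query keys on `process.command_line`, so the first investigation step should point analysts at `process.command_line` rather than `process.args`.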
@@ -0,0 +1,135 @@
+[metadata]
+creation_date = "2025/03/12"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/03/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials
+and system configurations inside a container.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Sensitive Files Compression Inside A Container"
+risk_score = 47
+rule_id = "d9faf1ba-a216-4c29-b8e0-a05a9d14b027"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "medium"
+tags = [
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Collection",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.entry_leader.entry_meta.type == "container" and process.name in ("zip", "tar", "gzip", "hdiutil", "7z") and
+process.command_line like~ (
+ "*/root/.ssh/*", "*/home/*/.ssh/*", "*/root/.bash_history*", "*/etc/hosts*", "*/root/.aws/*", "*/home/*/.aws/*",
+ "*/root/.docker/*", "*/home/*/.docker/*", "*/etc/group*", "*/etc/passwd*", "*/etc/shadow*", "*/etc/gshadow*"
+)
+'''
+note = """### Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Sensitive Files Compression Inside A Container
+
+Containers are lightweight, portable environments used to run applications consistently across different systems. Adversaries may exploit compression utilities within containers to gather and exfiltrate sensitive files, such as credentials and configuration files. The detection rule identifies suspicious compression activities by monitoring for specific utilities and file paths, flagging potential unauthorized data collection attempts.
+
+### Possible investigation steps
+
+- Review the process details to confirm the use of compression utilities such as zip, tar, gzip, hdiutil, or 7z within the container environment, focusing on the process.name and process.args fields.
+- Examine the specific file paths listed in the process.args to determine if they include sensitive files like SSH keys, AWS credentials, or Docker configurations, which could indicate unauthorized data collection.
+- Check the event.type field for "start" to verify the timing of the process initiation and correlate it with any known legitimate activities or scheduled tasks within the container.
+- Investigate the user or service account under which the process was executed to assess whether it has the necessary permissions and if the activity aligns with expected behavior for that account.
+- Look for any related alerts or logs that might indicate a broader pattern of suspicious activity within the same container or across other containers in the environment.
+
+### False positive analysis
+
+- Routine backup operations may trigger the rule if they involve compressing sensitive files for storage. To handle this, identify and exclude backup processes or scripts that are known and trusted.
+- Automated configuration management tools might compress configuration files as part of their normal operation. Exclude these tools by specifying their process names or paths in the exception list.
+- Developers or system administrators might compress sensitive files during legitimate troubleshooting or maintenance activities. Establish a process to log and review these activities, and exclude them if they are verified as non-threatening.
+- Continuous integration and deployment pipelines could involve compressing configuration files for deployment purposes. Identify these pipelines and exclude their associated processes to prevent false positives.
+- Security tools that perform regular audits or scans might compress files for analysis. Ensure these tools are recognized and excluded from triggering the rule.
+
+### Response and remediation
+
+- Immediately isolate the affected container to prevent further data exfiltration or unauthorized access. This can be done by stopping the container or disconnecting it from the network.
+- Conduct a thorough review of the compressed files and their contents to assess the extent of sensitive data exposure. Focus on the specific file paths identified in the alert.
+- Change credentials and keys that may have been compromised, including SSH keys, AWS credentials, and Docker configurations. Ensure that new credentials are distributed securely.
+- Review and update access controls and permissions for sensitive files within containers to minimize exposure. Ensure that only necessary processes and users have access to these files.
+- Implement monitoring and alerting for similar compression activities in other containers to detect potential threats early. Use the identified process names and arguments as indicators.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been affected.
+- Conduct a post-incident review to identify gaps in security controls and update container security policies to prevent recurrence."""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1560"
+name = "Archive Collected Data"
+reference = "https://attack.mitre.org/techniques/T1560/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1560.001"
+name = "Archive via Utility"
+reference = "https://attack.mitre.org/techniques/T1560/001/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml
index 1ffa0927ca8..fdbfae8b553 100644
--- a/rules/linux/credential_access_credential_dumping.toml
+++ b/rules/linux/credential_access_credential_dumping.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/02/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
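Review bot: `hdiutil` in `process.name in ("zip", "tar", "gzip", "hdiutil", "7z")` is a macOS disk-image utility and can never match under the rule's `host.os.type == "linux"` constraint, so it is dead coverage, while common Linux archivers such as `bzip2`, `xz` and `zstd` (and the `7za`/`7zr` binaries that p7zip ships alongside `7z`) are not listed; the process-name list should be revisited with Linux utilities. The `note` also opens with `### Triage and analysis` where the sibling rule added in this commit uses `## Triage and analysis`, so the heading level is inconsistent across the two new guides. The investigation steps direct analysts to `process.args` although the query matches on `process.command_line`, so the first two steps should name the field the rule actually evaluates.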
@@ -16,10 +14,49 @@ password-cracking utilities or prepare themselves for future operations by gathe victim. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Unshadow" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Linux Credential Dumping via Unshadow + +Unshadow is a utility within the John the Ripper suite, used to merge `/etc/shadow` and `/etc/passwd` files, making them vulnerable to password cracking. Adversaries exploit this to extract and crack user credentials, gaining unauthorized access. The detection rule identifies suspicious execution of Unshadow by monitoring process activities, focusing on specific execution patterns and argument counts, thus flagging potential credential dumping attempts. + +### Possible investigation steps + +- Review the process execution details to confirm the presence of the unshadow utility by checking the process name and arguments, ensuring that the process.args_count is 3 or more. +- Investigate the user account under which the unshadow process was executed to determine if it aligns with expected administrative activities or if it indicates potential unauthorized access. +- Examine the command line arguments used with the unshadow process to identify the specific files targeted, such as /etc/shadow and /etc/passwd, and verify if these files were accessed or modified. 
+- Check for any subsequent processes or activities that might indicate password cracking attempts, such as the execution of John the Ripper or similar tools, following the unshadow execution. +- Correlate the event with other security alerts or logs from the same host or user to identify any patterns or additional suspicious activities that might suggest a broader attack campaign. +- Assess the risk and impact by determining if any sensitive credentials were potentially exposed and consider implementing additional monitoring or access controls to prevent future incidents. + +### False positive analysis + +- System administrators or security teams may use the unshadow utility for legitimate auditing or recovery purposes. To handle this, create exceptions for known administrative accounts or specific maintenance windows. +- Automated scripts or backup processes might invoke unshadow as part of routine operations. Identify these scripts and exclude their execution paths or associated user accounts from triggering alerts. +- Security testing or penetration testing activities could involve the use of unshadow. Coordinate with the testing team to whitelist their activities during the testing period to avoid false positives. +- Development or testing environments might have unshadow executed as part of security tool evaluations. Exclude these environments from monitoring or adjust the rule to focus on production systems only. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious processes related to the unshadow utility to halt ongoing credential dumping activities. +- Conduct a thorough review of the affected system's `/etc/shadow` and `/etc/passwd` files to identify any unauthorized modifications or access. 
+- Change passwords for all user accounts on the affected system, prioritizing those with elevated privileges, to mitigate the risk of compromised credentials. +- Review and update access controls and permissions for sensitive files, ensuring that only authorized users have access to `/etc/shadow` and `/etc/passwd`. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for similar activities across the network to detect and respond to future credential dumping attempts promptly.""" references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"] risk_score = 47 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c" 
@@ -67,40 +104,6 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name == "unshadow" and process.args_count >= 3 ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Linux Credential Dumping via Unshadow - -Unshadow is a utility within the John the Ripper suite, used to merge `/etc/shadow` and `/etc/passwd` files, making them vulnerable to password cracking. Adversaries exploit this to extract and crack user credentials, gaining unauthorized access. The detection rule identifies suspicious execution of Unshadow by monitoring process activities, focusing on specific execution patterns and argument counts, thus flagging potential credential dumping attempts. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of the unshadow utility by checking the process name and arguments, ensuring that the process.args_count is 3 or more. -- Investigate the user account under which the unshadow process was executed to determine if it aligns with expected administrative activities or if it indicates potential unauthorized access. -- Examine the command line arguments used with the unshadow process to identify the specific files targeted, such as /etc/shadow and /etc/passwd, and verify if these files were accessed or modified. -- Check for any subsequent processes or activities that might indicate password cracking attempts, such as the execution of John the Ripper or similar tools, following the unshadow execution. 
-- Correlate the event with other security alerts or logs from the same host or user to identify any patterns or additional suspicious activities that might suggest a broader attack campaign. -- Assess the risk and impact by determining if any sensitive credentials were potentially exposed and consider implementing additional monitoring or access controls to prevent future incidents. - -### False positive analysis - -- System administrators or security teams may use the unshadow utility for legitimate auditing or recovery purposes. To handle this, create exceptions for known administrative accounts or specific maintenance windows. -- Automated scripts or backup processes might invoke unshadow as part of routine operations. Identify these scripts and exclude their execution paths or associated user accounts from triggering alerts. -- Security testing or penetration testing activities could involve the use of unshadow. Coordinate with the testing team to whitelist their activities during the testing period to avoid false positives. -- Development or testing environments might have unshadow executed as part of security tool evaluations. Exclude these environments from monitoring or adjust the rule to focus on production systems only. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious processes related to the unshadow utility to halt ongoing credential dumping activities. -- Conduct a thorough review of the affected system's `/etc/shadow` and `/etc/passwd` files to identify any unauthorized modifications or access. -- Change passwords for all user accounts on the affected system, prioritizing those with elevated privileges, to mitigate the risk of compromised credentials. -- Review and update access controls and permissions for sensitive files, ensuring that only authorized users have access to `/etc/shadow` and `/etc/passwd`. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring and logging for similar activities across the network to detect and respond to future credential dumping attempts promptly.""" [[rule.threat]] diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml index 267ef6a5683..8108fc8429d 100644 --- a/rules/linux/credential_access_gdb_init_process_hooking.toml +++ b/rules/linux/credential_access_gdb_init_process_hooking.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,10 +12,49 @@ dumping techniques to attempt secret extraction from privileged processes. Tools "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Linux init (PID 1) Secret Dump via GDB" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Linux init (PID 1) Secret Dump via GDB + +In Linux, the init process (PID 1) is the first process started by the kernel and is responsible for initializing the system. Adversaries may exploit debugging tools like GDB to dump memory from this process, potentially extracting sensitive information. The detection rule identifies suspicious GDB executions targeting PID 1, flagging unauthorized memory access attempts for further investigation. + +### Possible investigation steps + +- Review the alert details to confirm the process name is "gdb" and the process arguments include "--pid" or "-p" with a target of PID "1". +- Check the user account associated with the gdb process execution to determine if it is authorized to perform debugging tasks on the system. +- Investigate the parent process of the gdb execution to understand how it was initiated and whether it was part of a legitimate workflow or script. 
+- Examine system logs around the time of the alert to identify any other suspicious activities or related events that might indicate a broader attack. +- Assess the system for any unauthorized changes or anomalies, such as new user accounts, modified configurations, or unexpected network connections. +- If possible, capture and analyze memory dumps or other forensic artifacts to identify any sensitive information that may have been accessed or exfiltrated. + +### False positive analysis + +- System administrators or developers may use GDB for legitimate debugging purposes on the init process. To handle this, create exceptions for known maintenance windows or specific user accounts that are authorized to perform such actions. +- Automated scripts or monitoring tools might inadvertently trigger this rule if they include GDB commands targeting PID 1 for health checks. Review and adjust these scripts to avoid unnecessary memory access or exclude them from the rule if they are verified as safe. +- Security tools or forensic analysis software might use GDB as part of their operations. Identify these tools and whitelist their processes to prevent false positives while ensuring they are from trusted sources. +- Training or testing environments may simulate attacks or debugging scenarios involving GDB and PID 1. Exclude these environments from the rule to avoid noise, ensuring they are isolated from production systems. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate the suspicious gdb process targeting PID 1 to stop any ongoing memory dumping activity. +- Conduct a thorough review of system logs and process execution history to identify any additional unauthorized access attempts or related suspicious activities. 
+- Change all credentials and secrets that may have been exposed or accessed during the memory dump, focusing on those used by the init process and other privileged accounts. +- Implement stricter access controls and monitoring for debugging tools like gdb, ensuring only authorized personnel can execute such tools on critical systems. +- Escalate the incident to the security operations team for a comprehensive investigation and to determine if further forensic analysis is required. +- Update and enhance detection rules and monitoring systems to better identify and alert on similar unauthorized memory access attempts in the future.""" references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] risk_score = 47 rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f" 
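Review bot: The first investigation step in the added note (`Review the alert details to confirm the process name is "gdb" and the process arguments include "--pid" or "-p" with a target of PID "1"`) reads as if the rule verifies that "1" is the value given to -p, but the query shown as context in the next hunk tests `process.args == "1"` against the whole argument array, so "1" may be any token and the analyst has to read process.command_line rather than trust the flag pairing. The guide should also say which attach forms the query does not see — as far as I can tell `gdb --pid=1` arrives as a single token, and `gdb <binary> 1` or `gdb -ex "attach 1"` carry neither flag — so absence of hits is not evidence that PID 1 was never attached. I would reword the step to `Confirm from process.command_line that "1" is the argument following --pid/-p; the query only checks that both tokens appear somewhere in process.args.` and add a false-positive/coverage bullet listing the unmatched attach forms. The note string begins at the top of this hunk and is complete within it.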
@@ -65,40 +102,6 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Linux init (PID 1) Secret Dump via GDB - -In Linux, the init process (PID 1) is the first process started by the kernel and is responsible for initializing the system. Adversaries may exploit debugging tools like GDB to dump memory from this process, potentially extracting sensitive information. The detection rule identifies suspicious GDB executions targeting PID 1, flagging unauthorized memory access attempts for further investigation. - -### Possible investigation steps - -- Review the alert details to confirm the process name is "gdb" and the process arguments include "--pid" or "-p" with a target of PID "1". -- Check the user account associated with the gdb process execution to determine if it is authorized to perform debugging tasks on the system. -- Investigate the parent process of the gdb execution to understand how it was initiated and whether it was part of a legitimate workflow or script. -- Examine system logs around the time of the alert to identify any other suspicious activities or related events that might indicate a broader attack. -- Assess the system for any unauthorized changes or anomalies, such as new user accounts, modified configurations, or unexpected network connections. 
-- If possible, capture and analyze memory dumps or other forensic artifacts to identify any sensitive information that may have been accessed or exfiltrated. - -### False positive analysis - -- System administrators or developers may use GDB for legitimate debugging purposes on the init process. To handle this, create exceptions for known maintenance windows or specific user accounts that are authorized to perform such actions. -- Automated scripts or monitoring tools might inadvertently trigger this rule if they include GDB commands targeting PID 1 for health checks. Review and adjust these scripts to avoid unnecessary memory access or exclude them from the rule if they are verified as safe. -- Security tools or forensic analysis software might use GDB as part of their operations. Identify these tools and whitelist their processes to prevent false positives while ensuring they are from trusted sources. -- Training or testing environments may simulate attacks or debugging scenarios involving GDB and PID 1. Exclude these environments from the rule to avoid noise, ensuring they are isolated from production systems. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate the suspicious gdb process targeting PID 1 to stop any ongoing memory dumping activity. -- Conduct a thorough review of system logs and process execution history to identify any additional unauthorized access attempts or related suspicious activities. -- Change all credentials and secrets that may have been exposed or accessed during the memory dump, focusing on those used by the init process and other privileged accounts. -- Implement stricter access controls and monitoring for debugging tools like gdb, ensuring only authorized personnel can execute such tools on critical systems. 
-- Escalate the incident to the security operations team for a comprehensive investigation and to determine if further forensic analysis is required. -- Update and enhance detection rules and monitoring systems to better identify and alert on similar unauthorized memory access attempts in the future.""" [[rule.threat]] diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml index d668a5a7a2d..af461be6f71 100644 --- a/rules/linux/credential_access_gdb_process_hooking.toml +++ b/rules/linux/credential_access_gdb_process_hooking.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,35 +12,17 @@ secret extraction from privileged processes. Tools that display this behavior in "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Linux Process Hooking via GDB" -references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] -risk_score = 21 -rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") - and process.name == "gdb" and process.args in ("--pid", "-p") and -/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */ -process.args != "1" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -78,6 +58,31 @@ GDB, the GNU Debugger, is a powerful tool used for debugging applications by ins - Change credentials for any accounts that may have been exposed or accessed during the incident to prevent unauthorized use. - Implement stricter access controls and monitoring for systems that handle sensitive information to prevent similar incidents. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] +risk_score = 21 +rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") + and process.name == "gdb" and process.args in ("--pid", "-p") and +/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */ +process.args != "1" +''' [[rule.threat]] diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index bdae2eaf8e1..f3874305266 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml 
@@ -2,9 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +17,42 @@ index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_ language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Proc Filesystem" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Linux Credential Dumping via Proc Filesystem + +The /proc filesystem in Linux provides a window into the system's processes, offering details like memory usage and command-line arguments. Adversaries exploit this by using tools like mimipenguin to extract plaintext credentials from memory, leveraging vulnerabilities such as CVE-2018-20781. The detection rule identifies suspicious sequences involving the 'ps' and 'strings' commands, which are indicative of attempts to access and parse sensitive data from the /proc filesystem. + +### Possible investigation steps + +- Review the alert details to identify the specific host.id where the suspicious activity was detected, focusing on the processes involved. +- Examine the process execution history on the affected host to confirm the presence of the 'ps' and 'strings' commands executed in sequence, as indicated by the query. +- Investigate the command-line arguments used with the 'ps' and 'strings' commands to determine if they match the suspicious patterns specified in the query, such as '-eo pid command' and '/tmp/*'. +- Check for any recent modifications or suspicious files in the /tmp directory on the affected host, as this is a common location for temporary files used in attacks. 
+- Analyze the system logs and any available network traffic data to identify potential lateral movement or data exfiltration attempts following the credential dumping activity. +- Assess the system for any signs of compromise or additional malicious activity, such as unauthorized user accounts or unexpected network connections. +- Consider isolating the affected host from the network to prevent further credential exposure and initiate a comprehensive forensic analysis to understand the full scope of the incident. + +### False positive analysis + +- System administrators or monitoring tools may use the 'ps' and 'strings' commands for legitimate system diagnostics and performance monitoring. To mitigate this, create exceptions for known administrative scripts or tools that regularly execute these commands. +- Automated scripts for system health checks might trigger the rule if they use 'ps' and 'strings' to gather process information. Identify and whitelist these scripts by their specific command patterns or execution paths. +- Security tools that perform regular scans or audits might mimic the behavior detected by the rule. Review and exclude these tools by their process names or execution context to prevent false alerts. +- Developers or testers running debugging sessions may inadvertently trigger the rule when analyzing process memory. Establish a process to temporarily disable the rule or exclude specific user accounts during known testing periods. +- Custom monitoring solutions that log process details for analysis could match the rule's criteria. Document and exclude these solutions by their unique execution characteristics or host identifiers. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further credential exposure and potential lateral movement by the adversary. 
+- Terminate any suspicious processes identified by the detection rule, specifically those involving the 'ps' and 'strings' commands with the specified arguments. +- Conduct a thorough review of the affected system's process memory and logs to identify any additional unauthorized access or data exfiltration attempts. +- Change passwords for all user accounts on the affected system, prioritizing those with elevated privileges, to mitigate the risk of credential misuse. +- Apply patches and updates to address CVE-2018-20781 and any other known vulnerabilities on the affected system to prevent future exploitation. +- Enhance monitoring and logging on the affected host and similar systems to detect any recurrence of the exploit or similar suspicious activities. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" references = [ "https://github.com/huntergregal/mimipenguin", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781", 
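Review bot: The response step `Terminate any suspicious processes identified by the detection rule, specifically those involving the 'ps' and 'strings' commands` targets processes that will almost certainly have exited by the time the sequence alert fires; the query correlates by `process.parent.name`, so the actionable target is the parent shell or script that spawned the pair and the step should name `process.parent.pid` / `process.parent.executable` instead. The guide also tells the analyst to look for suspicious files in /tmp but never says to preserve them — the `strings /tmp/*` stage implies a memory dump was written there, and that file is both the evidence of what was read and the only way to scope which credentials were exposed, so it should be collected before the host is remediated. I would replace the bullet with `Identify and terminate the parent process (process.parent.pid) that launched the ps/strings sequence; the child processes are short-lived. Preserve any dump files under /tmp for forensic analysis before remediation.` Separately, the phrasing that mimipenguin "leverages" CVE-2018-20781 is loose — as far as I can tell that CVE tracks the gnome-keyring cleartext-password-in-memory behaviour the tool relies on — and stating that would make clear that the patch advice in the remediation section reduces exposure rather than closing the ps/strings technique itself.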
@@ -71,42 +105,6 @@ sequence by host.id, process.parent.name with maxspan=1m [process where host.os.type == "linux" and process.name == "strings" and event.action in ("exec", "start", "exec_event") and process.args : "/tmp/*"] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Linux Credential Dumping via Proc Filesystem - -The /proc filesystem in Linux provides a window into the system's processes, offering details like memory usage and command-line arguments. Adversaries exploit this by using tools like mimipenguin to extract plaintext credentials from memory, leveraging vulnerabilities such as CVE-2018-20781. The detection rule identifies suspicious sequences involving the 'ps' and 'strings' commands, which are indicative of attempts to access and parse sensitive data from the /proc filesystem. - -### Possible investigation steps - -- Review the alert details to identify the specific host.id where the suspicious activity was detected, focusing on the processes involved. -- Examine the process execution history on the affected host to confirm the presence of the 'ps' and 'strings' commands executed in sequence, as indicated by the query. -- Investigate the command-line arguments used with the 'ps' and 'strings' commands to determine if they match the suspicious patterns specified in the query, such as '-eo pid command' and '/tmp/*'. -- Check for any recent modifications or suspicious files in the /tmp directory on the affected host, as this is a common location for temporary files used in attacks. 
-- Analyze the system logs and any available network traffic data to identify potential lateral movement or data exfiltration attempts following the credential dumping activity. -- Assess the system for any signs of compromise or additional malicious activity, such as unauthorized user accounts or unexpected network connections. -- Consider isolating the affected host from the network to prevent further credential exposure and initiate a comprehensive forensic analysis to understand the full scope of the incident. - -### False positive analysis - -- System administrators or monitoring tools may use the 'ps' and 'strings' commands for legitimate system diagnostics and performance monitoring. To mitigate this, create exceptions for known administrative scripts or tools that regularly execute these commands. -- Automated scripts for system health checks might trigger the rule if they use 'ps' and 'strings' to gather process information. Identify and whitelist these scripts by their specific command patterns or execution paths. -- Security tools that perform regular scans or audits might mimic the behavior detected by the rule. Review and exclude these tools by their process names or execution context to prevent false alerts. -- Developers or testers running debugging sessions may inadvertently trigger the rule when analyzing process memory. Establish a process to temporarily disable the rule or exclude specific user accounts during known testing periods. -- Custom monitoring solutions that log process details for analysis could match the rule's criteria. Document and exclude these solutions by their unique execution characteristics or host identifiers. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further credential exposure and potential lateral movement by the adversary. 
-- Terminate any suspicious processes identified by the detection rule, specifically those involving the 'ps' and 'strings' commands with the specified arguments. -- Conduct a thorough review of the affected system's process memory and logs to identify any additional unauthorized access or data exfiltration attempts. -- Change passwords for all user accounts on the affected system, prioritizing those with elevated privileges, to mitigate the risk of credential misuse. -- Apply patches and updates to address CVE-2018-20781 and any other known vulnerabilities on the affected system to prevent future exploitation. -- Enhance monitoring and logging on the affected host and similar systems to detect any recurrence of the exploit or similar suspicious activities. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" [[rule.threat]] diff --git a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml new file mode 100644 index 00000000000..21acccf17e7 --- /dev/null +++ b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml 
@@ -0,0 +1,119 @@ +[metadata] +creation_date = "2025/03/12" +integration = ["endpoint"] +maturity = "production" +updated_date = "2025/03/12" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords +inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container +environment or facilitate a container breakout to the underlying host machine. +""" +from = "now-9m" +index = ["logs-endpoint.events.process*"] +language = "eql" +license = "Elastic License v2" +name = "Sensitive Keys Or Passwords Searched For Inside A Container" +references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"] +risk_score = 47 +rule_id = "23cd4ba2-344e-41bf-bcda-655bea43fdbc" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. + +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" +severity = "medium" +tags = [ + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.entry_leader.entry_meta.type == "container" and +process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate") and +process.command_line like~ ( + "*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*", "*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*", + "*pass*", "*ssh*", "*user*", "*id_rsa*", "*id_dsa*" +) +''' +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Sensitive Keys Or Passwords Searched For Inside A Container + +Containers encapsulate applications, providing isolated environments. Adversaries may exploit search utilities like grep or find to locate sensitive credentials within containers, potentially leading to unauthorized access or container escape. The detection rule identifies suspicious searches for private keys or passwords, flagging potential credential access attempts by monitoring process activities and arguments. + +### Possible investigation steps + +- Examine the process.name and process.args fields to determine the exact command executed and assess whether it aligns with typical usage patterns or indicates malicious intent. +- Check the user context under which the process was executed to understand if the activity was performed by a legitimate user or an unauthorized entity. +- Investigate the container's recent activity logs to identify any other suspicious behavior or anomalies that might correlate with the search for sensitive keys or passwords. +- Assess the potential impact by determining if any sensitive files, such as private keys or password files, were accessed or exfiltrated following the search activity. +- If possible, correlate the event with network logs to identify any outbound connections that might suggest data exfiltration attempts. + +### False positive analysis + +- Routine administrative tasks may trigger the rule when system administrators use grep or find to audit or manage SSH keys and passwords within containers. To mitigate this, create exceptions for known administrative scripts or processes that regularly perform these tasks. +- Automated backup or configuration management tools might search for sensitive files as part of their normal operation. 
Identify these tools and exclude their process IDs or specific command patterns from triggering the rule. +- Security scanning tools that check for the presence of sensitive files could be flagged. Whitelist these tools by their process names or arguments to prevent false positives. +- Developers or DevOps personnel might use search utilities during debugging or development processes. Establish a list of trusted users or roles and exclude their activities from the rule to reduce noise. +- Continuous integration/continuous deployment (CI/CD) pipelines may include steps that search for keys or passwords for validation purposes. Exclude these pipeline processes by identifying their unique process arguments or container IDs. + +### Response and remediation + +- Immediately isolate the affected container to prevent further unauthorized access or potential container escape to the host system. This can be done by stopping the container or disconnecting it from the network. +- Conduct a thorough review of the container's logs and process activities to identify any unauthorized access or data exfiltration attempts. Pay special attention to the processes and arguments flagged by the detection rule. +- Rotate any potentially compromised credentials, including SSH keys and passwords, that were stored or accessed within the container. Ensure that new credentials are securely stored and managed. +- Assess the container's configuration and access controls to identify and rectify any security misconfigurations that may have allowed the unauthorized search for sensitive information. +- Implement additional monitoring and alerting for similar suspicious activities across other containers and the host environment to detect and respond to potential threats promptly. +- Escalate the incident to the security operations team for further investigation and to determine if the threat has spread beyond the initial container. 
+- Review and update container security policies and practices to prevent recurrence, including enforcing least privilege access and using secrets management solutions to handle sensitive information securely."""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 802a66e3ede..8e81a161cfe 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/21"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2025/01/29"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
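Review bot: Dropping `min_stack_version = "8.13.0"` together with the `min_stack_comments` line removes the only in-file record that sentinel_one_cloud_funnel data needs stack 8.13 or later, so a reader of the rule can no longer see that floor. This is presumably fine if every maintained branch is now at or above 8.13, but that assumption is stated nowhere in the hunk. The same pair of deletions is made in the setfacl, auditd and iptables rules further down; if the floor still matters for any backport branch, the gate should stay there.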
@@ -19,6 +17,41 @@ index = ["auditbeat-*", "logs-endpoint.events.file-*", "endgame-*", "logs-sentin language = "eql" license = "Elastic License v2" name = "Potential OpenSSH Backdoor Logging Activity" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential OpenSSH Backdoor Logging Activity + +OpenSSH is a widely used protocol for secure remote administration and file transfers. Adversaries may exploit OpenSSH by modifying its binaries to log credentials or maintain unauthorized access. The detection rule identifies suspicious file changes linked to SSH processes, focusing on unusual file names, extensions, and paths indicative of backdoor activity, thus helping to uncover potential security breaches. + +### Possible investigation steps + +- Review the file change event details to identify the specific file name, extension, and path involved in the alert. Pay particular attention to unusual file names or extensions and paths listed in the query, such as "/usr/lib/*.so.*" or "/private/etc/ssh/.sshd_auth". +- Examine the process executable that triggered the alert, either "/usr/sbin/sshd" or "/usr/bin/ssh", to determine if it has been modified or replaced. Check the integrity of these binaries using hash comparisons against known good versions. +- Investigate the user account associated with the process that made the file change. Determine if the account has a history of suspicious activity or if it has been compromised. +- Check for any recent or unusual login attempts or sessions related to the SSH service on the host. Look for patterns that might indicate unauthorized access or credential harvesting. 
+- Analyze system logs, such as auth.log or secure.log, for any anomalies or entries that coincide with the time of the file change event. This can provide additional context or evidence of malicious activity. +- If a backdoor is suspected, consider isolating the affected system from the network to prevent further unauthorized access and begin remediation efforts, such as restoring from a clean backup or reinstalling the affected services. + +### False positive analysis + +- Routine system updates or package installations may trigger file changes in SSH-related directories. Users can create exceptions for known update processes to prevent false alerts. +- Custom scripts or administrative tasks that modify SSH configuration files for legitimate purposes might be flagged. Users should whitelist these scripts or processes if they are verified as non-malicious. +- Backup or synchronization tools that create temporary files with unusual extensions or names in SSH directories can cause false positives. Exclude these tools from monitoring if they are part of regular operations. +- Development or testing environments where SSH binaries are frequently modified for testing purposes may generate alerts. Implement exclusions for these environments to reduce noise. +- Automated configuration management tools like Ansible or Puppet that modify SSH settings as part of their operations can be excluded if they are part of authorized workflows. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious SSH processes identified in the alert to halt potential backdoor activity. +- Conduct a thorough review of the modified files and binaries, particularly those listed in the query, to assess the extent of the compromise and identify any malicious code or unauthorized changes. 
+- Restore affected files and binaries from a known good backup to ensure system integrity and remove any backdoor modifications. +- Change all SSH credentials and keys associated with the compromised system to prevent unauthorized access using potentially logged credentials. +- Implement additional monitoring on the affected system and network for any signs of persistence or further malicious activity, focusing on the paths and file types highlighted in the detection query. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected, ensuring a coordinated response to the threat.""" references = [ "https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", 
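Review bot: The "Terminate any suspicious SSH processes" step in the Response section sits next to an investigation step that names `/usr/sbin/sshd` as one of the executables this rule fires on, so following it literally on a remotely administered host can cut the responder's own session before containment is done. Suggest reordering so isolation comes first and the sshd action is taken from a console or out-of-band channel, e.g. `- After isolating the host, stop or replace the affected sshd binary from a local console or out-of-band session rather than over SSH itself.` The binary-integrity step could also point at the package manager's own verification (`rpm -V openssh-server` or `debsums openssh-server`) as the known-good reference instead of ad-hoc hash comparison. This hunk only relocates the note field; its text is unchanged from the block deleted in the next hunk.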
@@ -112,41 +145,6 @@ file where host.os.type == "linux" and event.type == "change" and process.execut ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential OpenSSH Backdoor Logging Activity - -OpenSSH is a widely used protocol for secure remote administration and file transfers. Adversaries may exploit OpenSSH by modifying its binaries to log credentials or maintain unauthorized access. The detection rule identifies suspicious file changes linked to SSH processes, focusing on unusual file names, extensions, and paths indicative of backdoor activity, thus helping to uncover potential security breaches. - -### Possible investigation steps - -- Review the file change event details to identify the specific file name, extension, and path involved in the alert. Pay particular attention to unusual file names or extensions and paths listed in the query, such as "/usr/lib/*.so.*" or "/private/etc/ssh/.sshd_auth". -- Examine the process executable that triggered the alert, either "/usr/sbin/sshd" or "/usr/bin/ssh", to determine if it has been modified or replaced. Check the integrity of these binaries using hash comparisons against known good versions. -- Investigate the user account associated with the process that made the file change. Determine if the account has a history of suspicious activity or if it has been compromised. -- Check for any recent or unusual login attempts or sessions related to the SSH service on the host. Look for patterns that might indicate unauthorized access or credential harvesting. 
-- Analyze system logs, such as auth.log or secure.log, for any anomalies or entries that coincide with the time of the file change event. This can provide additional context or evidence of malicious activity. -- If a backdoor is suspected, consider isolating the affected system from the network to prevent further unauthorized access and begin remediation efforts, such as restoring from a clean backup or reinstalling the affected services. - -### False positive analysis - -- Routine system updates or package installations may trigger file changes in SSH-related directories. Users can create exceptions for known update processes to prevent false alerts. -- Custom scripts or administrative tasks that modify SSH configuration files for legitimate purposes might be flagged. Users should whitelist these scripts or processes if they are verified as non-malicious. -- Backup or synchronization tools that create temporary files with unusual extensions or names in SSH directories can cause false positives. Exclude these tools from monitoring if they are part of regular operations. -- Development or testing environments where SSH binaries are frequently modified for testing purposes may generate alerts. Implement exclusions for these environments to reduce noise. -- Automated configuration management tools like Ansible or Puppet that modify SSH settings as part of their operations can be excluded if they are part of authorized workflows. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious SSH processes identified in the alert to halt potential backdoor activity. -- Conduct a thorough review of the modified files and binaries, particularly those listed in the query, to assess the extent of the compromise and identify any malicious code or unauthorized changes. 
-- Restore affected files and binaries from a known good backup to ensure system integrity and remove any backdoor modifications. -- Change all SSH credentials and keys associated with the compromised system to prevent unauthorized access using potentially logged credentials. -- Implement additional monitoring on the affected system and network for any signs of persistence or further malicious activity, focusing on the paths and file types highlighted in the detection query. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected, ensuring a coordinated response to the threat.""" [[rule.threat]] diff --git a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml index 5d28c2abd93..8ca35ddc450 100644 --- a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml +++ b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml 
@@ -2,48 +2,23 @@
 creation_date = "2024/08/23"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
-description = """
-This rule detects Linux Access Control List (ACL) modification via the setfacl command.
-"""
+description = "This rule detects Linux Access Control List (ACL) modification via the setfacl command.\n"
 from = "now-9m"
-index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "auditbeat-*",
+ "endgame-*",
+ "logs-auditd_manager.auditd-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Access Control List Modification via setfacl"
-references = ["https://www.uptycs.com/blog/threat-research-report-team/evasive-techniques-used-by-malicious-linux-shell-scripts"]
-risk_score = 21
-rule_id = "999565a2-fc52-4d72-91e4-ba6712c0377e"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-process where host.os.type == "linux" and event.type == "start" and
-event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
-process.name == "setfacl" and not (
- process.command_line == "/bin/setfacl --restore=-" or
- process.args == "/var/log/journal/" or
- process.parent.name in ("stats.pl", "perl", "find") or
- process.parent.command_line like~ "/bin/sh -c *ansible*"
-)
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
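Review bot: The rewritten `description` keeps a trailing `\n` inside a single-line basic string, `"...via the setfacl command.\n"`, which is only the newline the old `"""` literal ended with; as a one-liner it reads as a leftover rather than intent. Either keep the multi-line form or drop the escape: `description = "This rule detects Linux Access Control List (ACL) modification via the setfacl command."`. If the repository's formatter deliberately preserves the value byte-for-byte, ignore this and let the formatter stay authoritative.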
@@ -77,21 +52,54 @@ Access Control Lists (ACLs) in Linux enhance file permission management by allow - Update and patch the system to address any vulnerabilities that may have been exploited to gain access. - Implement stricter access controls and monitoring on critical systems to detect and prevent unauthorized ACL modifications in the future. - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.""" +references = [ + "https://www.uptycs.com/blog/threat-research-report-team/evasive-techniques-used-by-malicious-linux-shell-scripts", +] +risk_score = 21 +rule_id = "999565a2-fc52-4d72-91e4-ba6712c0377e" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +process.name == "setfacl" and not ( + process.command_line == "/bin/setfacl --restore=-" or + process.args == "/var/log/journal/" or + process.parent.name in ("stats.pl", "perl", "find") or + process.parent.command_line like~ "/bin/sh -c *ansible*" +) +''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [[rule.threat.technique.subtechnique]] id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = 
"https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml index ae6348cef81..c3587dda471 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml 
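Review bot: The blank-line changes in the threat section are inconsistent: the separators between `[[rule.threat.technique]]` and its subtechnique are removed, two blank lines are inserted before `[rule.threat.tactic]`, and a lone `+` after the final `reference` leaves the file with a trailing empty line. The auditd rule's second hunk below shows the same pattern. If this is formatter output it is worth checking the formatter's table-spacing settings; otherwise one blank line between tables and no trailing blank would match the rest of the file. Separately, the exclusion `process.parent.command_line like~ "/bin/sh -c *ansible*"` is a substring match over the whole parent command line; keying the exception to the parent executable path or the automation user would keep it narrower.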
@@ -2,22 +2,58 @@ creation_date = "2024/08/28" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Adversaries may attempt to disable the Auditd service to evade detection. Auditd is a Linux service that -provides system auditing and logging. Disabling the Auditd service can prevent the system from logging important -security events, which can be used to detect malicious activity. +Adversaries may attempt to disable the Auditd service to evade detection. Auditd is a Linux service that provides system +auditing and logging. Disabling the Auditd service can prevent the system from logging important security events, which +can be used to detect malicious activity. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process*", + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Attempt to Disable Auditd Service" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Attempt to Disable Auditd Service + +Auditd is a critical Linux service responsible for system auditing and logging, capturing security-relevant events. Adversaries may target this service to evade detection by disabling it, thus preventing the logging of their activities. 
The detection rule identifies suspicious processes attempting to stop or disable Auditd, such as using commands like `service stop` or `systemctl disable`, signaling potential defense evasion tactics. + +### Possible investigation steps + +- Review the process details to identify the user account associated with the suspicious command execution, focusing on the process fields such as process.name and process.args. +- Check the system logs for any preceding or subsequent suspicious activities around the time of the alert, particularly looking for other defense evasion tactics or unauthorized access attempts. +- Investigate the command history of the user identified to determine if there are any other unauthorized or suspicious commands executed. +- Verify the current status of the Auditd service on the affected host to ensure it is running and properly configured. +- Correlate the alert with any other security events or alerts from the same host or user to identify potential patterns or broader attack campaigns. + +### False positive analysis + +- System administrators may intentionally stop or disable the Auditd service during maintenance or troubleshooting. To handle this, create exceptions for known maintenance windows or specific administrator accounts. +- Automated scripts or configuration management tools might stop or disable Auditd as part of routine system updates or deployments. Identify these scripts and whitelist their activities to prevent false alerts. +- Some Linux distributions or custom setups might have alternative methods for managing services that could trigger this rule. Review and adjust the detection criteria to align with the specific service management practices of your environment. +- In environments where Auditd is not used or is replaced by another logging service, the rule might trigger unnecessarily. Consider disabling the rule or adjusting its scope in such cases. 
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further malicious activity and potential lateral movement by the adversary.
+- Terminate any suspicious processes identified in the alert that are attempting to disable the Auditd service to stop the adversary's actions.
+- Re-enable and restart the Auditd service on the affected system to ensure that auditing and logging are resumed, capturing any further suspicious activities.
+- Conduct a thorough review of the system logs and audit records to identify any unauthorized changes or additional indicators of compromise that may have occurred prior to the alert.
+- Apply any necessary security patches or updates to the affected system to address vulnerabilities that may have been exploited by the adversary.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected.
+- Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable critical security services."""
 risk_score = 21
 rule_id = "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf"
 setup = """## Setup
@@ -59,6 +95,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and (
 (process.name == "service" and process.args == "stop") or
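Review bot: The False positive section recommends exceptions for "specific administrator accounts", but a defense-evasion rule is most valuable precisely when an administrator account is misused, and an account-wide exception hides that case entirely. Exceptions are safer when keyed to the maintenance tooling itself (parent process, script path or change window) rather than to a user. Suggested rewording of that bullet: `- System administrators may intentionally stop or disable the Auditd service during maintenance. Scope exceptions to the approved maintenance tooling (parent process, script path or change window) rather than to administrator accounts.` The iptables rule's note further down gives the same account-based advice ("exclude specific user accounts or IP addresses associated with network administrators") and should be adjusted the same way.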
@@ -68,54 +105,23 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.args in ("auditd", "auditd.service") and not process.parent.name == "auditd.prerm" ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Attempt to Disable Auditd Service - -Auditd is a critical Linux service responsible for system auditing and logging, capturing security-relevant events. Adversaries may target this service to evade detection by disabling it, thus preventing the logging of their activities. The detection rule identifies suspicious processes attempting to stop or disable Auditd, such as using commands like `service stop` or `systemctl disable`, signaling potential defense evasion tactics. - -### Possible investigation steps - -- Review the process details to identify the user account associated with the suspicious command execution, focusing on the process fields such as process.name and process.args. -- Check the system logs for any preceding or subsequent suspicious activities around the time of the alert, particularly looking for other defense evasion tactics or unauthorized access attempts. -- Investigate the command history of the user identified to determine if there are any other unauthorized or suspicious commands executed. -- Verify the current status of the Auditd service on the affected host to ensure it is running and properly configured. -- Correlate the alert with any other security events or alerts from the same host or user to identify potential patterns or broader attack campaigns. 
- -### False positive analysis - -- System administrators may intentionally stop or disable the Auditd service during maintenance or troubleshooting. To handle this, create exceptions for known maintenance windows or specific administrator accounts. -- Automated scripts or configuration management tools might stop or disable Auditd as part of routine system updates or deployments. Identify these scripts and whitelist their activities to prevent false alerts. -- Some Linux distributions or custom setups might have alternative methods for managing services that could trigger this rule. Review and adjust the detection criteria to align with the specific service management practices of your environment. -- In environments where Auditd is not used or is replaced by another logging service, the rule might trigger unnecessarily. Consider disabling the rule or adjusting its scope in such cases. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further malicious activity and potential lateral movement by the adversary. -- Terminate any suspicious processes identified in the alert that are attempting to disable the Auditd service to stop the adversary's actions. -- Re-enable and restart the Auditd service on the affected system to ensure that auditing and logging are resumed, capturing any further suspicious activities. -- Conduct a thorough review of the system logs and audit records to identify any unauthorized changes or additional indicators of compromise that may have occurred prior to the alert. -- Apply any necessary security patches or updates to the affected system to address vulnerabilities that may have been exploited by the adversary. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. 
-- Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable critical security services.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index 024008d82c8..330d65b308c 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,41 @@ index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_ language = "eql" license = "Elastic License v2" name = "Attempt to Disable IPTables or Firewall" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Attempt to Disable IPTables or Firewall + +Firewalls like IPTables on Linux systems are crucial for controlling network traffic and protecting against unauthorized access. Adversaries may attempt to disable these firewalls to bypass security measures and facilitate malicious activities. The detection rule identifies suspicious processes that attempt to disable or stop firewall services, such as using commands to flush IPTables rules or halt firewall services, indicating potential defense evasion tactics. + +### Possible investigation steps + +- Review the process details, including process.name and process.args, to confirm if the command was intended to disable or stop firewall services. +- Check the process.parent.args to understand the context in which the suspicious process was executed, especially if it was triggered by a parent process with arguments like "force-stop". +- Investigate the user account associated with the process execution to determine if it was an authorized user or potentially compromised. +- Examine the host's recent activity logs for any other suspicious behavior or anomalies around the time of the alert, focusing on event.type "start" and event.action "exec" or "exec_event". +- Assess the network traffic logs to identify any unusual inbound or outbound connections that might have occurred after the firewall was disabled or stopped. 
+- Correlate this event with other alerts or incidents involving the same host or user to identify potential patterns or coordinated attack attempts. + +### False positive analysis + +- Routine system maintenance or updates may trigger the rule when legitimate processes like systemctl or service are used to stop or restart firewall services. To manage this, create exceptions for known maintenance scripts or scheduled tasks that perform these actions. +- Network troubleshooting activities often involve temporarily disabling firewalls to diagnose connectivity issues. Users can exclude specific user accounts or IP addresses associated with network administrators from triggering the rule during these activities. +- Automated deployment scripts that configure or reconfigure firewall settings might match the rule's criteria. Identify and whitelist these scripts by their process names or execution paths to prevent false positives. +- Security software updates or installations may require temporary firewall adjustments, which could be flagged by the rule. Consider excluding processes associated with trusted security software vendors during update windows. +- Development or testing environments often have different security requirements, leading to frequent firewall changes. Implement environment-specific exceptions to avoid false positives in these contexts. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further unauthorized access or potential lateral movement by the adversary. +- Terminate any suspicious processes identified in the alert, such as those attempting to disable or stop firewall services, to halt ongoing malicious activities. +- Review and restore the firewall configurations to their last known good state to ensure that network traffic is properly controlled and unauthorized access is blocked. 
+- Conduct a thorough examination of the affected system for any signs of compromise or additional malicious activity, focusing on logs and system changes around the time of the alert. +- Escalate the incident to the security operations team for further analysis and to determine if the threat is part of a larger attack campaign. +- Implement additional monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable firewall services promptly. +- Review and update firewall policies and configurations to enhance security measures and prevent similar defense evasion tactics in the future.""" references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"] risk_score = 21 rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f" 
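Review bot: The Response step "Terminate any suspicious processes identified in the alert" is unlikely to be actionable for this rule, because the commands it describes (flushing IPTables rules, stopping the firewall service) are one-shot invocations that have normally exited by the time the alert is evaluated. The practical first step is restoring the rule set, which the next bullet already covers, and confirming the firewall service is running again. Consider folding the two bullets together, e.g. `- Restore the firewall rule set from its last known good configuration and confirm the service is running again; the triggering commands are short-lived, so focus on the parent process and user rather than on terminating them.` The setfacl and auditd notes above carry the same terminate-first wording.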
@@ -78,41 +111,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Attempt to Disable IPTables or Firewall - -Firewalls like IPTables on Linux systems are crucial for controlling network traffic and protecting against unauthorized access. Adversaries may attempt to disable these firewalls to bypass security measures and facilitate malicious activities. The detection rule identifies suspicious processes that attempt to disable or stop firewall services, such as using commands to flush IPTables rules or halt firewall services, indicating potential defense evasion tactics. - -### Possible investigation steps - -- Review the process details, including process.name and process.args, to confirm if the command was intended to disable or stop firewall services. -- Check the process.parent.args to understand the context in which the suspicious process was executed, especially if it was triggered by a parent process with arguments like "force-stop". -- Investigate the user account associated with the process execution to determine if it was an authorized user or potentially compromised. -- Examine the host's recent activity logs for any other suspicious behavior or anomalies around the time of the alert, focusing on event.type "start" and event.action "exec" or "exec_event". -- Assess the network traffic logs to identify any unusual inbound or outbound connections that might have occurred after the firewall was disabled or stopped. 
-- Correlate this event with other alerts or incidents involving the same host or user to identify potential patterns or coordinated attack attempts.
-
-### False positive analysis
-
-- Routine system maintenance or updates may trigger the rule when legitimate processes like systemctl or service are used to stop or restart firewall services. To manage this, create exceptions for known maintenance scripts or scheduled tasks that perform these actions.
-- Network troubleshooting activities often involve temporarily disabling firewalls to diagnose connectivity issues. Users can exclude specific user accounts or IP addresses associated with network administrators from triggering the rule during these activities.
-- Automated deployment scripts that configure or reconfigure firewall settings might match the rule's criteria. Identify and whitelist these scripts by their process names or execution paths to prevent false positives.
-- Security software updates or installations may require temporary firewall adjustments, which could be flagged by the rule. Consider excluding processes associated with trusted security software vendors during update windows.
-- Development or testing environments often have different security requirements, leading to frequent firewall changes. Implement environment-specific exceptions to avoid false positives in these contexts.
-
-### Response and remediation
-
-- Immediately isolate the affected host from the network to prevent further unauthorized access or potential lateral movement by the adversary.
-- Terminate any suspicious processes identified in the alert, such as those attempting to disable or stop firewall services, to halt ongoing malicious activities.
-- Review and restore the firewall configurations to their last known good state to ensure that network traffic is properly controlled and unauthorized access is blocked.
-- Conduct a thorough examination of the affected system for any signs of compromise or additional malicious activity, focusing on logs and system changes around the time of the alert.
-- Escalate the incident to the security operations team for further analysis and to determine if the threat is part of a larger attack campaign.
-- Implement additional monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable firewall services promptly.
-- Review and update firewall policies and configurations to enhance security measures and prevent similar defense evasion tactics in the future."""
 [[rule.threat]]
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index b8eb9f0e226..aadb19c4e63 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/04/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
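Review bot: Removing `min_stack_version = "8.13.0"` together with its `min_stack_comments` line drops the floor that the deleted comment tied to the SentinelOne integration, while the `integration` context line still lists `sentinel_one_cloud_funnel`; this is only safe if no supported stack below 8.13 remains, which the commit does not state. The same two-line removal appears in the base16/base32 rule and the base64 rule further down this diff. One sentence in the commit description saying why the floor is obsolete (for example that every branch still receiving rule updates is at or above 8.13) would spare the next reader the archaeology.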
@@ -13,10 +11,50 @@ Adversaries may attempt to disable the syslog service in an attempt to an attemp
 detection by security controls.
 """
 from = "now-9m"
-index = ["auditbeat-*", "endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "auditbeat-*",
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Disable Syslog Service"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Attempt to Disable Syslog Service
+
+Syslog is a critical component in Linux environments, responsible for logging system events and activities. Adversaries may target syslog to disable logging, thereby evading detection and obscuring their malicious actions. The detection rule identifies attempts to stop or disable syslog services by monitoring specific process actions and arguments, flagging suspicious commands that could indicate an attempt to impair logging defenses.
+
+### Possible investigation steps
+
+- Review the process details to identify the user account associated with the command execution, focusing on the process.name and process.args fields to determine if the action was legitimate or suspicious.
+- Check the system's recent login history and user activity to identify any unauthorized access attempts or anomalies around the time the syslog service was targeted.
+- Investigate the parent process of the flagged command to understand the context of its execution and determine if it was initiated by a legitimate application or script.
+- Examine other logs and alerts from the same host around the time of the event to identify any correlated suspicious activities or patterns that might indicate a broader attack.
+- Assess the system for any signs of compromise, such as unexpected changes in configuration files, unauthorized software installations, or unusual network connections, to determine if the attempt to disable syslog is part of a larger attack.
+
+### False positive analysis
+
+- Routine maintenance activities may trigger this rule, such as scheduled service restarts or system updates. To manage this, create exceptions for known maintenance windows or specific administrative accounts performing these tasks.
+- Automated scripts or configuration management tools like Ansible or Puppet might stop or disable syslog services as part of their operations. Identify these scripts and whitelist their execution paths or associated user accounts.
+- Testing environments often simulate service disruptions, including syslog, for resilience testing. Exclude these environments from the rule or adjust the rule to ignore specific test-related processes.
+- Some legitimate software installations or updates may require stopping syslog services temporarily. Monitor installation logs and exclude these processes if they are verified as non-threatening.
+- In environments with multiple syslog implementations, ensure that the rule is not overly broad by refining the process arguments to match only the specific syslog services in use.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further malicious activity and potential lateral movement by the adversary.
+- Terminate any suspicious processes identified in the alert, specifically those attempting to stop or disable syslog services, to restore normal logging functionality.
+- Restart the syslog service on the affected system to ensure that logging is re-enabled and operational, using commands like `systemctl start syslog` or `service syslog start`.
+- Conduct a thorough review of recent logs, if available, to identify any additional suspicious activities or indicators of compromise that may have occurred prior to the syslog service being disabled.
+- Escalate the incident to the security operations team for further investigation and to determine if the attack is part of a larger campaign or if other systems are affected.
+- Implement additional monitoring on the affected system and similar systems to detect any further attempts to disable logging services, using enhanced logging and alerting mechanisms.
+- Review and update access controls and permissions to ensure that only authorized personnel have the ability to modify or stop critical services like syslog, reducing the risk of future incidents."""
 references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
 risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
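Review bot: The false-positive section of the new guide never mentions the exclusion the query already carries, `not process.parent.name == "rsyslog-rotate"` (visible as context in the next hunk), so an analyst tuning the rule cannot tell that rotation-driven restarts are already handled; a bullet such as `- Restarts triggered by log rotation are already excluded through the rsyslog-rotate parent-process check; extend that check rather than suppressing the rule if other rotation helpers show up.` would close that gap. The bullet `- Terminate any suspicious processes ... to restore normal logging functionality` also misattributes the effect: killing the process does not bring syslog back, the restart bullet that follows does, so the trailing clause should go. The note text otherwise appears to be the same guide that the next hunk removes from below the query, so only its placement changes.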
@@ -80,40 +118,6 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event", ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and not process.parent.name == "rsyslog-rotate" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Attempt to Disable Syslog Service - -Syslog is a critical component in Linux environments, responsible for logging system events and activities. Adversaries may target syslog to disable logging, thereby evading detection and obscuring their malicious actions. The detection rule identifies attempts to stop or disable syslog services by monitoring specific process actions and arguments, flagging suspicious commands that could indicate an attempt to impair logging defenses. - -### Possible investigation steps - -- Review the process details to identify the user account associated with the command execution, focusing on the process.name and process.args fields to determine if the action was legitimate or suspicious. -- Check the system's recent login history and user activity to identify any unauthorized access attempts or anomalies around the time the syslog service was targeted. -- Investigate the parent process of the flagged command to understand the context of its execution and determine if it was initiated by a legitimate application or script. -- Examine other logs and alerts from the same host around the time of the event to identify any correlated suspicious activities or patterns that might indicate a broader attack. 
-- Assess the system for any signs of compromise, such as unexpected changes in configuration files, unauthorized software installations, or unusual network connections, to determine if the attempt to disable syslog is part of a larger attack.
-
-### False positive analysis
-
-- Routine maintenance activities may trigger this rule, such as scheduled service restarts or system updates. To manage this, create exceptions for known maintenance windows or specific administrative accounts performing these tasks.
-- Automated scripts or configuration management tools like Ansible or Puppet might stop or disable syslog services as part of their operations. Identify these scripts and whitelist their execution paths or associated user accounts.
-- Testing environments often simulate service disruptions, including syslog, for resilience testing. Exclude these environments from the rule or adjust the rule to ignore specific test-related processes.
-- Some legitimate software installations or updates may require stopping syslog services temporarily. Monitor installation logs and exclude these processes if they are verified as non-threatening.
-- In environments with multiple syslog implementations, ensure that the rule is not overly broad by refining the process arguments to match only the specific syslog services in use.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further malicious activity and potential lateral movement by the adversary.
-- Terminate any suspicious processes identified in the alert, specifically those attempting to stop or disable syslog services, to restore normal logging functionality.
-- Restart the syslog service on the affected system to ensure that logging is re-enabled and operational, using commands like `systemctl start syslog` or `service syslog start`.
-- Conduct a thorough review of recent logs, if available, to identify any additional suspicious activities or indicators of compromise that may have occurred prior to the syslog service being disabled.
-- Escalate the incident to the security operations team for further investigation and to determine if the attack is part of a larger campaign or if other systems are affected.
-- Implement additional monitoring on the affected system and similar systems to detect any further attempts to disable logging services, using enhanced logging and alerting mechanisms.
-- Review and update access controls and permissions to ensure that only authorized personnel have the ability to modify or stop critical services like syslog, reducing the risk of future incidents."""
 [[rule.threat]]
diff --git a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
index e8d4b08fe06..b75176fef92 100644
--- a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
+++ b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/05/15"
 [rule]
 author = ["Elastic"]
@@ -12,10 +12,46 @@ are used to store public keys for SSH authentication. Unauthorized deletion of t
 of an attacker removing access to the system, and may be a precursor to further malicious activity.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SSH Authorized Keys File Deletion"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating SSH Authorized Keys File Deletion
+
+SSH authorized keys files are crucial for secure, password-less authentication on Linux systems, storing public keys that grant access. Adversaries may delete these files to disrupt legitimate access or cover their tracks. The detection rule identifies unauthorized deletions by monitoring file removal events, excluding benign processes, thus highlighting potential defense evasion tactics.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific file name (authorized_keys or authorized_keys2) and the host where the deletion occurred.
+- Examine the process that triggered the deletion event, focusing on the process.executable field to determine if it is a known benign process or potentially malicious.
+- Check the user account associated with the process that deleted the file to assess if it is a legitimate user or potentially compromised.
+- Investigate recent login attempts and SSH access logs on the affected host to identify any unauthorized access or anomalies around the time of the file deletion.
+- Look for any other suspicious activities or alerts on the same host that might indicate a broader attack or compromise, such as other file deletions or modifications.
+- Assess the impact of the deletion by determining if legitimate access was disrupted and if any critical operations were affected.
+
+### False positive analysis
+
+- Routine system maintenance or updates may trigger deletions of authorized_keys files. To handle this, identify and exclude processes related to scheduled maintenance tasks from the detection rule.
+- Automated configuration management tools like Ansible or Puppet might remove and recreate authorized_keys files as part of their operations. Consider excluding these tools' processes if they are verified as non-threatening.
+- Cloud service agents, such as those from Google Cloud, may modify SSH keys as part of their operations. Ensure that processes like /usr/bin/google_guest_agent are excluded to prevent false positives.
+- Container management services like Docker and containerd might interact with SSH keys during container lifecycle events. Exclude these processes if they are part of legitimate container operations.
+- Custom scripts or applications that manage SSH keys for legitimate purposes should be reviewed and, if necessary, added to the exclusion list to prevent unnecessary alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the attacker.
+- Verify the integrity of the SSH configuration and authorized keys files on the affected system. Restore the deleted authorized_keys or authorized_keys2 files from a secure backup if available.
+- Conduct a thorough review of recent user and process activity on the affected system to identify any unauthorized access or suspicious behavior that may have led to the deletion.
+- Change SSH keys and credentials for all users on the affected system to prevent unauthorized access using potentially compromised keys.
+- Implement additional monitoring on the affected system to detect any further unauthorized file deletions or suspicious activities, ensuring that alerts are configured for immediate response.
+- Escalate the incident to the security operations team for further investigation and to determine if the attack is part of a larger campaign targeting the organization.
+- Review and update access controls and permissions on the affected system to ensure that only authorized users and processes can modify critical files like authorized_keys.
+"""
 risk_score = 21
 rule_id = "3c216ace-2633-4911-9aac-b61d4dc320e8"
 setup = """## Setup
@@ -50,6 +86,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index 613f65a3b6d..53fe306644f 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/04/17"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
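Review bot: The `index` change from `logs-endpoint.events.process*` to `logs-endpoint.events.file*` is the substantive fix in this hunk and is not called out anywhere: a file-deletion query pointed at the process data stream would presumably never have matched since the rule's 2025/02/21 creation, so the commit description should say that earlier deployments of this rule were silent. The guide's false-positive bullets name `/usr/bin/google_guest_agent`, Docker and containerd as excluded processes; the exclusion list itself is outside this hunk, so confirm those names match what the query filters on `process.executable`. Minor style: this note closes with `+"""` on its own line, leaving a trailing newline inside the string, whereas the syslog and base16 guides in this diff close with `."""`; use whichever form the repo's TOML normaliser emits so a later reformat does not churn the file.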
@@ -16,10 +14,52 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "auditbeat-*",
+ "endgame-*",
+ "logs-auditd_manager.auditd-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Base16 or Base32 Encoding/Decoding Activity"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Base16 or Base32 Encoding/Decoding Activity
+
+Base16 and Base32 are encoding schemes used to convert binary data into text, facilitating data transmission and storage. Adversaries exploit these encodings to obfuscate malicious payloads, evading detection by security systems. The detection rule identifies suspicious encoding/decoding activities on Linux systems by monitoring specific processes and actions, excluding benign uses like help or version checks.
+
+### Possible investigation steps
+
+- Review the process name and arguments to confirm if the activity is related to encoding/decoding using base16 or base32, ensuring it is not a benign use case like help or version checks.
+- Examine the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious.
+- Check the parent process of the encoding/decoding activity to identify if it was initiated by a legitimate application or a potentially malicious script or program.
+- Investigate the timing and frequency of the encoding/decoding events to assess if they coincide with other suspicious activities or known attack patterns.
+- Correlate the event with network activity logs to see if there is any data exfiltration attempt or communication with known malicious IP addresses or domains.
+- Look into any recent changes or anomalies in the system that might indicate a compromise, such as unauthorized file modifications or new user accounts.
+
+### False positive analysis
+
+- Routine administrative tasks may trigger the rule if administrators use base16 or base32 commands for legitimate data encoding or decoding. To manage this, create exceptions for specific user accounts or scripts known to perform these tasks regularly.
+- Automated backup or data transfer processes might use base16 or base32 encoding as part of their operations. Identify these processes and exclude them by specifying their unique process arguments or execution paths.
+- Development and testing environments often involve encoding and decoding operations for debugging or data manipulation. Exclude these environments by filtering based on hostnames or IP addresses associated with non-production systems.
+- Security tools or scripts that perform regular encoding checks for data integrity or compliance purposes can also trigger false positives. Whitelist these tools by their process names or execution contexts to prevent unnecessary alerts.
+- Educational or research activities involving encoding techniques may inadvertently match the rule criteria. Consider excluding known educational user groups or specific research project identifiers to reduce false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the adversary.
+- Terminate any suspicious processes identified by the detection rule, specifically those involving base16 or base32 encoding/decoding without benign arguments.
+- Conduct a thorough review of recent system logs and process execution history to identify any additional suspicious activities or related processes.
+- Remove any malicious files or payloads that have been identified as part of the encoding/decoding activity.
+- Restore any affected files or systems from known good backups to ensure system integrity and data accuracy.
+- Update and patch the affected system to close any vulnerabilities that may have been exploited by the adversary.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 risk_score = 21
 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
 setup = """## Setup
@@ -81,41 +121,6 @@ process where host.os.type == "linux" and event.type == "start" and process.name in ("base16", "base32", "base32plain", "base32hex") and not process.args in ("--help", "--version") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Base16 or Base32 Encoding/Decoding Activity - -Base16 and Base32 are encoding schemes used to convert binary data into text, facilitating data transmission and storage. Adversaries exploit these encodings to obfuscate malicious payloads, evading detection by security systems. The detection rule identifies suspicious encoding/decoding activities on Linux systems by monitoring specific processes and actions, excluding benign uses like help or version checks. - -### Possible investigation steps - -- Review the process name and arguments to confirm if the activity is related to encoding/decoding using base16 or base32, ensuring it is not a benign use case like help or version checks. -- Examine the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious. -- Check the parent process of the encoding/decoding activity to identify if it was initiated by a legitimate application or a potentially malicious script or program. -- Investigate the timing and frequency of the encoding/decoding events to assess if they coincide with other suspicious activities or known attack patterns. -- Correlate the event with network activity logs to see if there is any data exfiltration attempt or communication with known malicious IP addresses or domains. 
-- Look into any recent changes or anomalies in the system that might indicate a compromise, such as unauthorized file modifications or new user accounts.
-
-### False positive analysis
-
-- Routine administrative tasks may trigger the rule if administrators use base16 or base32 commands for legitimate data encoding or decoding. To manage this, create exceptions for specific user accounts or scripts known to perform these tasks regularly.
-- Automated backup or data transfer processes might use base16 or base32 encoding as part of their operations. Identify these processes and exclude them by specifying their unique process arguments or execution paths.
-- Development and testing environments often involve encoding and decoding operations for debugging or data manipulation. Exclude these environments by filtering based on hostnames or IP addresses associated with non-production systems.
-- Security tools or scripts that perform regular encoding checks for data integrity or compliance purposes can also trigger false positives. Whitelist these tools by their process names or execution contexts to prevent unnecessary alerts.
-- Educational or research activities involving encoding techniques may inadvertently match the rule criteria. Consider excluding known educational user groups or specific research project identifiers to reduce false positives.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the adversary.
-- Terminate any suspicious processes identified by the detection rule, specifically those involving base16 or base32 encoding/decoding without benign arguments.
-- Conduct a thorough review of recent system logs and process execution history to identify any additional suspicious activities or related processes.
-- Remove any malicious files or payloads that have been identified as part of the encoding/decoding activity.
-- Restore any affected files or systems from known good backups to ensure system integrity and data accuracy.
-- Update and patch the affected system to close any vulnerabilities that may have been exploited by the adversary.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 [[rule.threat]]
diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml
index 68feb42e0ef..291b5e6340c 100644
--- a/rules/linux/defense_evasion_base64_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_decoding_activity.toml
@@ -2,23 +2,57 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
-min_stack_version = "8.13.0"
-updated_date = "2025/02/21"
+updated_date = "2025/04/07"
 [rule]
 author = ["Elastic"]
 description = """
-This rule leverages ES|QL to detect unusual base64 encoding/decoding activity on Linux systems. Attackers may
-use base64 encoding/decoding to obfuscate data, such as command and control traffic or payloads, to evade
-detection by host- or network-based security controls. ES|QL rules have limited fields available in its alert
-documents. Make sure to review the original documents to aid in the investigation of this alert.
+This rule leverages ES|QL to detect unusual base64 encoding/decoding activity on Linux systems. Attackers may use base64
+encoding/decoding to obfuscate data, such as command and control traffic or payloads, to evade detection by host- or
+network-based security controls. ES|QL rules have limited fields available in its alert documents. Make sure to review
+the original documents to aid in the investigation of this alert.
 """
 from = "now-61m"
 interval = "1h"
 language = "esql"
 license = "Elastic License v2"
 name = "Unusual Base64 Encoding/Decoding Activity"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Base64 Encoding/Decoding Activity
+Base64 encoding is a method to convert binary data into ASCII text, often used for data transmission. Adversaries exploit this to obfuscate malicious payloads or commands, bypassing security controls. The detection rule identifies suspicious Base64 activity on Linux by monitoring specific processes and command patterns, flagging anomalies for further investigation.
+
+### Possible investigation steps
+
+- Review the process name and command line arguments to understand the context of the Base64 activity. Check if the process name matches known legitimate applications or scripts.
+- Examine the timestamp of the event to determine if the activity occurred during normal operational hours or if it coincides with other suspicious activities.
+- Investigate the host operating system type and agent ID to identify the specific Linux system involved and assess if it has a history of similar alerts or other security incidents.
+- Analyze the process command line for any unusual patterns or parameters that might indicate obfuscation or malicious intent, such as the presence of decode flags or unexpected Base64 operations.
+- Correlate the event with other logs or alerts from the same host or network to identify potential lateral movement or coordinated attacks.
+- Check for any recent changes or deployments on the affected system that might explain the Base64 activity, such as new software installations or updates.
+- Consult threat intelligence sources to determine if the observed Base64 patterns or command line arguments are associated with known malware or attack techniques.
+
+### False positive analysis
+
+- Routine administrative scripts may use base64 encoding for legitimate data processing tasks. Review the process.command_line and process.args fields to identify known scripts and consider excluding them from the rule.
+- Backup or data transfer operations might employ base64 encoding to handle binary data. Verify the process.name and process.command_line to ensure these operations are recognized and add exceptions for these specific processes.
+- Development environments often use base64 encoding for testing purposes. Identify development-related processes by examining the process.name and process.command_line and exclude them if they are part of regular development activities.
+- Automated system monitoring tools might trigger this rule if they use base64 encoding for log or data analysis. Check the agent.id and process.command_line to confirm these tools and exclude them from the rule if they are verified as non-threatening.
+- Security tools that perform data encoding for analysis or reporting could be flagged. Validate these tools by reviewing the process.name and process.command_line and create exceptions for them if they are part of the security infrastructure.
+
+### Response and remediation
+
+- Isolate the affected Linux system from the network to prevent further data exfiltration or lateral movement by the adversary.
+- Terminate any suspicious processes identified by the alert, particularly those involving base64 encoding/decoding, to halt potential malicious activity.
+- Conduct a thorough review of the process command lines and arguments flagged by the alert to identify any malicious scripts or payloads. Remove or quarantine these files as necessary.
+- Check for any unauthorized user accounts or privilege escalations that may have been established during the attack and revoke access immediately.
+- Restore any affected systems or files from a known good backup to ensure the integrity of the system and data.
+- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the suspicious base64 activity.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if broader organizational impacts exist.
+"""
 risk_score = 21
 rule_id = "c5637438-e32d-4bb3-bc13-bd7932b3289f"
 setup = """## Setup
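Review bot: The heading `+### Investigating Unusual Base64 Encoding/Decoding Activity` runs straight into its paragraph, while every other guide in this diff separates heading and paragraph with a blank line; insert a `+` blank line after the heading so the markdown renders consistently. The re-wrapped description keeps `ES|QL rules have limited fields available in its alert documents`, which should read `in their alert documents`. Dropping `min_stack_version = "8.13.0"` here coincides with the query hunks later in this file adding `VALUES(host.name)` and `VALUES(agent.id)` aggregations; as far as I recall that aggregate post-dates 8.13, so confirm it exists on the oldest branch this rule now targets or keep an explicit floor.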
@@ -54,12 +88,14 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
+
 query = '''
 from logs-endpoint.events.process-*
-| keep @timestamp, host.os.type, event.type, event.action, process.name, process.args, process.command_line, agent.id
+| keep @timestamp, host.os.type, event.type, event.action, process.name, process.args, process.command_line, agent.id, host.name
 | where @timestamp > now() - 1 hours
 | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
 (process.name in ("base64", "base64plain", "base64url", "base64mime", "base64pem", "base32", "base16") and process.command_line like "*-*d*") or
@@ -71,54 +107,55 @@ from logs-endpoint.events.process-* (process.name like "perl*" and process.command_line like "*decode_base64*") or (process.name like "ruby*" and process.args == "-e" and process.command_line like "*Base64.decode64*") ) -| stats cc = count(), agent_count = count_distinct(agent.id) by process.name, process.command_line +| stats cc = count(), agent_count = count_distinct(agent.id), host.name = VALUES(host.name), agent.id = VALUES(agent.id) by process.name, process.command_line | where agent_count == 1 and cc < 15 | sort cc asc | limit 100 ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" - [[rule.threat.technique]] - name = "Obfuscated Files or Information" - id = "T1027" - reference = "https://attack.mitre.org/techniques/T1027/" - - [[rule.threat.technique]] - name = "Deobfuscate/Decode Files or Information" - id = "T1140" - reference = "https://attack.mitre.org/techniques/T1140/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = 
"https://attack.mitre.org/techniques/T1204/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" - - [[rule.threat.technique.subtechnique]] - name = "Malicious File" - id = "T1204.002" - reference = "https://attack.mitre.org/techniques/T1204/002/" diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index 405cf25b306..acae70f730b 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -min_stack_version = "8.13.0" -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
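Review bot: The rewritten `stats` line stores the `VALUES()` aggregates under the ECS names `host.name` and `agent.id`, so the output rows carry columns that read like single event fields but are multi-valued sets. `agent_count == 1` guarantees exactly one `agent.id` per row, but nothing bounds `host.name`, so a row could hold more than one hostname if the same agent reported under different names, and anything downstream that treats `host.name` as a scalar (exception lists, de-duplication) should be checked against that. The companion `keep ..., host.name` in the preceding hunk is what makes the aggregate possible, so the two changes belong together. If the intent is purely alert enrichment, one sentence in the note such as "`host.name` and `agent.id` are re-attached via `VALUES()` so the aggregated alert still names the originating host" would save the next reader from wondering why grouping inputs are re-derived.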
@@ -20,6 +18,40 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "File made Immutable by Chattr" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating File made Immutable by Chattr + +The `chattr` command in Linux is used to change file attributes, including making files immutable, which prevents modifications or deletions. Adversaries exploit this to secure malicious files or altered system files against tampering, aiding persistence. The detection rule identifies suspicious use of `chattr` by monitoring process executions, filtering out benign parent processes, and focusing on those altering immutability attributes, thus highlighting potential misuse. + +### Possible investigation steps + +- Review the process execution details to confirm the use of the chattr command with arguments altering immutability, specifically looking for "+i" or "-i" in process.args. +- Identify the file(s) targeted by the chattr command to determine if they are critical system files or files commonly targeted by threat actors, such as .ssh or /etc/passwd. +- Investigate the parent process of the chattr execution by examining process.parent.executable and process.parent.name to determine if it is a known benign process or potentially malicious. +- Check the user context under which the chattr command was executed to assess if it aligns with expected administrative activity or if it indicates unauthorized access. +- Correlate the event with other security alerts or logs to identify any related suspicious activities, such as unauthorized access attempts or changes to other system files. 
+- Evaluate the risk and impact of the immutable file(s) on system operations and security posture, considering the potential for persistence or defense evasion by threat actors. + +### False positive analysis + +- System processes like systemd and cf-agent may invoke chattr for legitimate reasons, such as system maintenance or configuration management. To handle these, exclude these processes by adding them to the exception list in the detection rule. +- Scheduled tasks or scripts that use chattr to manage file attributes for security or operational purposes can trigger false positives. Identify these tasks and exclude their parent processes from the rule. +- Administrative actions performed by authorized users, such as securing configuration files, might be flagged. Regularly review and update the list of known benign parent processes to prevent unnecessary alerts. +- Security tools or agents that modify file attributes as part of their protection mechanisms can cause false positives. Ensure these tools are recognized and excluded by their executable paths or parent process names. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Identify and terminate any malicious processes associated with the `chattr` command to stop further unauthorized file modifications. +- Restore the affected files from a known good backup, ensuring that any immutable attributes set by the attacker are removed. +- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized access or privilege escalation has occurred. +- Implement file integrity monitoring to detect unauthorized changes to critical system files, enhancing detection capabilities for similar threats. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised. 
+- Review and update security policies and configurations to prevent unauthorized use of the `chattr` command, such as restricting its execution to trusted administrators only.""" risk_score = 47 rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759" setup = """## Setup @@ -75,6 +107,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and not ( 
@@ -85,55 +118,23 @@ process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and n ) ) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating File made Immutable by Chattr - -The `chattr` command in Linux is used to change file attributes, including making files immutable, which prevents modifications or deletions. Adversaries exploit this to secure malicious files or altered system files against tampering, aiding persistence. The detection rule identifies suspicious use of `chattr` by monitoring process executions, filtering out benign parent processes, and focusing on those altering immutability attributes, thus highlighting potential misuse. - -### Possible investigation steps - -- Review the process execution details to confirm the use of the chattr command with arguments altering immutability, specifically looking for "+i" or "-i" in process.args. -- Identify the file(s) targeted by the chattr command to determine if they are critical system files or files commonly targeted by threat actors, such as .ssh or /etc/passwd. -- Investigate the parent process of the chattr execution by examining process.parent.executable and process.parent.name to determine if it is a known benign process or potentially malicious. -- Check the user context under which the chattr command was executed to assess if it aligns with expected administrative activity or if it indicates unauthorized access. -- Correlate the event with other security alerts or logs to identify any related suspicious activities, such as unauthorized access attempts or changes to other system files. 
-- Evaluate the risk and impact of the immutable file(s) on system operations and security posture, considering the potential for persistence or defense evasion by threat actors. - -### False positive analysis - -- System processes like systemd and cf-agent may invoke chattr for legitimate reasons, such as system maintenance or configuration management. To handle these, exclude these processes by adding them to the exception list in the detection rule. -- Scheduled tasks or scripts that use chattr to manage file attributes for security or operational purposes can trigger false positives. Identify these tasks and exclude their parent processes from the rule. -- Administrative actions performed by authorized users, such as securing configuration files, might be flagged. Regularly review and update the list of known benign parent processes to prevent unnecessary alerts. -- Security tools or agents that modify file attributes as part of their protection mechanisms can cause false positives. Ensure these tools are recognized and excluded by their executable paths or parent process names. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Identify and terminate any malicious processes associated with the `chattr` command to stop further unauthorized file modifications. -- Restore the affected files from a known good backup, ensuring that any immutable attributes set by the attacker are removed. -- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized access or privilege escalation has occurred. -- Implement file integrity monitoring to detect unauthorized changes to critical system files, enhancing detection capabilities for similar threats. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised. 
-- Review and update security policies and configurations to prevent unauthorized use of the `chattr` command, such as restricting its execution to trusted administrators only.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [[rule.threat.technique.subtechnique]] id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index 9e4dc7450cc..35ce6af280c 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/24" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,10 +11,50 @@ Monitors for the deletion of the kernel ring buffer events through dmesg. Attack to evade detection after installing a Linux kernel module (LKM). """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Attempt to Clear Kernel Ring Buffer" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Attempt to Clear Kernel Ring Buffer + +The kernel ring buffer logs system messages, crucial for diagnosing issues. Adversaries may clear these logs using the `dmesg -c` command to hide traces of malicious activities, such as installing unauthorized kernel modules. The detection rule identifies this behavior by monitoring the execution of `dmesg` with specific arguments, flagging potential evasion attempts for further investigation. + +### Possible investigation steps + +- Review the process execution details to confirm the presence of the `dmesg -c` command, focusing on the process name and arguments to ensure the alert is valid. +- Investigate the user account associated with the execution of the `dmesg -c` command to determine if it is a known and authorized user or potentially compromised. +- Check for any recent installations or modifications of Linux kernel modules (LKMs) on the host to identify unauthorized changes that may coincide with the log clearing attempt. 
+- Examine other system logs and security alerts around the same timeframe to identify any suspicious activities or patterns that may indicate a broader attack or compromise. +- Assess the host's network activity for any unusual outbound connections or data exfiltration attempts that could suggest further malicious intent. + +### False positive analysis + +- Routine system maintenance activities may trigger the rule if administrators use the dmesg -c command to clear logs for legitimate purposes. To handle this, create exceptions for known maintenance scripts or processes that regularly execute this command. +- Automated scripts or monitoring tools that include dmesg -c as part of their log management routine can cause false positives. Identify these scripts and exclude them from the rule by specifying their process IDs or user accounts. +- Development and testing environments where kernel modules are frequently installed and removed might generate alerts. Consider excluding these environments from the rule or adjusting the risk score to reflect the lower threat level in these contexts. +- System administrators may use dmesg -c during troubleshooting to clear logs and view new messages. Document these activities and create exceptions for specific user accounts or roles that perform this task regularly. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement. +- Conduct a thorough review of the system to identify any unauthorized kernel modules or other suspicious changes, and remove them if found. +- Restore the system from a known good backup if unauthorized changes are detected and cannot be easily reversed. +- Review and update access controls and permissions to ensure that only authorized users have the ability to execute commands like `dmesg -c`. 
+- Implement enhanced monitoring and logging for the affected system to detect any future attempts to clear the kernel ring buffer or similar evasion tactics. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent recurrence.""" risk_score = 21 rule_id = "2724808c-ba5d-48b2-86d2-0002103df753" setup = """## Setup 
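Review bot: The moved guide describes the detection as `dmesg -c`, but the query it documents (context at the top of the next hunk, unchanged in this commit) matches `process.args in ("-c", "--clear")`; if I have util-linux's option table right, `--clear` is the long form of `-C` and `-c` is spelled out as `--read-clear`, and since EQL `in` is case-sensitive the list covers one spelling of each flag. Either the guide should state exactly which forms the rule covers, or the list should be widened to `process.args in ("-c", "-C", "--clear", "--read-clear")` so both spellings of each option are treated alike. The `dmesg -c` wording is fine as shorthand, but an analyst validating the alert against the guide will otherwise assume the capital form is caught as well.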
@@ -64,64 +102,33 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "dmesg" and process.args in ("-c", "--clear") ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Attempt to Clear Kernel Ring Buffer - -The kernel ring buffer logs system messages, crucial for diagnosing issues. Adversaries may clear these logs using the `dmesg -c` command to hide traces of malicious activities, such as installing unauthorized kernel modules. The detection rule identifies this behavior by monitoring the execution of `dmesg` with specific arguments, flagging potential evasion attempts for further investigation. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of the `dmesg -c` command, focusing on the process name and arguments to ensure the alert is valid. -- Investigate the user account associated with the execution of the `dmesg -c` command to determine if it is a known and authorized user or potentially compromised. -- Check for any recent installations or modifications of Linux kernel modules (LKMs) on the host to identify unauthorized changes that may coincide with the log clearing attempt. -- Examine other system logs and security alerts around the same timeframe to identify any suspicious activities or patterns that may indicate a broader attack or compromise. -- Assess the host's network activity for any unusual outbound connections or data exfiltration attempts that could suggest further malicious intent. 
- -### False positive analysis - -- Routine system maintenance activities may trigger the rule if administrators use the dmesg -c command to clear logs for legitimate purposes. To handle this, create exceptions for known maintenance scripts or processes that regularly execute this command. -- Automated scripts or monitoring tools that include dmesg -c as part of their log management routine can cause false positives. Identify these scripts and exclude them from the rule by specifying their process IDs or user accounts. -- Development and testing environments where kernel modules are frequently installed and removed might generate alerts. Consider excluding these environments from the rule or adjusting the risk score to reflect the lower threat level in these contexts. -- System administrators may use dmesg -c during troubleshooting to clear logs and view new messages. Document these activities and create exceptions for specific user accounts or roles that perform this task regularly. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement. -- Conduct a thorough review of the system to identify any unauthorized kernel modules or other suspicious changes, and remove them if found. -- Restore the system from a known good backup if unauthorized changes are detected and cannot be easily reversed. -- Review and update access controls and permissions to ensure that only authorized users have the ability to execute commands like `dmesg -c`. -- Implement enhanced monitoring and logging for the affected system to detect any future attempts to clear the kernel ring buffer or similar evasion tactics. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. 
-- Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent recurrence.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml index 5e4687c75a5..874a3f33738 100644 --- a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml +++ b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -min_stack_version = "8.13.0" -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,30 +11,16 @@ Identify activity related where adversaries can add the 'hidden' flag to files t to evade detection. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-endpoint.events.file*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Hidden Files and Directories via Hidden Flag" -risk_score = 21 -rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -72,21 +56,44 @@ In Unix-like systems, the 'hidden' flag can be set on files to conceal them from - Implement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden flag, on critical systems. - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. - Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats in the future.""" +risk_score = 21 +rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" +''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_directory_creation_in_bin.toml b/rules/linux/defense_evasion_directory_creation_in_bin.toml index 819542e63f5..dda9951a020 100644 --- a/rules/linux/defense_evasion_directory_creation_in_bin.toml +++ b/rules/linux/defense_evasion_directory_creation_in_bin.toml 
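Review bot: The re-added query pins `host.os.type == "linux"` while the re-added tag list declares both `OS: Linux` and `OS: macOS`, so the rule as written cannot fire for a macOS host, and `chflags` is, as far as I know, a BSD/macOS utility rather than something shipped on Linux (whose equivalent, `chattr`, is covered by the sibling rule earlier in this commit). The block is only moved, not changed, but since the commit touches both the tag list and the query it is the natural place to reconcile them: either drop the `OS: macOS` tag or widen the filter to `host.os.type in ("linux", "macos")` if a macOS-capable data source is actually in scope. In the latter case the `index` list rewritten in the previous hunk would need checking for such a source.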
@@ -2,9 +2,7 @@ creation_date = "2024/11/01" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,10 +12,49 @@ files that are required for the system to function properly. The creation of dir attempt to hide malicious files or executables, as these /bin directories usually just contain binaries. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Directory Creation in /bin directory" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Directory Creation in /bin directory + +The /bin directory is crucial for Linux systems, housing essential binaries for system operations. Adversaries may exploit this by creating directories here to conceal malicious files, leveraging the directory's trusted status. The detection rule identifies suspicious directory creation by monitoring 'mkdir' executions in critical binary paths, excluding legitimate system operations, thus flagging potential threats for further investigation. + +### Possible investigation steps + +- Review the process details to confirm the execution of 'mkdir' in the specified critical binary paths such as /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin, and /usr/local/sbin. +- Check the parent process of the 'mkdir' command to determine if it was initiated by a legitimate system process or a potentially malicious one. +- Investigate the user account associated with the 'mkdir' process to assess if it has the necessary permissions and if the activity aligns with the user's typical behavior. 
+- Examine the system logs around the time of the directory creation for any other suspicious activities or anomalies that might indicate a broader attack. +- Verify if any files or executables have been placed in the newly created directory and assess their legitimacy and potential threat level. +- Cross-reference the event with threat intelligence sources to identify if the activity matches any known malicious patterns or indicators of compromise. + +### False positive analysis + +- System updates or package installations may trigger directory creation in the /bin directory as part of legitimate operations. Users can mitigate this by creating exceptions for known package management processes like apt, yum, or rpm. +- Custom scripts or administrative tasks that require creating directories in the /bin directory for temporary storage or testing purposes can also lead to false positives. Users should document and exclude these specific scripts or tasks from the detection rule. +- Automated deployment tools or configuration management systems such as Ansible, Puppet, or Chef might create directories in the /bin directory as part of their setup routines. Users should identify these tools and add them to the exclusion list to prevent unnecessary alerts. +- Development or testing environments where developers have permissions to create directories in the /bin directory for application testing can result in false positives. Users should differentiate between production and non-production environments and apply the rule accordingly. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the adversary. +- Terminate any suspicious processes related to the directory creation in the /bin directory to halt any ongoing malicious activity. 
+- Conduct a thorough review of the newly created directories and files within the /bin directory to identify and remove any malicious binaries or scripts. +- Restore any altered or deleted legitimate binaries from a known good backup to ensure system integrity and functionality. +- Implement file integrity monitoring on critical system directories, including /bin, to detect unauthorized changes in real-time. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. +- Review and update access controls and permissions for the /bin directory to restrict unauthorized directory creation and enhance security posture.""" risk_score = 21 rule_id = "3302835b-0049-4004-a325-660b1fba1f67" setup = """## Setup 
@@ -60,65 +97,32 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2", "exec_event") and process.name == "mkdir" and process.args like ("/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*") and not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir")
 '''
-note = """## Triage and analysis
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Directory Creation in /bin directory
-
-The /bin directory is crucial for Linux systems, housing essential binaries for system operations. Adversaries may exploit this by creating directories here to conceal malicious files, leveraging the directory's trusted status. The detection rule identifies suspicious directory creation by monitoring 'mkdir' executions in critical binary paths, excluding legitimate system operations, thus flagging potential threats for further investigation.
-
-### Possible investigation steps
-
-- Review the process details to confirm the execution of 'mkdir' in the specified critical binary paths such as /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin, and /usr/local/sbin.
-- Check the parent process of the 'mkdir' command to determine if it was initiated by a legitimate system process or a potentially malicious one.
-- Investigate the user account associated with the 'mkdir' process to assess if it has the necessary permissions and if the activity aligns with the user's typical behavior.
-- Examine the system logs around the time of the directory creation for any other suspicious activities or anomalies that might indicate a broader attack.
-- Verify if any files or executables have been placed in the newly created directory and assess their legitimacy and potential threat level.
-- Cross-reference the event with threat intelligence sources to identify if the activity matches any known malicious patterns or indicators of compromise.
-
-### False positive analysis
-
-- System updates or package installations may trigger directory creation in the /bin directory as part of legitimate operations. Users can mitigate this by creating exceptions for known package management processes like apt, yum, or rpm.
-- Custom scripts or administrative tasks that require creating directories in the /bin directory for temporary storage or testing purposes can also lead to false positives. Users should document and exclude these specific scripts or tasks from the detection rule.
-- Automated deployment tools or configuration management systems such as Ansible, Puppet, or Chef might create directories in the /bin directory as part of their setup routines. Users should identify these tools and add them to the exclusion list to prevent unnecessary alerts.
-- Development or testing environments where developers have permissions to create directories in the /bin directory for application testing can result in false positives. Users should differentiate between production and non-production environments and apply the rule accordingly.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the adversary.
-- Terminate any suspicious processes related to the directory creation in the /bin directory to halt any ongoing malicious activity.
-- Conduct a thorough review of the newly created directories and files within the /bin directory to identify and remove any malicious binaries or scripts.
-- Restore any altered or deleted legitimate binaries from a known good backup to ensure system integrity and functionality.
-- Implement file integrity monitoring on critical system directories, including /bin, to detect unauthorized changes in real-time.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
-- Review and update access controls and permissions for the /bin directory to restrict unauthorized directory creation and enhance security posture."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1564.001"
 name = "Hidden Files and Directories"
 reference = "https://attack.mitre.org/techniques/T1564/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -126,3 +130,4 @@ framework = "MITRE ATT&CK"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml
index 4ac7da81c95..3e5779689bb 100644
--- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml
+++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/28"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
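Review bot: Dropping `min_stack_version = "8.13.0"` together with `min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."` removes the only floor that kept this rule off stacks older than the SentinelOne integration change it names, and nothing in the hunk records why that floor is no longer needed. Presumably the oldest branch still receiving rule updates is now above 8.13.0, but that is not visible here, so the commit description should state it, or a TOML comment next to `updated_date` should. The same removal appears in the SELinux hunk `@@ -2,9 +2,7 @@` and the Doas hunk `@@ -2,22 +2,54 @@` later in this diff.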
@@ -14,10 +12,52 @@ fine-grained access control policies to restrict the actions and resources that
 access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
 """
 from = "now-9m"
-index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "auditbeat-*",
+ "endgame-*",
+ "logs-auditd_manager.auditd-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Disabling of AppArmor"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Disabling of AppArmor
+
+AppArmor is a Linux security module that enforces strict access controls, limiting what applications can do. Adversaries may attempt to disable AppArmor to evade detection and freely execute malicious activities. The detection rule identifies suspicious processes attempting to stop or disable AppArmor services, such as using commands like `systemctl` or `service` with specific arguments, indicating potential tampering with security defenses.
+
+### Possible investigation steps
+
+- Review the process details to confirm the command used, focusing on the process name and arguments, such as "systemctl", "service", "chkconfig", or "ln" with arguments related to AppArmor.
+- Check the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.
+- Investigate the host's recent activity logs to identify any other suspicious behavior or anomalies around the time the alert was triggered.
+- Examine the system's AppArmor status to verify if it has been disabled or tampered with, and assess any potential impact on system security.
+- Correlate this event with other alerts or logs from the same host or user to identify patterns or a broader attack campaign.
+- Consult threat intelligence sources to determine if there are known adversaries or malware that commonly attempt to disable AppArmor in similar ways.
+
+### False positive analysis
+
+- Routine system maintenance activities may trigger this rule, such as administrators stopping AppArmor for legitimate updates or configuration changes. To manage this, create exceptions for known maintenance windows or specific administrator accounts.
+- Automated scripts or configuration management tools like Ansible or Puppet might stop or disable AppArmor as part of their deployment processes. Identify these scripts and whitelist their execution paths or associated user accounts.
+- Testing environments where security modules are frequently enabled and disabled for testing purposes can generate false positives. Consider excluding these environments from the rule or adjusting the rule's sensitivity for these specific hosts.
+- Some legitimate software installations may require temporarily disabling AppArmor. Monitor installation logs and correlate them with the rule triggers to identify and exclude these benign activities.
+- In environments where AppArmor is not actively used or managed, the rule may trigger on default system actions. Evaluate the necessity of monitoring AppArmor in such environments and adjust the rule scope accordingly.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary.
+- Terminate any suspicious processes identified by the detection rule, specifically those attempting to disable AppArmor, to halt any ongoing malicious activities.
+- Conduct a thorough review of system logs and process execution history to identify any additional indicators of compromise or related malicious activities.
+- Restore AppArmor to its intended operational state by re-enabling the service and ensuring all security policies are correctly applied.
+- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.
+- Implement enhanced monitoring on the affected system and similar environments to detect any future attempts to disable AppArmor or other security controls.
+- Review and update access controls and permissions to ensure that only authorized personnel can modify security settings, reducing the risk of similar incidents."""
 risk_score = 21
 rule_id = "fac52c69-2646-4e79-89c0-fd7653461010"
 setup = """## Setup
@@ -60,6 +100,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
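Review bot: The remediation bullet `- Restore AppArmor to its intended operational state by re-enabling the service and ensuring all security policies are correctly applied.` leaves out the disable-symlink case that the rule's own `ln` / `/etc/apparmor.d/disable/` clause (in the query, outside this hunk) exists to catch: a profile linked into /etc/apparmor.d/disable/ is skipped when profiles are loaded, so restarting the service alone does not bring it back. Suggest `- Restore AppArmor to its intended operational state: re-enable the service, remove any unexpected symlinks from /etc/apparmor.d/disable/, and reload the profiles so all security policies are applied.` The guide text is the same block a later hunk in this file removes, so this applies to the relocated note.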
@@ -70,56 +111,23 @@ process where host.os.type == "linux" and event.type == "start" and
 (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
 )
 '''
-note = """## Triage and analysis
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Disabling of AppArmor
-
-AppArmor is a Linux security module that enforces strict access controls, limiting what applications can do. Adversaries may attempt to disable AppArmor to evade detection and freely execute malicious activities. The detection rule identifies suspicious processes attempting to stop or disable AppArmor services, such as using commands like `systemctl` or `service` with specific arguments, indicating potential tampering with security defenses.
-
-### Possible investigation steps
-
-- Review the process details to confirm the command used, focusing on the process name and arguments, such as "systemctl", "service", "chkconfig", or "ln" with arguments related to AppArmor.
-- Check the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.
-- Investigate the host's recent activity logs to identify any other suspicious behavior or anomalies around the time the alert was triggered.
-- Examine the system's AppArmor status to verify if it has been disabled or tampered with, and assess any potential impact on system security.
-- Correlate this event with other alerts or logs from the same host or user to identify patterns or a broader attack campaign.
-- Consult threat intelligence sources to determine if there are known adversaries or malware that commonly attempt to disable AppArmor in similar ways.
-
-### False positive analysis
-
-- Routine system maintenance activities may trigger this rule, such as administrators stopping AppArmor for legitimate updates or configuration changes. To manage this, create exceptions for known maintenance windows or specific administrator accounts.
-- Automated scripts or configuration management tools like Ansible or Puppet might stop or disable AppArmor as part of their deployment processes. Identify these scripts and whitelist their execution paths or associated user accounts.
-- Testing environments where security modules are frequently enabled and disabled for testing purposes can generate false positives. Consider excluding these environments from the rule or adjusting the rule's sensitivity for these specific hosts.
-- Some legitimate software installations may require temporarily disabling AppArmor. Monitor installation logs and correlate them with the rule triggers to identify and exclude these benign activities.
-- In environments where AppArmor is not actively used or managed, the rule may trigger on default system actions. Evaluate the necessity of monitoring AppArmor in such environments and adjust the rule scope accordingly.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary.
-- Terminate any suspicious processes identified by the detection rule, specifically those attempting to disable AppArmor, to halt any ongoing malicious activities.
-- Conduct a thorough review of system logs and process execution history to identify any additional indicators of compromise or related malicious activities.
-- Restore AppArmor to its intended operational state by re-enabling the service and ensuring all security policies are correctly applied.
-- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.
-- Implement enhanced monitoring on the affected system and similar environments to detect any future attempts to disable AppArmor or other security controls.
-- Review and update access controls and permissions to ensure that only authorized personnel can modify security settings, reducing the risk of similar incidents."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index 3b3e6dd8c01..4baa2aed772 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/04/22"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,10 +12,51 @@ support access control policies. Adversaries may disable security tools to avoid
 activities.
 """
 from = "now-9m"
-index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "auditbeat-*",
+ "endgame-*",
+ "logs-auditd_manager.auditd-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Disabling of SELinux"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Disabling of SELinux
+
+SELinux is a critical security feature in Linux environments, enforcing access control policies to protect against unauthorized access. Adversaries may attempt to disable SELinux to evade detection and carry out malicious activities undetected. The detection rule identifies such attempts by monitoring for the execution of the 'setenforce 0' command, which switches SELinux to permissive mode, effectively disabling its enforcement capabilities. This rule leverages process monitoring to alert security teams of potential defense evasion tactics.
+
+### Possible investigation steps
+
+- Review the process execution details to confirm the presence of the 'setenforce 0' command, ensuring that the process name is 'setenforce' and the argument is '0'.
+- Check the user account associated with the process execution to determine if it is a legitimate administrative user or a potential compromised account.
+- Investigate the timeline of events leading up to and following the execution of the 'setenforce 0' command to identify any related suspicious activities or processes.
+- Examine system logs and audit logs for any other unusual or unauthorized changes to SELinux settings or other security configurations.
+- Assess the system for any signs of compromise or malicious activity, such as unexpected network connections, file modifications, or the presence of known malware indicators.
+- Verify the current SELinux status and configuration to ensure it has been restored to enforcing mode if it was indeed set to permissive mode.
+
+### False positive analysis
+
+- System administrators may execute the 'setenforce 0' command during routine maintenance or troubleshooting, leading to false positives. To manage this, create exceptions for known maintenance windows or specific administrator accounts.
+- Some automated scripts or configuration management tools might temporarily set SELinux to permissive mode for deployment purposes. Identify these scripts and exclude their execution context from triggering alerts.
+- Development environments might require SELinux to be set to permissive mode for testing purposes. Consider excluding specific development hosts or environments from the rule to prevent unnecessary alerts.
+- In certain cases, SELinux might be disabled as part of a controlled security audit or penetration test. Coordinate with security teams to whitelist these activities during the audit period.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
+- Verify the current SELinux status on the affected system using the command `sestatus` to confirm if it has been switched to permissive mode.
+- If SELinux is in permissive mode, re-enable it by executing `setenforce 1` and ensure that the SELinux policy is correctly enforced.
+- Conduct a thorough review of system logs and process execution history to identify any unauthorized changes or suspicious activities that occurred while SELinux was disabled.
+- Scan the affected system for malware or unauthorized software installations using a trusted antivirus or endpoint detection and response (EDR) tool.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
+- Implement additional monitoring and alerting for similar SELinux-related events to enhance detection capabilities and prevent recurrence."""
 risk_score = 47
 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
 setup = """## Setup
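Review bot: The remediation bullet that re-enables enforcement with `setenforce 1` only restores the mode of the running system; `setenforce` is not persistent, and the mode applied at boot comes from the SELINUX= line in /etc/selinux/config. If that file was changed as well, a responder who stops at `setenforce 1` will find the host permissive or disabled again after the next reboot. Suggest adding a bullet after it: `- Check the SELINUX= setting in /etc/selinux/config and restore it to enforcing so the change persists across reboots.` The guide is the same block the following hunk removes, so the fix applies to the relocated text.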
@@ -78,40 +117,6 @@ process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name == "setenforce" and process.args == "0"
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Disabling of SELinux
-
-SELinux is a critical security feature in Linux environments, enforcing access control policies to protect against unauthorized access. Adversaries may attempt to disable SELinux to evade detection and carry out malicious activities undetected. The detection rule identifies such attempts by monitoring for the execution of the 'setenforce 0' command, which switches SELinux to permissive mode, effectively disabling its enforcement capabilities. This rule leverages process monitoring to alert security teams of potential defense evasion tactics.
-
-### Possible investigation steps
-
-- Review the process execution details to confirm the presence of the 'setenforce 0' command, ensuring that the process name is 'setenforce' and the argument is '0'.
-- Check the user account associated with the process execution to determine if it is a legitimate administrative user or a potential compromised account.
-- Investigate the timeline of events leading up to and following the execution of the 'setenforce 0' command to identify any related suspicious activities or processes.
-- Examine system logs and audit logs for any other unusual or unauthorized changes to SELinux settings or other security configurations.
-- Assess the system for any signs of compromise or malicious activity, such as unexpected network connections, file modifications, or the presence of known malware indicators.
-- Verify the current SELinux status and configuration to ensure it has been restored to enforcing mode if it was indeed set to permissive mode.
-
-### False positive analysis
-
-- System administrators may execute the 'setenforce 0' command during routine maintenance or troubleshooting, leading to false positives. To manage this, create exceptions for known maintenance windows or specific administrator accounts.
-- Some automated scripts or configuration management tools might temporarily set SELinux to permissive mode for deployment purposes. Identify these scripts and exclude their execution context from triggering alerts.
-- Development environments might require SELinux to be set to permissive mode for testing purposes. Consider excluding specific development hosts or environments from the rule to prevent unnecessary alerts.
-- In certain cases, SELinux might be disabled as part of a controlled security audit or penetration test. Coordinate with security teams to whitelist these activities during the audit period.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
-- Verify the current SELinux status on the affected system using the command `sestatus` to confirm if it has been switched to permissive mode.
-- If SELinux is in permissive mode, re-enable it by executing `setenforce 1` and ensure that the SELinux policy is correctly enforced.
-- Conduct a thorough review of system logs and process execution history to identify any unauthorized changes or suspicious activities that occurred while SELinux was disabled.
-- Scan the affected system for malware or unauthorized software installations using a trusted antivirus or endpoint detection and response (EDR) tool.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
-- Implement additional monitoring and alerting for similar SELinux-related events to enhance detection capabilities and prevent recurrence."""
 [[rule.threat]]
diff --git a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
index 49e13f752fe..b0adf07fbd7 100644
--- a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
+++ b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
@@ -2,22 +2,54 @@
 creation_date = "2024/08/28"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the creation or rename of the Doas configuration file on a Linux system. Adversaries may create
-or modify the Doas configuration file to elevate privileges and execute commands as other users while attempting to
-evade detection.
+This rule detects the creation or rename of the Doas configuration file on a Linux system. Adversaries may create or
+modify the Doas configuration file to elevate privileges and execute commands as other users while attempting to evade
+detection.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Defense Evasion via Doas"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Defense Evasion via Doas
+
+Doas is a command-line utility on Linux systems that allows users to execute commands as another user, typically with elevated privileges. Adversaries may exploit this by altering the Doas configuration file to gain unauthorized access or escalate privileges, bypassing security measures. The detection rule identifies suspicious activities by monitoring changes to the Doas configuration file, signaling potential misuse aimed at evading defenses.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the file path involved is "/etc/doas.conf" and the event type is not "deletion", as specified in the query.
+- Check the timestamp of the alert to determine when the configuration file was created or modified, and correlate this with any known scheduled changes or maintenance activities.
+- Investigate the user account associated with the event to determine if they have legitimate reasons to modify the Doas configuration file, and verify their access permissions.
+- Examine system logs and command history around the time of the alert to identify any suspicious activities or commands executed by the user.
+- Assess the current Doas configuration file for unauthorized changes or entries that could indicate privilege escalation attempts.
+- Cross-reference the alert with other security events or alerts from the same host to identify potential patterns or related activities that could suggest a broader attack.
+
+### False positive analysis
+
+- Routine administrative updates to the Doas configuration file can trigger alerts. To manage this, create exceptions for known maintenance windows or specific user accounts responsible for legitimate updates.
+- Automated configuration management tools may modify the Doas configuration file as part of their normal operation. Identify these tools and exclude their activities from triggering alerts by specifying their process names or user accounts.
+- System backups or restoration processes might involve creating or renaming the Doas configuration file. Exclude these processes by identifying the backup software and adding it to the exception list.
+- Development or testing environments where frequent changes to the Doas configuration file are expected can generate false positives. Consider excluding these environments from monitoring or adjusting the rule to account for their unique activity patterns.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
+- Review and revert any unauthorized changes to the Doas configuration file located at /etc/doas.conf to its last known good state.
+- Conduct a thorough audit of user accounts and permissions on the affected system to identify and remove any unauthorized accounts or privilege escalations.
+- Implement additional monitoring on the affected system to detect any further attempts to modify the Doas configuration file or other critical system files.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems.
+- Apply patches and updates to the affected system to address any vulnerabilities that may have been exploited by the adversary.
+- Review and enhance access controls and authentication mechanisms to prevent unauthorized privilege escalation attempts in the future."""
 references = ["https://wiki.archlinux.org/title/Doas"]
 risk_score = 21
 rule_id = "26a726d7-126e-4267-b43d-e9a70bfdee1e"
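Review bot: The rewrapped description still says `This rule detects the creation or rename of the Doas configuration file on a Linux system.`, while the new guide's own step reads `determine when the configuration file was created or modified` and the query (context in the following hunk) matches `event.type != "deletion"`, which admits modification events too. Since the description is being reflowed anyway, align it with the query: `This rule detects the creation, modification or rename of the Doas configuration file on a Linux system.` The `min_stack_version` removal at the top of this hunk is the same change raised on the AppArmor file.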
@@ -59,58 +91,27 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf" ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Defense Evasion via Doas - -Doas is a command-line utility on Linux systems that allows users to execute commands as another user, typically with elevated privileges. Adversaries may exploit this by altering the Doas configuration file to gain unauthorized access or escalate privileges, bypassing security measures. The detection rule identifies suspicious activities by monitoring changes to the Doas configuration file, signaling potential misuse aimed at evading defenses. - -### Possible investigation steps - -- Review the alert details to confirm the file path involved is "/etc/doas.conf" and the event type is not "deletion", as specified in the query. -- Check the timestamp of the alert to determine when the configuration file was created or modified, and correlate this with any known scheduled changes or maintenance activities. -- Investigate the user account associated with the event to determine if they have legitimate reasons to modify the Doas configuration file, and verify their access permissions. -- Examine system logs and command history around the time of the alert to identify any suspicious activities or commands executed by the user. -- Assess the current Doas configuration file for unauthorized changes or entries that could indicate privilege escalation attempts. 
-- Cross-reference the alert with other security events or alerts from the same host to identify potential patterns or related activities that could suggest a broader attack. - -### False positive analysis - -- Routine administrative updates to the Doas configuration file can trigger alerts. To manage this, create exceptions for known maintenance windows or specific user accounts responsible for legitimate updates. -- Automated configuration management tools may modify the Doas configuration file as part of their normal operation. Identify these tools and exclude their activities from triggering alerts by specifying their process names or user accounts. -- System backups or restoration processes might involve creating or renaming the Doas configuration file. Exclude these processes by identifying the backup software and adding it to the exception list. -- Development or testing environments where frequent changes to the Doas configuration file are expected can generate false positives. Consider excluding these environments from monitoring or adjusting the rule to account for their unique activity patterns. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Review and revert any unauthorized changes to the Doas configuration file located at /etc/doas.conf to its last known good state. -- Conduct a thorough audit of user accounts and permissions on the affected system to identify and remove any unauthorized accounts or privilege escalations. -- Implement additional monitoring on the affected system to detect any further attempts to modify the Doas configuration file or other critical system files. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems. 
-- Apply patches and updates to the affected system to address any vulnerabilities that may have been exploited by the adversary. -- Review and enhance access controls and authentication mechanisms to prevent unauthorized privilege escalation attempts in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index b7b54978b9c..17cba5afd88 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -16,10 +14,52 @@ their presence in the touch command arguments may indicate that a threat actor i of VM-related files and configurations on the system. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "ESXI Timestomping using Touch Command" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating ESXI Timestomping using Touch Command + +VMware ESXi is a hypervisor used to manage virtual machines. Adversaries may exploit the 'touch' command with the "-r" flag to alter file timestamps, masking unauthorized changes in VM-related directories. The detection rule identifies such activities by monitoring the execution of 'touch' with specific arguments, signaling potential timestamp tampering in critical VMware paths. + +### Possible investigation steps + +- Review the process execution details to confirm the presence of the 'touch' command with the "-r" flag and verify the specific VM-related paths involved, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". +- Check the user account associated with the process execution to determine if it is a legitimate user or potentially compromised account. +- Investigate the parent process of the 'touch' command to understand the context of its execution and identify any related suspicious activities. 
+- Examine recent changes to the files in the specified paths to identify any unauthorized modifications or anomalies. +- Correlate the event with other security alerts or logs from the same host to identify patterns or additional indicators of compromise. +- Assess the system for any signs of unauthorized access or other defense evasion techniques that may have been employed by the threat actor. + +### False positive analysis + +- Routine administrative tasks in VMware environments may trigger the rule if administrators use the touch command with the -r flag for legitimate purposes. To manage this, create exceptions for known administrative scripts or processes that regularly perform these actions. +- Automated backup or synchronization tools that update file timestamps as part of their normal operation can cause false positives. Identify these tools and exclude their processes from the rule to prevent unnecessary alerts. +- System maintenance activities, such as updates or patches, might involve timestamp modifications in VMware directories. Coordinate with IT teams to whitelist these activities during scheduled maintenance windows. +- Custom scripts developed in-house for managing VMware environments might use the touch command with the -r flag. Review these scripts and, if verified as safe, add them to an exception list to avoid false positives. +- Security tools or monitoring solutions that perform integrity checks on VMware files may inadvertently alter timestamps. Ensure these tools are recognized and excluded from the rule to maintain accurate threat detection. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further unauthorized access or tampering with VMware-related files. +- Conduct a thorough review of the affected system's logs and processes to identify any unauthorized changes or additional malicious activities. 
+- Restore the original timestamps of the affected files using verified backups to ensure the integrity of the VMware-related configurations. +- Revert any unauthorized changes to the VMware environment by restoring from a known good backup or snapshot. +- Update and patch the VMware ESXi and associated software to the latest versions to mitigate any known vulnerabilities that could be exploited. +- Implement stricter access controls and monitoring on critical VMware directories to prevent unauthorized modifications in the future. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = [ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", ] 
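Review bot: The investigation steps in the new `note` never direct the analyst to the argument that follows `-r`, even though that is what the rule keys on (`process.args == "-r"` in the query further down) and, for coreutils `touch`, it names the reference file whose timestamps are copied onto the targets; without it the analyst cannot tell which files were stamped or what time they were given. I would add a bullet after the first investigation step: `- Identify the reference file given after "-r" (the source of the copied timestamps) and the target paths that follow it; a reference file outside the VMware directories, or one the user has no reason to touch, strengthens the case for deliberate timestomping.` It is also worth a sentence in the guide that the match requires "-r" as a standalone argument, so the `--reference=FILE` spelling will not alert and should be checked for when hunting on the host. The `note` string closes in this hunk but the rule table it belongs to continues outside it.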
@@ -71,41 +111,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "touch" and process.args == "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating ESXI Timestomping using Touch Command - -VMware ESXi is a hypervisor used to manage virtual machines. Adversaries may exploit the 'touch' command with the "-r" flag to alter file timestamps, masking unauthorized changes in VM-related directories. The detection rule identifies such activities by monitoring the execution of 'touch' with specific arguments, signaling potential timestamp tampering in critical VMware paths. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of the 'touch' command with the "-r" flag and verify the specific VM-related paths involved, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". -- Check the user account associated with the process execution to determine if it is a legitimate user or potentially compromised account. -- Investigate the parent process of the 'touch' command to understand the context of its execution and identify any related suspicious activities. -- Examine recent changes to the files in the specified paths to identify any unauthorized modifications or anomalies. -- Correlate the event with other security alerts or logs from the same host to identify patterns or additional indicators of compromise. 
-- Assess the system for any signs of unauthorized access or other defense evasion techniques that may have been employed by the threat actor. - -### False positive analysis - -- Routine administrative tasks in VMware environments may trigger the rule if administrators use the touch command with the -r flag for legitimate purposes. To manage this, create exceptions for known administrative scripts or processes that regularly perform these actions. -- Automated backup or synchronization tools that update file timestamps as part of their normal operation can cause false positives. Identify these tools and exclude their processes from the rule to prevent unnecessary alerts. -- System maintenance activities, such as updates or patches, might involve timestamp modifications in VMware directories. Coordinate with IT teams to whitelist these activities during scheduled maintenance windows. -- Custom scripts developed in-house for managing VMware environments might use the touch command with the -r flag. Review these scripts and, if verified as safe, add them to an exception list to avoid false positives. -- Security tools or monitoring solutions that perform integrity checks on VMware files may inadvertently alter timestamps. Ensure these tools are recognized and excluded from the rule to maintain accurate threat detection. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further unauthorized access or tampering with VMware-related files. -- Conduct a thorough review of the affected system's logs and processes to identify any unauthorized changes or additional malicious activities. -- Restore the original timestamps of the affected files using verified backups to ensure the integrity of the VMware-related configurations. -- Revert any unauthorized changes to the VMware environment by restoring from a known good backup or snapshot. 
-- Update and patch the VMware ESXi and associated software to the latest versions to mitigate any known vulnerabilities that could be exploited. -- Implement stricter access controls and monitoring on critical VMware directories to prevent unauthorized modifications in the future. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index d7de9703aa8..7d4cbe31205 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -min_stack_version = "8.13.0" -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,10 +12,49 @@ a network and how. Adversaries may remove these files over the course of an intr remove them at the end as part of the post-intrusion cleanup process. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "File Deletion via Shred" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating File Deletion via Shred + +The `shred` command in Linux is used to securely delete files by overwriting them, making recovery difficult. Adversaries exploit this to erase traces of malicious activity, hindering forensic analysis. The detection rule identifies suspicious use of `shred` by monitoring its execution with specific arguments, excluding benign processes like `logrotate`, to flag potential defense evasion attempts. + +### Possible investigation steps + +- Review the process execution details to confirm the use of the `shred` command with suspicious arguments such as "-u", "--remove", "-z", or "--zero". +- Identify the user account associated with the `shred` process to determine if the activity aligns with expected behavior for that user. +- Investigate the parent process of `shred` to ensure it is not `logrotate` and assess whether the parent process is legitimate or potentially malicious. +- Examine the timeline of events leading up to and following the `shred` execution to identify any related suspicious activities or file modifications. 
+- Check for any other alerts or logs related to the same host or user to identify patterns or additional indicators of compromise. +- Assess the impact of the file deletion by determining which files were targeted and whether they are critical to system operations or security. + +### False positive analysis + +- Logrotate processes may trigger false positives as they use shred for legitimate log file management. Exclude logrotate as a parent process in detection rules to prevent these alerts. +- System maintenance scripts that securely delete temporary files using shred can cause false positives. Identify and whitelist these scripts to reduce unnecessary alerts. +- Backup or cleanup operations that involve shredding old data might be flagged. Review and exclude these operations if they are part of routine system management. +- User-initiated file deletions for privacy or space management can appear suspicious. Educate users on the implications of using shred and consider excluding known user actions if they are frequent and benign. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further malicious activity or data exfiltration. +- Terminate any active `shred` processes that are not associated with legitimate applications like `logrotate` to halt ongoing file deletion. +- Conduct a thorough review of recent system logs and file access records to identify any additional malicious activities or files that may have been created or modified by the adversary. +- Restore any critical files that were deleted using `shred` from the most recent backup, ensuring the integrity and security of the backup source. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. 
+- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized use of `shred` or similar file deletion tools. +- Review and update endpoint security configurations to prevent unauthorized execution of file deletion commands by non-administrative users.""" risk_score = 21 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4" setup = """## Setup 
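Review bot: The false-positive and remediation bullets in the new `note` treat a `logrotate` parent as proof of benign activity, mirroring the query's `not process.parent.name == "logrotate"` exclusion, but `process.parent.name` is only a process name and is chosen by whoever launches the binary, so an attacker can copy their wrapper to a file named `logrotate` and shred under it without alerting. The guide should tell analysts not to clear an alert on parent name alone and should steer tuning to the executable path. I would change the first FP bullet to: `- Logrotate processes may trigger false positives as they use shred for legitimate log file management. The rule already excludes a logrotate parent by name; when adding further exclusions, key on process.parent.executable (e.g. /usr/sbin/logrotate) rather than the name alone, since a process name is attacker-controlled.` The remediation bullet about terminating shred processes "not associated with" logrotate needs the same caveat. The `note` string closes here but the `[rule]` table continues beyond the hunk.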
@@ -65,40 +102,6 @@ process where host.os.type == "linux" and event.type == "start" and process.name "-u", "--remove", "-z", "--zero" ) and not process.parent.name == "logrotate" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating File Deletion via Shred - -The `shred` command in Linux is used to securely delete files by overwriting them, making recovery difficult. Adversaries exploit this to erase traces of malicious activity, hindering forensic analysis. The detection rule identifies suspicious use of `shred` by monitoring its execution with specific arguments, excluding benign processes like `logrotate`, to flag potential defense evasion attempts. - -### Possible investigation steps - -- Review the process execution details to confirm the use of the `shred` command with suspicious arguments such as "-u", "--remove", "-z", or "--zero". -- Identify the user account associated with the `shred` process to determine if the activity aligns with expected behavior for that user. -- Investigate the parent process of `shred` to ensure it is not `logrotate` and assess whether the parent process is legitimate or potentially malicious. -- Examine the timeline of events leading up to and following the `shred` execution to identify any related suspicious activities or file modifications. -- Check for any other alerts or logs related to the same host or user to identify patterns or additional indicators of compromise. -- Assess the impact of the file deletion by determining which files were targeted and whether they are critical to system operations or security. 
- -### False positive analysis - -- Logrotate processes may trigger false positives as they use shred for legitimate log file management. Exclude logrotate as a parent process in detection rules to prevent these alerts. -- System maintenance scripts that securely delete temporary files using shred can cause false positives. Identify and whitelist these scripts to reduce unnecessary alerts. -- Backup or cleanup operations that involve shredding old data might be flagged. Review and exclude these operations if they are part of routine system management. -- User-initiated file deletions for privacy or space management can appear suspicious. Educate users on the implications of using shred and consider excluding known user actions if they are frequent and benign. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further malicious activity or data exfiltration. -- Terminate any active `shred` processes that are not associated with legitimate applications like `logrotate` to halt ongoing file deletion. -- Conduct a thorough review of recent system logs and file access records to identify any additional malicious activities or files that may have been created or modified by the adversary. -- Restore any critical files that were deleted using `shred` from the most recent backup, ensuring the integrity and security of the backup source. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized use of `shred` or similar file deletion tools. -- Review and update endpoint security configurations to prevent unauthorized execution of file deletion commands by non-administrative users.""" [[rule.threat]] 
diff --git a/rules/linux/defense_evasion_hex_payload_execution.toml b/rules/linux/defense_evasion_hex_payload_execution.toml index 13cf5d56690..e6d8181d9e1 100644 --- a/rules/linux/defense_evasion_hex_payload_execution.toml +++ b/rules/linux/defense_evasion_hex_payload_execution.toml 
@@ -2,21 +2,59 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -This rule detects potential hex payload execution on Linux systems. Adversaries may use hex encoding to obfuscate payloads -and evade detection mechanisms. +This rule detects potential hex payload execution on Linux systems. Adversaries may use hex encoding to obfuscate +payloads and evade detection mechanisms. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = [ + "logs-endpoint.events.process*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Potential Hex Payload Execution" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Hex Payload Execution + +Hex encoding is often used in Linux environments to obfuscate data, making it harder for security tools to detect malicious payloads. Adversaries exploit this by encoding their payloads in hex to bypass security measures. The detection rule identifies suspicious processes like `xxd`, `python`, `php`, and others that use hex-related functions, signaling potential obfuscation attempts. By monitoring these patterns, the rule helps uncover hidden threats. 
+ +### Possible investigation steps + +- Review the process details, including the process name and command line arguments, to confirm if the execution aligns with typical hex decoding or encoding activities. +- Check the parent process of the suspicious process to understand the context of how the process was initiated and whether it was expected or part of a legitimate workflow. +- Investigate the user account associated with the process execution to determine if the activity is consistent with the user's normal behavior or if the account may have been compromised. +- Examine the network activity associated with the process to identify any potential data exfiltration or communication with known malicious IP addresses. +- Look for any related file modifications or creations around the time of the process execution to identify if the decoded payload was written to disk or executed further. +- Cross-reference the alert with other security tools or logs, such as Crowdstrike or SentinelOne, to gather additional context or corroborating evidence of malicious activity. + +### False positive analysis + +- Development and testing environments may frequently use hex encoding functions for legitimate purposes. To reduce noise, consider excluding processes running on known development servers from the rule. +- System administrators might use hex encoding tools like `xxd` for data conversion tasks. Identify and whitelist these routine administrative scripts to prevent false alerts. +- Automated scripts or applications that process data in hex format for encoding or decoding purposes can trigger this rule. Review and exclude these scripts if they are verified as non-malicious. +- Security tools or monitoring solutions themselves might use hex encoding for data analysis. Ensure these tools are recognized and excluded from triggering the rule. 
+- Regularly review and update the exclusion list to adapt to changes in the environment and ensure that only verified non-threatening behaviors are excluded. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of potentially malicious payloads. +- Terminate any suspicious processes identified by the detection rule, such as those involving `xxd`, `python`, `php`, `ruby`, `perl`, or `lua` with hex-related functions. +- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove any malicious payloads or remnants. +- Review and analyze system logs and process execution history to determine the scope of the compromise and identify any additional affected systems. +- Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated. +- Implement additional monitoring on the affected system and network to detect any recurrence of similar obfuscation attempts. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures.""" risk_score = 21 rule_id = "0c1e8fda-4f09-451e-bc77-a192b6cbfc32" setup = """## Setup @@ -59,6 +97,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and 
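Review bot: The investigation steps in the new `note` never ask the analyst to recover the payload, yet the alert only establishes that a hex-decoding primitive ran (the `xxd`/`python`/`php`/`ruby`/`perl`/`lua` patterns matched on `process.command_line`, whose query body continues into the next hunk); what was decoded is what decides whether this is an incident. I would add as the first bullet: `- Extract the hex string from process.command_line and decode it offline (e.g. xxd -r -p in an isolated sandbox, never on the affected host) to see what the payload does; a decoded shell one-liner, downloader or ELF header is strong evidence of malicious activity.` The remediation bullet that recommends terminating any `python`, `php`, `ruby` or `perl` process matching the rule is also risky on shared servers and should be scoped to the PID in the alert rather than to the interpreter. The `note` string closes in this hunk but the rule table continues outside it.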
@@ -71,84 +110,50 @@ process where host.os.type == "linux" and event.type == "start" and (process.name like "lua*" and process.command_line like "*tonumber(cc, 16)*") ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Hex Payload Execution - -Hex encoding is often used in Linux environments to obfuscate data, making it harder for security tools to detect malicious payloads. Adversaries exploit this by encoding their payloads in hex to bypass security measures. The detection rule identifies suspicious processes like `xxd`, `python`, `php`, and others that use hex-related functions, signaling potential obfuscation attempts. By monitoring these patterns, the rule helps uncover hidden threats. - -### Possible investigation steps -- Review the process details, including the process name and command line arguments, to confirm if the execution aligns with typical hex decoding or encoding activities. -- Check the parent process of the suspicious process to understand the context of how the process was initiated and whether it was expected or part of a legitimate workflow. -- Investigate the user account associated with the process execution to determine if the activity is consistent with the user's normal behavior or if the account may have been compromised. -- Examine the network activity associated with the process to identify any potential data exfiltration or communication with known malicious IP addresses. -- Look for any related file modifications or creations around the time of the process execution to identify if the decoded payload was written to disk or executed further. 
-- Cross-reference the alert with other security tools or logs, such as Crowdstrike or SentinelOne, to gather additional context or corroborating evidence of malicious activity. - -### False positive analysis -- Development and testing environments may frequently use hex encoding functions for legitimate purposes. To reduce noise, consider excluding processes running on known development servers from the rule. -- System administrators might use hex encoding tools like `xxd` for data conversion tasks. Identify and whitelist these routine administrative scripts to prevent false alerts. -- Automated scripts or applications that process data in hex format for encoding or decoding purposes can trigger this rule. Review and exclude these scripts if they are verified as non-malicious. -- Security tools or monitoring solutions themselves might use hex encoding for data analysis. Ensure these tools are recognized and excluded from triggering the rule. -- Regularly review and update the exclusion list to adapt to changes in the environment and ensure that only verified non-threatening behaviors are excluded. +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" -### Response and remediation +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" -- Isolate the affected system from the network to prevent further spread of potentially malicious payloads. -- Terminate any suspicious processes identified by the detection rule, such as those involving `xxd`, `python`, `php`, `ruby`, `perl`, or `lua` with hex-related functions. -- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove any malicious payloads or remnants. 
-- Review and analyze system logs and process execution history to determine the scope of the compromise and identify any additional affected systems. -- Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated. -- Implement additional monitoring on the affected system and network to detect any recurrence of similar obfuscation attempts. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures.""" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] - name = "Obfuscated Files or Information" - id = "T1027" - reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" - [[rule.threat.technique]] - name = "Deobfuscate/Decode Files or Information" - id = "T1140" - reference = "https://attack.mitre.org/techniques/T1140/" -[[rule.threat]] -framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = 
"https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" - - [[rule.threat.technique.subtechnique]] - name = "Malicious File" - id = "T1204.002" - reference = "https://attack.mitre.org/techniques/T1204/002/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/defense_evasion_hidden_directory_creation.toml b/rules/linux/defense_evasion_hidden_directory_creation.toml index 76312a85791..3af9e90529f 100644 --- a/rules/linux/defense_evasion_hidden_directory_creation.toml +++ b/rules/linux/defense_evasion_hidden_directory_creation.toml @@ -2,9 +2,7 @@ creation_date = "2024/11/01" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -15,8 +13,8 @@ tools. """ false_positives = [ """ - Certain tools may create hidden temporary directories upon installation or as part of their normal - behavior. These events can be filtered by the process arguments, username, or process name values. + Certain tools may create hidden temporary directories upon installation or as part of their normal behavior. These + events can be filtered by the process arguments, username, or process name values. """, ] from = "now-9m" 
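Review bot: Dropping `min_stack_version = "8.13.0"` together with its `min_stack_comments` line removes the floor that kept this SentinelOne-enabled rule off stacks older than the 8.13.0 breaking change, and nothing in the hunk records why the floor is no longer needed. This is presumably safe if no maintained branch below 8.13.0 still receives rule backports, but the hunk itself cannot show that, so the rationale belongs in the commit message or in a retained comment such as `# min_stack_version floor dropped: all maintained branches are >= 8.13.0`. The same removal appears in the defense_evasion_hidden_shared_object.toml and defense_evasion_kernel_module_removal.toml header hunks and the same note applies there.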
@@ -24,6 +22,41 @@ index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_
 language = "eql"
 license = "Elastic License v2"
 name = "Hidden Directory Creation via Unusual Parent"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Hidden Directory Creation via Unusual Parent
+
+In Linux environments, hidden directories, often prefixed with a dot, are typically used for configuration files but can be exploited by attackers to conceal malicious activities. Adversaries may create these directories using unexpected parent processes in sensitive locations. The detection rule identifies such anomalies by monitoring directory creation commands executed by unusual parent executables, focusing on specific directories and excluding known benign patterns.
+
+### Possible investigation steps
+
+- Review the process.parent.executable field to identify the parent process that initiated the directory creation and assess its legitimacy based on its typical behavior and location.
+- Examine the process.args field to understand the specific arguments used with the mkdir command, focusing on the directory path and any patterns that may indicate malicious intent.
+- Check the process.command_line field for any unusual or suspicious command-line patterns that might suggest an attempt to evade detection.
+- Investigate the context of the parent process by reviewing recent activities or logs associated with it, especially if it originates from sensitive directories like /dev/shm, /tmp, or /var/tmp.
+- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or patterns that could indicate a broader attack or compromise.
+- Consult threat intelligence sources or databases to determine if the parent executable or directory path has been associated with known malicious activities or threat actors.
+
+### False positive analysis
+
+- Temporary directories used by legitimate applications can trigger false positives. Exclude known benign parent executables like those in "/tmp/newroot/*" or "/run/containerd/*" to reduce noise.
+- Automated build processes may create hidden directories during software compilation. Add exceptions for parent executables such as "/var/tmp/buildah*" or "/tmp/python-build.*" to prevent unnecessary alerts.
+- Development tools and scripts might create hidden directories for caching or temporary storage. Consider excluding parent executables like "/tmp/pear/temp/*" or "/tmp/cliphist-wofi-img" if they are part of regular development activities.
+- Ensure that the command line patterns like "mkdir -p ." or "mkdir ./*" are excluded, as these are common in scripts and do not typically indicate malicious intent.
+- Regularly review and update the list of excluded patterns and parent executables to align with changes in the environment and reduce false positives effectively.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
+- Terminate any suspicious processes associated with the unusual parent executable identified in the alert to halt potential malicious operations.
+- Conduct a thorough review of the hidden directory and its contents to identify and remove any malicious files or tools.
+- Restore any affected files or configurations from a known good backup to ensure system integrity.
+- Implement stricter access controls and monitoring on sensitive directories to prevent unauthorized directory creation. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised. +- Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats in the future.""" risk_score = 21 rule_id = "b15a15f2-becf-475d-aa69-45c9e0ff1c49" setup = """## Setup @@ -65,6 +98,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event") and process.name == "mkdir" and process.parent.executable like ( 
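Review bot: The false-positive bullets in the added note tell analysts to exclude parent executables such as `"/tmp/newroot/*"`, `"/run/containerd/*"`, `"/var/tmp/buildah*"` and command lines like `"mkdir -p ."`, while the overview paragraph of the same note states the rule already excludes known benign patterns; the query's `process.parent.executable like (` list that would settle which reading is right continues outside the hunk. If those values are already in the query, the bullets should say so rather than prompting duplicate exceptions, e.g. `- Paths such as "/tmp/newroot/*" and "/run/containerd/*" are already excluded by the query; extend that list rather than adding a separate exception.`. If they are not, the overview sentence should be narrowed so the two sections agree.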
@@ -78,60 +112,25 @@ process.name == "mkdir" and process.parent.executable like ( ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Hidden Directory Creation via Unusual Parent - -In Linux environments, hidden directories, often prefixed with a dot, are typically used for configuration files but can be exploited by attackers to conceal malicious activities. Adversaries may create these directories using unexpected parent processes in sensitive locations. The detection rule identifies such anomalies by monitoring directory creation commands executed by unusual parent executables, focusing on specific directories and excluding known benign patterns. - -### Possible investigation steps - -- Review the process.parent.executable field to identify the parent process that initiated the directory creation and assess its legitimacy based on its typical behavior and location. -- Examine the process.args field to understand the specific arguments used with the mkdir command, focusing on the directory path and any patterns that may indicate malicious intent. -- Check the process.command_line field for any unusual or suspicious command-line patterns that might suggest an attempt to evade detection. -- Investigate the context of the parent process by reviewing recent activities or logs associated with it, especially if it originates from sensitive directories like /dev/shm, /tmp, or /var/tmp. -- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or patterns that could indicate a broader attack or compromise. 
-- Consult threat intelligence sources or databases to determine if the parent executable or directory path has been associated with known malicious activities or threat actors. - -### False positive analysis - -- Temporary directories used by legitimate applications can trigger false positives. Exclude known benign parent executables like those in "/tmp/newroot/*" or "/run/containerd/*" to reduce noise. -- Automated build processes may create hidden directories during software compilation. Add exceptions for parent executables such as "/var/tmp/buildah*" or "/tmp/python-build.*" to prevent unnecessary alerts. -- Development tools and scripts might create hidden directories for caching or temporary storage. Consider excluding parent executables like "/tmp/pear/temp/*" or "/tmp/cliphist-wofi-img" if they are part of regular development activities. -- Ensure that the command line patterns like "mkdir -p ." or "mkdir ./*" are excluded, as these are common in scripts and do not typically indicate malicious intent. -- Regularly review and update the list of excluded patterns and parent executables to align with changes in the environment and reduce false positives effectively. -### Response and remediation - -- Isolate the affected system from the network to prevent further malicious activity and lateral movement. -- Terminate any suspicious processes associated with the unusual parent executable identified in the alert to halt potential malicious operations. -- Conduct a thorough review of the hidden directory and its contents to identify and remove any malicious files or tools. -- Restore any affected files or configurations from a known good backup to ensure system integrity. -- Implement stricter access controls and monitoring on sensitive directories to prevent unauthorized directory creation. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised. 
-- Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -139,3 +138,4 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 82d386bd667..5bcb15995f5 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/20" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -min_stack_version = "8.13.0" -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,6 +17,40 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Creation of Hidden Shared Object File"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Creation of Hidden Shared Object File
+
+Shared object files (.so) are dynamic libraries used in Linux environments to provide reusable code. Adversaries may exploit the ability to hide files by prefixing them with a dot, concealing malicious .so files for persistence and evasion. The detection rule identifies the creation of such hidden files, excluding benign processes like Docker, to flag potential threats.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific hidden shared object file (.so) that was created, noting its full path and filename.
+- Investigate the process that created the file by examining the process name and its parent process, excluding "dockerd" as per the query, to determine if the process is legitimate or potentially malicious.
+- Check the file creation timestamp and correlate it with other system activities or logs to identify any suspicious behavior or patterns around the time of creation.
+- Analyze the contents of the hidden .so file, if accessible, to determine its purpose and whether it contains any malicious code or indicators of compromise.
+- Investigate the user account associated with the file creation event to assess if the account has been compromised or is involved in unauthorized activities.
+- Search for any other hidden files or suspicious activities on the system that may indicate a broader compromise or persistence mechanism.
+
+### False positive analysis
+
+- Development and testing environments may frequently create hidden .so files as part of routine operations. Users can mitigate this by excluding specific directories or processes known to be part of development workflows.
+- Backup or system maintenance scripts might generate hidden .so files temporarily. Identify and exclude these scripts or their associated processes to prevent false alerts.
+- Some legitimate software installations or updates may create hidden .so files as part of their setup process. Users should monitor installation logs and whitelist these processes if they are verified as non-threatening.
+- Custom applications or services that use hidden .so files for legitimate purposes should be documented, and their creation processes should be excluded from detection to avoid unnecessary alerts.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
+- Terminate any suspicious processes associated with the creation of the hidden .so file, except for known benign processes like Docker.
+- Remove the hidden .so file from the system to eliminate the immediate threat. Ensure that the file is securely deleted to prevent recovery.
+- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or artifacts.
+- Review system logs and process execution history to identify any unauthorized access or changes made around the time of the file creation. This can help in understanding the scope of the compromise.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and alerting for similar activities, such as the creation of hidden files, to improve detection and response times for future incidents."""
 risk_score = 47
 rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c"
 setup = """## Setup
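Review bot: The added guide describes the query as excluding only Docker — `excluding benign processes like Docker` in the overview, `excluding "dockerd" as per the query` in the investigation steps, and `except for known benign processes like Docker` in the remediation bullet — but the query shown as context in the next hunk excludes `not process.name in ("dockerd", "azcopy", "podman")`. Analysts reading the note would treat a hidden `.so` written by `azcopy` or `podman` as unexpected even though the rule never alerts on them. Name all three in each of those sentences, e.g. `excluding "dockerd", "azcopy" and "podman" as per the query`, so the note matches the rule it documents.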
@@ -79,40 +111,6 @@ query = ''' file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and not process.name in ("dockerd", "azcopy", "podman") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Creation of Hidden Shared Object File - -Shared object files (.so) are dynamic libraries used in Linux environments to provide reusable code. Adversaries may exploit the ability to hide files by prefixing them with a dot, concealing malicious .so files for persistence and evasion. The detection rule identifies the creation of such hidden files, excluding benign processes like Docker, to flag potential threats. - -### Possible investigation steps - -- Review the alert details to identify the specific hidden shared object file (.so) that was created, noting its full path and filename. -- Investigate the process that created the file by examining the process name and its parent process, excluding "dockerd" as per the query, to determine if the process is legitimate or potentially malicious. -- Check the file creation timestamp and correlate it with other system activities or logs to identify any suspicious behavior or patterns around the time of creation. -- Analyze the contents of the hidden .so file, if accessible, to determine its purpose and whether it contains any malicious code or indicators of compromise. -- Investigate the user account associated with the file creation event to assess if the account has been compromised or is involved in unauthorized activities. 
-- Search for any other hidden files or suspicious activities on the system that may indicate a broader compromise or persistence mechanism.
-
-### False positive analysis
-
-- Development and testing environments may frequently create hidden .so files as part of routine operations. Users can mitigate this by excluding specific directories or processes known to be part of development workflows.
-- Backup or system maintenance scripts might generate hidden .so files temporarily. Identify and exclude these scripts or their associated processes to prevent false alerts.
-- Some legitimate software installations or updates may create hidden .so files as part of their setup process. Users should monitor installation logs and whitelist these processes if they are verified as non-threatening.
-- Custom applications or services that use hidden .so files for legitimate purposes should be documented, and their creation processes should be excluded from detection to avoid unnecessary alerts.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
-- Terminate any suspicious processes associated with the creation of the hidden .so file, except for known benign processes like Docker.
-- Remove the hidden .so file from the system to eliminate the immediate threat. Ensure that the file is securely deleted to prevent recovery.
-- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or artifacts.
-- Review system logs and process execution history to identify any unauthorized access or changes made around the time of the file creation. This can help in understanding the scope of the compromise.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Implement enhanced monitoring and alerting for similar activities, such as the creation of hidden files, to improve detection and response times for future incidents.""" [[rule.threat]] diff --git a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml index 8c03d97d941..1fefad94398 100644 --- a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml +++ b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/04/07" [rule] author = ["Elastic"] 
@@ -16,6 +16,42 @@ index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Base64 Decoded Payload Piped to Interpreter"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Base64 Decoded Payload Piped to Interpreter
+
+Base64 encoding is a method to encode binary data into ASCII text, often used for data obfuscation. Adversaries exploit this by encoding malicious payloads and decoding them on a target system, piping the output to interpreters like bash or python for execution. The detection rule identifies such activities by monitoring for processes that decode Base64 and subsequently execute scripts, indicating potential malicious behavior.
+
+### Possible investigation steps
+
+- Review the process command line arguments to identify the specific Base64 decoding activity, focusing on the presence of flags like `-d` or `-a` in conjunction with tools such as `base64`, `openssl`, or scripting languages like `python`, `perl`, or `ruby`.
+- Examine the parent process entity ID and command line to understand the context in which the Base64 decoding was initiated, identifying any potentially suspicious parent processes.
+- Investigate the subsequent interpreter process that was executed, such as `bash`, `python`, or `ruby`, to determine the nature of the script or command being run, looking for any signs of malicious activity.
+- Check the timing and sequence of the processes involved to confirm if the Base64 decoding and interpreter execution occurred within the specified maxspan of 3 seconds, indicating a likely automated or scripted action.
+- Analyze the host ID and any associated user accounts to determine if the activity aligns with expected behavior for that system or user, or if it suggests unauthorized access or compromise.
+- Correlate the alert with other security events or logs from the same host or user to identify any additional indicators of compromise or related suspicious activities.
+
+### False positive analysis
+
+- Legitimate administrative scripts may use Base64 encoding to handle data securely. Review the context of the script execution and consider excluding specific scripts or directories from monitoring if they are verified as safe.
+- Automated backup or data transfer processes might use Base64 encoding for data integrity. Identify these processes and create exceptions for known, trusted applications or scripts.
+- Development environments often use Base64 encoding for testing purposes. If a development tool or script is frequently triggering alerts, consider excluding the specific development environment or user accounts from this rule.
+- Security tools or monitoring solutions may use Base64 encoding as part of their normal operations. Verify the source of the alert and exclude known security tools from triggering this rule.
+- System updates or package installations might involve Base64 operations. Monitor the timing and context of these alerts and exclude specific update processes if they are consistently identified as false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further execution of potentially malicious code and lateral movement.
+- Terminate any suspicious processes identified by the detection rule, particularly those involving base64 decoding and piping to interpreters.
+- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise, such as unauthorized file modifications or network connections.
+- Restore the system from a known good backup if malicious activity is confirmed and the integrity of the system is compromised. +- Update and patch all software and systems to mitigate vulnerabilities that could be exploited by similar techniques. +- Implement enhanced monitoring and logging for base64 decoding activities and interpreter executions to detect similar threats in the future. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist. +""" risk_score = 47 rule_id = "5bdad1d5-5001-4a13-ae99-fa8619500f1a" setup = """## Setup @@ -51,6 +87,7 @@ tags = [ "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index 065c84ee7ef..2e6368d9fc4 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/24" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
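Review bot: `note = """ ## Triage and analysis` carries a space before the heading and the closing `"""` sits on a line of its own, so this rule's stored note begins with a leading space and ends with a newline, unlike every other `note` in this change, which opens with `"""## Triage and analysis` and closes directly after the last sentence. Markdown still renders an ATX heading with up to three leading spaces, but the stray whitespace will surface in any diff or normalizer comparison against the other rules and is the kind of drift a later reformat pass then churns on. Change the opener to `note = """## Triage and analysis` and move the delimiter onto the final bullet: `...to determine if broader organizational impacts exist."""`.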
@@ -20,10 +18,50 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Kernel Module Removal"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Kernel Module Removal
+
+Kernel modules dynamically extend a Linux kernel's capabilities without rebooting. Adversaries may exploit this by removing modules to disable security features or hide malicious activities. The detection rule identifies suspicious module removal attempts by monitoring processes like `rmmod` or `modprobe` with removal arguments, especially when initiated by common shell environments, indicating potential defense evasion tactics.
+
+### Possible investigation steps
+
+- Review the process details to confirm the execution of `rmmod` or `modprobe` with removal arguments. Check the command line arguments to ensure they match the suspicious activity criteria.
+- Identify the parent process of the suspicious activity, focusing on shell environments like `sudo`, `bash`, `dash`, `ash`, `sh`, `tcsh`, `csh`, `zsh`, `ksh`, or `fish`, to understand the context in which the module removal was initiated.
+- Investigate the user account associated with the process to determine if the activity aligns with expected behavior or if it indicates potential unauthorized access.
+- Check system logs and audit logs for any preceding or subsequent suspicious activities that might correlate with the module removal attempt, such as privilege escalation or other defense evasion tactics.
+- Assess the impact of the module removal on system security features and functionality, and determine if any critical security modules were targeted.
+- Review recent changes or updates to the system that might explain the module removal, such as legitimate maintenance or updates, to rule out false positives.
+
+### False positive analysis
+
+- Routine administrative tasks may trigger the rule when system administrators use `rmmod` or `modprobe` for legitimate maintenance. To handle this, create exceptions for specific user accounts or scripts known to perform these tasks regularly.
+- Automated scripts or configuration management tools that manage kernel modules might cause false positives. Identify these tools and exclude their processes from the rule to prevent unnecessary alerts.
+- Some Linux distributions or custom setups might use shell scripts that invoke `rmmod` or `modprobe` during system updates or package installations. Monitor these activities and whitelist the associated parent processes if they are verified as non-threatening.
+- Development environments where kernel module testing is frequent can generate alerts. Exclude specific development machines or user accounts involved in module testing to reduce noise.
+- Security tools that perform regular checks or updates on kernel modules might inadvertently trigger the rule. Verify these tools and add them to the exception list to avoid false positives.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary.
+- Terminate any suspicious processes identified as attempting to remove kernel modules, such as those initiated by `rmmod` or `modprobe` with removal arguments.
+- Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized access or privilege escalation has occurred.
+- Restore any disabled security features or kernel modules to their original state to ensure the system's defenses are intact.
+- Analyze system logs and audit trails to identify any additional indicators of compromise or related malicious activities.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
+- Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts promptly."""
 references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
 risk_score = 47
 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
@@ -66,6 +104,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
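Review bot: The remediation step `Terminate any suspicious processes identified as attempting to remove kernel modules, such as those initiated by rmmod or modprobe with removal arguments` is rarely actionable for this rule: `rmmod` and `modprobe -r` exit almost immediately, so by the time the alert is raised there is normally no process left to terminate, and the damage (an unloaded module) has already happened. The useful action is to establish whether the removal succeeded and undo it, which the later "Restore any disabled security features" bullet only hints at. I would replace the terminate step with `- Compare the currently loaded modules (lsmod) against the expected baseline for the host and confirm whether the module named on the command line was actually unloaded; reload it immediately if it is a security, auditing or integrity module.` The guide's remaining steps are fine as written.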
@@ -75,74 +114,40 @@ process where host.os.type == "linux" and event.type == "start" and
 ) and process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''
-note = """## Triage and analysis
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Kernel Module Removal
-
-Kernel modules dynamically extend a Linux kernel's capabilities without rebooting. Adversaries may exploit this by removing modules to disable security features or hide malicious activities. The detection rule identifies suspicious module removal attempts by monitoring processes like `rmmod` or `modprobe` with removal arguments, especially when initiated by common shell environments, indicating potential defense evasion tactics.
-
-### Possible investigation steps
-
-- Review the process details to confirm the execution of `rmmod` or `modprobe` with removal arguments. Check the command line arguments to ensure they match the suspicious activity criteria.
-- Identify the parent process of the suspicious activity, focusing on shell environments like `sudo`, `bash`, `dash`, `ash`, `sh`, `tcsh`, `csh`, `zsh`, `ksh`, or `fish`, to understand the context in which the module removal was initiated.
-- Investigate the user account associated with the process to determine if the activity aligns with expected behavior or if it indicates potential unauthorized access.
-- Check system logs and audit logs for any preceding or subsequent suspicious activities that might correlate with the module removal attempt, such as privilege escalation or other defense evasion tactics.
-- Assess the impact of the module removal on system security features and functionality, and determine if any critical security modules were targeted.
-- Review recent changes or updates to the system that might explain the module removal, such as legitimate maintenance or updates, to rule out false positives.
-
-### False positive analysis
-
-- Routine administrative tasks may trigger the rule when system administrators use `rmmod` or `modprobe` for legitimate maintenance. To handle this, create exceptions for specific user accounts or scripts known to perform these tasks regularly.
-- Automated scripts or configuration management tools that manage kernel modules might cause false positives. Identify these tools and exclude their processes from the rule to prevent unnecessary alerts.
-- Some Linux distributions or custom setups might use shell scripts that invoke `rmmod` or `modprobe` during system updates or package installations. Monitor these activities and whitelist the associated parent processes if they are verified as non-threatening.
-- Development environments where kernel module testing is frequent can generate alerts. Exclude specific development machines or user accounts involved in module testing to reduce noise.
-- Security tools that perform regular checks or updates on kernel modules might inadvertently trigger the rule. Verify these tools and add them to the exception list to avoid false positives.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary.
-- Terminate any suspicious processes identified as attempting to remove kernel modules, such as those initiated by `rmmod` or `modprobe` with removal arguments.
-- Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized access or privilege escalation has occurred.
-- Restore any disabled security features or kernel modules to their original state to ensure the system's defenses are intact.
-- Analyze system logs and audit trails to identify any additional indicators of compromise or related malicious activities.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
-- Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts promptly."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1547.006"
 name = "Kernel Modules and Extensions"
 reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/linux/defense_evasion_kill_command_executed.toml b/rules/linux/defense_evasion_kill_command_executed.toml
index b9af2419cac..ec54a5aa6be 100644
--- a/rules/linux/defense_evasion_kill_command_executed.toml
+++ b/rules/linux/defense_evasion_kill_command_executed.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/04/07"
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,40 @@ index = ["logs-endpoint.events.process*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kill Command Execution"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Kill Command Execution
+In Linux environments, commands like kill, pkill, and killall are essential for managing processes, allowing users to terminate them as needed. However, adversaries can exploit these commands to disable security tools or disrupt operations, aiding in evasion tactics. The detection rule identifies such misuse by monitoring process execution events, specifically targeting these commands to flag potential threats.
+
+### Possible investigation steps
+
+- Review the process execution event details to identify the user account associated with the kill, pkill, or killall command execution. This can help determine if the action was performed by a legitimate user or a potential adversary.
+- Examine the parent process of the command execution to understand the context in which the kill command was initiated. This can provide insights into whether the command was part of a script or an interactive session.
+- Check the target process IDs (PIDs) that were terminated by the kill command to assess if critical or security-related processes were affected, which might indicate malicious intent.
+- Investigate the timing and frequency of the command execution to identify patterns or anomalies, such as repeated or scheduled executions, which could suggest automated or scripted activity.
+- Correlate the event with other security alerts or logs from the same host around the same timeframe to identify any related suspicious activities or indicators of compromise.
+
+### False positive analysis
+
+- Routine system maintenance tasks may trigger the rule when administrators use kill commands to manage processes. To handle this, create exceptions for known maintenance scripts or processes by identifying their unique attributes, such as user or command line arguments.
+- Automated scripts or monitoring tools that use kill commands for legitimate purposes, like restarting services, can cause false positives. Exclude these by specifying the script names or paths in the detection rule.
+- Development environments where developers frequently use kill commands during testing can lead to alerts. Consider excluding processes executed by specific user accounts associated with development activities.
+- System updates or package management tools might use kill commands as part of their operation. Identify these processes and exclude them based on their parent process or command line patterns.
+- Backup or recovery operations that involve stopping services may trigger the rule. Exclude these by recognizing the specific backup software or service names involved.
+
+### Response and remediation
+
+- Immediately isolate the affected Linux system from the network to prevent further malicious activity or lateral movement by the attacker.
+- Identify and terminate any unauthorized or suspicious processes that were started around the time of the alert, focusing on those that may have been targeted by the kill, pkill, or killall commands.
+- Review system logs and process execution history to determine the origin of the kill command execution and assess whether it was initiated by a legitimate user or a compromised account.
+- Restore any terminated security tools or critical processes to ensure the system's defenses are fully operational.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection tools to identify and remove any additional malware or persistence mechanisms.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
+- Implement additional monitoring and alerting for similar command executions across the network to enhance detection and response capabilities for future incidents.
+"""
 risk_score = 21
 rule_id = "f391d3fd-219b-42a3-9ba9-2f66eb0155aa"
 setup = """## Setup
@@ -49,7 +83,8 @@ tags = [
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml
index 5047db3c552..6d36e1fdca9 100644
--- a/rules/linux/defense_evasion_kthreadd_masquerading.toml
+++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
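Review bot: The guide opens as `note = """ ## Triage and analysis` with a space before `##`, while every other guide added in this commit starts `"""## Triage and analysis`; markdown still renders a heading with one leading space, but the stored note differs from the rest of the rule set, so I would drop the space. In the same text, `### Investigating Kill Command Execution` is the only section heading here not followed by a blank line before its paragraph. Separately, the response step `Identify and terminate any unauthorized or suspicious processes ... focusing on those that may have been targeted by the kill, pkill, or killall commands` reads backwards: the processes that were the target of the kill are the victims, and the following bullet about restoring terminated security tools already covers them. I would reword it to focus on the process and user that issued the kill, e.g. `- Identify the process that issued the kill, pkill, or killall command and its ancestry; terminate it and any unauthorized processes it spawned if the activity is confirmed malicious.`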
@@ -14,10 +12,49 @@ as kthreadd and kworker typically do not have process.executable fields associat
 hide their malicious programs by masquerading as legitimate kernel processes.
 """
 from = "now-9m"
-index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Executable Masquerading as Kernel Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Executable Masquerading as Kernel Process
+
+In Linux environments, kernel processes like `kthreadd` and `kworker` typically run without associated executable paths. Adversaries exploit this by naming malicious executables after these processes to evade detection. The detection rule identifies anomalies by flagging kernel-named processes with non-empty executable fields, indicating potential masquerading attempts. This helps in uncovering stealthy threats that mimic legitimate system activities.
+
+### Possible investigation steps
+
+- Review the process details for the flagged process, focusing on the process.executable field to identify the path and name of the executable. This can provide initial insights into whether the executable is legitimate or potentially malicious.
+- Check the process's parent process (process.parent) to understand the context in which the process was started. This can help determine if the process was spawned by a legitimate system process or a suspicious one.
+- Investigate the file at the path specified in the process.executable field.
Verify its legitimacy by checking its hash against known malware databases or using a file reputation service.
+- Examine the process's command line arguments (process.command_line) for any unusual or suspicious parameters that might indicate malicious activity.
+- Review recent system logs and events around the time the process was started to identify any related activities or anomalies that could provide additional context or evidence of compromise.
+- If available, use threat intelligence sources to check for any known indicators of compromise (IOCs) related to the process name or executable path.
+
+### False positive analysis
+
+- Custom scripts or administrative tools may be named similarly to kernel processes for convenience or organizational standards. Review these scripts and tools to ensure they are legitimate and consider adding them to an exception list if verified.
+- Some legitimate software or monitoring tools might use kernel-like names for their processes to integrate closely with system operations. Verify the source and purpose of these processes and exclude them if they are confirmed to be non-malicious.
+- System updates or patches might temporarily create processes with kernel-like names that have executable paths. Monitor these occurrences and exclude them if they are part of a verified update process.
+- Development or testing environments may intentionally use kernel-like names for process simulation. Ensure these environments are isolated and add exceptions for these processes if they are part of controlled testing scenarios.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
+- Terminate the suspicious process immediately to stop any ongoing malicious actions. Use process management tools to kill the process identified by the alert.
+- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise (IOCs) and assess the extent of the intrusion.
+- Remove any malicious executables or files associated with the masquerading process from the system to ensure complete remediation.
+- Restore the system from a known good backup if the integrity of the system is compromised, ensuring that the backup is free from any malicious artifacts.
+- Update and patch the system to close any vulnerabilities that may have been exploited by the attacker, ensuring all software and security tools are up to date.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"]
 risk_score = 21
 rule_id = "202829f6-0271-4e88-b882-11a655c590d4"
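Review bot: The second investigation step, `Check the process's parent process (process.parent) to understand the context`, leaves the analyst without the one fact that makes this check decisive: genuine kernel threads are spawned by kthreadd (PID 2) and carry no executable path, so a `kworker*` or `kthread*` process whose parent is a shell, a cron job or any other user-space binary with a real path is exactly the masquerading case the query is built to catch. I would extend that bullet with `A legitimate kworker/kthread has kthreadd (PID 2) as its parent and no process.executable; a user-space parent is itself a strong indicator of masquerading.` The false-positive bullets about scripts "named similarly to kernel processes" would then also read more precisely, since the exception should be keyed on the full executable path rather than the name alone.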
@@ -66,40 +103,6 @@ query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name : ("kworker*", "kthread*") and process.executable != null
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Executable Masquerading as Kernel Process
-
-In Linux environments, kernel processes like `kthreadd` and `kworker` typically run without associated executable paths. Adversaries exploit this by naming malicious executables after these processes to evade detection. The detection rule identifies anomalies by flagging kernel-named processes with non-empty executable fields, indicating potential masquerading attempts. This helps in uncovering stealthy threats that mimic legitimate system activities.
-
-### Possible investigation steps
-
-- Review the process details for the flagged process, focusing on the process.executable field to identify the path and name of the executable. This can provide initial insights into whether the executable is legitimate or potentially malicious.
-- Check the process's parent process (process.parent) to understand the context in which the process was started. This can help determine if the process was spawned by a legitimate system process or a suspicious one.
-- Investigate the file at the path specified in the process.executable field. Verify its legitimacy by checking its hash against known malware databases or using a file reputation service.
-- Examine the process's command line arguments (process.command_line) for any unusual or suspicious parameters that might indicate malicious activity.
-- Review recent system logs and events around the time the process was started to identify any related activities or anomalies that could provide additional context or evidence of compromise.
-- If available, use threat intelligence sources to check for any known indicators of compromise (IOCs) related to the process name or executable path.
-
-### False positive analysis
-
-- Custom scripts or administrative tools may be named similarly to kernel processes for convenience or organizational standards. Review these scripts and tools to ensure they are legitimate and consider adding them to an exception list if verified.
-- Some legitimate software or monitoring tools might use kernel-like names for their processes to integrate closely with system operations. Verify the source and purpose of these processes and exclude them if they are confirmed to be non-malicious.
-- System updates or patches might temporarily create processes with kernel-like names that have executable paths. Monitor these occurrences and exclude them if they are part of a verified update process.
-- Development or testing environments may intentionally use kernel-like names for process simulation. Ensure these environments are isolated and add exceptions for these processes if they are part of controlled testing scenarios.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
-- Terminate the suspicious process immediately to stop any ongoing malicious actions. Use process management tools to kill the process identified by the alert.
-- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise (IOCs) and assess the extent of the intrusion.
-- Remove any malicious executables or files associated with the masquerading process from the system to ensure complete remediation.
-- Restore the system from a known good backup if the integrity of the system is compromised, ensuring that the backup is free from any malicious artifacts.
-- Update and patch the system to close any vulnerabilities that may have been exploited by the attacker, ensuring all software and security tools are up to date.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
diff --git a/rules/linux/defense_evasion_ld_so_creation.toml b/rules/linux/defense_evasion_ld_so_creation.toml
index fc677858c05..0614fe7bf30 100644
--- a/rules/linux/defense_evasion_ld_so_creation.toml
+++ b/rules/linux/defense_evasion_ld_so_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/12/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,42 @@ index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endg
 language = "eql"
 license = "Elastic License v2"
 name = "Dynamic Linker (ld.so) Creation"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Dynamic Linker (ld.so) Creation
+
+The dynamic linker, ld.so, is crucial in Linux environments for loading shared libraries required by executables. Adversaries may exploit this by replacing it with a malicious version to execute unauthorized code, achieving persistence or evading defenses. The detection rule identifies suspicious creation of ld.so files, excluding benign processes, to flag potential threats.
+
+### Possible investigation steps
+
+- Review the process that triggered the alert by examining the process.executable field to understand which application attempted to create the ld.so file.
+- Check the process.name field to ensure the process is not one of the benign processes listed in the exclusion criteria, such as "dockerd", "yum", "dnf", "microdnf", or "pacman".
+- Investigate the file.path to confirm the location of the newly created ld.so file and verify if it matches any of the specified directories like "/lib", "/lib64", "/usr/lib", or "/usr/lib64".
+- Analyze the parent process of the suspicious executable to determine if it was initiated by a legitimate or potentially malicious source.
+- Look for any recent changes or anomalies in the system logs around the time of the file creation event to identify any related suspicious activities.
+- Cross-reference the event with other security tools or logs, such as Elastic Defend or SentinelOne, to gather additional context or corroborating evidence of malicious activity.
+- Assess the risk and impact of the event by considering the system's role and the potential consequences of a compromised dynamic linker on that system.
+
+### False positive analysis
+
+- Package managers like yum, dnf, microdnf, and pacman can trigger false positives when they update or install packages that involve the dynamic linker. These processes are already excluded in the rule, but ensure any custom package managers or scripts are also considered for exclusion.
+- Container management tools such as dockerd may create or modify ld.so files during container operations. If you use other container tools, consider adding them to the exclusion list to prevent false positives.
+- System updates or maintenance scripts that involve library updates might create ld.so files. Review these scripts and add them to the exclusion list if they are verified as non-threatening.
+- Custom administrative scripts or automation tools that interact with shared libraries could inadvertently trigger the rule. Identify these scripts and exclude them if they are part of regular, secure operations.
+- Development environments where ld.so files are frequently created or modified during testing and compilation processes may need specific exclusions for development tools or environments to avoid false positives.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
+- Verify the integrity of the dynamic linker (ld.so) on the affected system by comparing it with a known good version from a trusted source or repository.
+- If the dynamic linker has been tampered with, replace it with the verified version and ensure all system binaries are intact.
+- Conduct a thorough scan of the system using updated antivirus or endpoint detection tools to identify and remove any additional malicious files or processes.
+- Review system logs and the process creation history to identify the source of the unauthorized ld.so creation and any associated malicious activity.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.
+- Implement additional monitoring and alerting for similar suspicious activities, such as unauthorized file creations in critical system directories, to enhance future detection capabilities."""
 risk_score = 21
 rule_id = "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a"
 setup = """## Setup
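Review bot: Two of the new investigation steps only re-check conditions the query already enforces: `Check the process.name field to ensure the process is not one of the benign processes listed in the exclusion criteria` can never fail for a firing alert, because `not process.name in ("dockerd", "yum", "dnf", "microdnf", "pacman")` is part of the query, and the file.path step likewise re-verifies the `like~` patterns the rule matched on. Since that exclusion keys on process.name alone, the step that would actually help triage is confirming that process.executable is the real installed path of the package manager or container runtime, not merely that the name matches; I would reword the second bullet to `- Confirm that process.executable is the genuine installed path of the tool that wrote the file; the rule's exclusions match on process.name only, so a name match by itself proves nothing.` and fold the file.path bullet into the first step as "note which of the four linker paths was written". The same name-only caveat applies to the false-positive section's advice to add further tools to the exclusion list.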
@@ -60,93 +94,58 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and process.executable != null and file.path like~ ("/lib/ld-linux*.so*", "/lib64/ld-linux*.so*", "/usr/lib/ld-linux*.so*", "/usr/lib64/ld-linux*.so*") and not process.name in ("dockerd", "yum", "dnf", "microdnf", "pacman") ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Dynamic Linker (ld.so) Creation - -The dynamic linker, ld.so, is crucial in Linux environments for loading shared libraries required by executables. Adversaries may exploit this by replacing it with a malicious version to execute unauthorized code, achieving persistence or evading defenses. The detection rule identifies suspicious creation of ld.so files, excluding benign processes, to flag potential threats. - -### Possible investigation steps - -- Review the process that triggered the alert by examining the process.executable field to understand which application attempted to create the ld.so file. -- Check the process.name field to ensure the process is not one of the benign processes listed in the exclusion criteria, such as "dockerd", "yum", "dnf", "microdnf", or "pacman". -- Investigate the file.path to confirm the location of the newly created ld.so file and verify if it matches any of the specified directories like "/lib", "/lib64", "/usr/lib", or "/usr/lib64". -- Analyze the parent process of the suspicious executable to determine if it was initiated by a legitimate or potentially malicious source. 
-- Look for any recent changes or anomalies in the system logs around the time of the file creation event to identify any related suspicious activities.
-- Cross-reference the event with other security tools or logs, such as Elastic Defend or SentinelOne, to gather additional context or corroborating evidence of malicious activity.
-- Assess the risk and impact of the event by considering the system's role and the potential consequences of a compromised dynamic linker on that system.
-
-### False positive analysis
-
-- Package managers like yum, dnf, microdnf, and pacman can trigger false positives when they update or install packages that involve the dynamic linker. These processes are already excluded in the rule, but ensure any custom package managers or scripts are also considered for exclusion.
-- Container management tools such as dockerd may create or modify ld.so files during container operations. If you use other container tools, consider adding them to the exclusion list to prevent false positives.
-- System updates or maintenance scripts that involve library updates might create ld.so files. Review these scripts and add them to the exclusion list if they are verified as non-threatening.
-- Custom administrative scripts or automation tools that interact with shared libraries could inadvertently trigger the rule. Identify these scripts and exclude them if they are part of regular, secure operations.
-- Development environments where ld.so files are frequently created or modified during testing and compilation processes may need specific exclusions for development tools or environments to avoid false positives.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
-- Verify the integrity of the dynamic linker (ld.so) on the affected system by comparing it with a known good version from a trusted source or repository.
-- If the dynamic linker has been tampered with, replace it with the verified version and ensure all system binaries are intact. -- Conduct a thorough scan of the system using updated antivirus or endpoint detection tools to identify and remove any additional malicious files or processes. -- Review system logs and the process creation history to identify the source of the unauthorized ld.so creation and any associated malicious activity. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected. -- Implement additional monitoring and alerting for similar suspicious activities, such as unauthorized file creations in critical system directories, to enhance future detection capabilities.""" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat.technique]] - id = "T1218" - name = "System Binary Proxy Execution" - reference = "https://attack.mitre.org/techniques/T1218/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" - - 
[[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index 814aee33818..af7b10504f1 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -min_stack_version = "8.13.0" -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
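Review bot: The query's `event.type == "creation"` clause fires only when a new file appears at one of the listed paths, so overwriting the existing loader in place or renaming a staged copy over it — the direct way to swap ld.so — would not match if the listed data sources report those as `change` rather than creation events; if they do, `event.type in ("creation", "change")` is the safer predicate. The path list also misses the Debian/Ubuntu multiarch layout, where `/lib64/ld-linux-x86-64.so.2` is a symlink and the real loader lives at `/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2` (and musl's `/lib/ld-musl-*.so.1` is not covered at all), so a write to the symlink target is invisible to this rule; adding `"/lib/*/ld-linux*.so*", "/usr/lib/*/ld-linux*.so*"` to the `like~` list would close the glibc gap. Finally, `not process.name in ("dockerd", "yum", "dnf", "microdnf", "pacman")` keys on the attacker-chosen basename, so a dropper named `yum` is excluded outright; pinning the exclusions to `process.executable` paths such as `/usr/bin/yum` is harder to spoof and worth a sentence in the false-positive section. The `[rule]` table this query belongs to starts before the hunk.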
@@ -17,6 +15,41 @@ index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.file*", "logs-sentine
 language = "eql"
 license = "Elastic License v2"
 name = "System Log File Deletion"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating System Log File Deletion
+
+System logs are crucial for monitoring and auditing activities on Linux systems, providing insights into system events and user actions. Adversaries may delete these logs to cover their tracks, hindering forensic investigations. The detection rule identifies suspicious deletions of key log files, excluding benign processes like compression tools, to flag potential evasion attempts. This helps security analysts quickly respond to and investigate unauthorized log deletions.
+
+### Possible investigation steps
+
+- Review the specific file path involved in the deletion event to determine which log file was targeted, using the file.path field from the alert.
+- Investigate the process responsible for the deletion by examining the process.name and related process metadata to identify any suspicious or unauthorized activity.
+- Check for any recent login or session activity around the time of the log deletion by reviewing other logs or authentication records, focusing on the /var/log/auth.log and /var/log/secure files if they are still available.
+- Analyze the user account associated with the deletion event to determine if it has a history of suspicious activity or if it was potentially compromised.
+- Correlate the deletion event with other security alerts or anomalies in the system to identify any patterns or related incidents that might indicate a broader attack or compromise.
+- Assess the impact of the log deletion on the system's security posture and determine if any critical forensic evidence has been lost, considering the importance of the deleted log file.
+
+### False positive analysis
+
+- Compression tools like gzip may trigger false positives when they temporarily delete log files during compression. To mitigate this, ensure gzip is included in the exclusion list within the detection rule.
+- Automated system maintenance scripts might delete or rotate log files as part of routine operations. Review these scripts and add their process names to the exclusion list if they are verified as non-threatening.
+- Docker-related processes, such as dockerd, can also cause false positives when managing container logs. Confirm these activities are legitimate and include dockerd in the exclusion list to prevent unnecessary alerts.
+- Custom backup or log management tools may delete logs as part of their normal function. Identify these tools and add their process names to the exclusion list after verifying their benign nature.
+- Scheduled tasks or cron jobs that manage log files should be reviewed. If they are confirmed to be safe, their associated process names should be added to the exclusion list to avoid false positives.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data tampering.
+- Conduct a thorough review of user accounts and permissions on the affected system to identify any unauthorized access or privilege escalation.
+- Restore deleted log files from backups if available, to aid in further forensic analysis and to maintain system integrity.
+- Implement enhanced monitoring on the affected system and similar systems to detect any further unauthorized log deletions or suspicious activities.
+- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the breach. +- Review and update security policies and configurations to ensure that only authorized processes can delete critical log files, leveraging access controls and audit policies. +- Consider deploying additional endpoint detection and response (EDR) solutions to improve visibility and detection capabilities for similar threats in the future.""" references = [ "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", 
@@ -96,41 +129,6 @@ file where host.os.type == "linux" and event.type == "deletion" and ) and not process.name in ("gzip", "executor", "dockerd") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating System Log File Deletion - -System logs are crucial for monitoring and auditing activities on Linux systems, providing insights into system events and user actions. Adversaries may delete these logs to cover their tracks, hindering forensic investigations. The detection rule identifies suspicious deletions of key log files, excluding benign processes like compression tools, to flag potential evasion attempts. This helps security analysts quickly respond to and investigate unauthorized log deletions. - -### Possible investigation steps - -- Review the specific file path involved in the deletion event to determine which log file was targeted, using the file.path field from the alert. -- Investigate the process responsible for the deletion by examining the process.name and related process metadata to identify any suspicious or unauthorized activity. -- Check for any recent login or session activity around the time of the log deletion by reviewing other logs or authentication records, focusing on the /var/log/auth.log and /var/log/secure files if they are still available. -- Analyze the user account associated with the deletion event to determine if it has a history of suspicious activity or if it was potentially compromised. -- Correlate the deletion event with other security alerts or anomalies in the system to identify any patterns or related incidents that might indicate a broader attack or compromise. 
-- Assess the impact of the log deletion on the system's security posture and determine if any critical forensic evidence has been lost, considering the importance of the deleted log file.
-
-### False positive analysis
-
-- Compression tools like gzip may trigger false positives when they temporarily delete log files during compression. To mitigate this, ensure gzip is included in the exclusion list within the detection rule.
-- Automated system maintenance scripts might delete or rotate log files as part of routine operations. Review these scripts and add their process names to the exclusion list if they are verified as non-threatening.
-- Docker-related processes, such as dockerd, can also cause false positives when managing container logs. Confirm these activities are legitimate and include dockerd in the exclusion list to prevent unnecessary alerts.
-- Custom backup or log management tools may delete logs as part of their normal function. Identify these tools and add their process names to the exclusion list after verifying their benign nature.
-- Scheduled tasks or cron jobs that manage log files should be reviewed. If they are confirmed to be safe, their associated process names should be added to the exclusion list to avoid false positives.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or data tampering.
-- Conduct a thorough review of user accounts and permissions on the affected system to identify any unauthorized access or privilege escalation.
-- Restore deleted log files from backups if available, to aid in further forensic analysis and to maintain system integrity.
-- Implement enhanced monitoring on the affected system and similar systems to detect any further unauthorized log deletions or suspicious activities.
-- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the breach. -- Review and update security policies and configurations to ensure that only authorized processes can delete critical log files, leveraging access controls and audit policies. -- Consider deploying additional endpoint detection and response (EDR) solutions to improve visibility and detection capabilities for similar threats in the future.""" [[rule.threat]] diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index b1b3758bffa..e410da79cdb 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,10 +16,51 @@ hidepid option all the user has to do is remount the /proc filesystem with the o detected. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Hidden Process via Mount Hidepid" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Hidden Process via Mount Hidepid + +The 'hidepid' mount option in Linux allows users to restrict visibility of process information in the /proc filesystem, enhancing privacy by limiting process visibility to the owner. Adversaries exploit this by remounting /proc with 'hidepid=2', concealing their processes from non-root users and evading detection tools like ps or top. The detection rule identifies such activity by monitoring for the execution of the mount command with specific arguments, flagging potential misuse for further investigation. + +### Possible investigation steps + +- Review the alert details to confirm the presence of the 'mount' process execution with arguments indicating '/proc' and 'hidepid=2'. +- Check the user account associated with the process execution to determine if it is a legitimate administrative user or a potential adversary. +- Investigate the parent process of the 'mount' command to understand the context and origin of the execution, ensuring it is not part of a known or legitimate administrative script. 
+- Examine recent login activity and user sessions on the host to identify any unauthorized access or suspicious behavior around the time of the alert.
+- Analyze other processes running on the system to identify any hidden or suspicious activities that might be related to the use of 'hidepid=2'.
+- Review system logs and audit logs for any additional indicators of compromise or related suspicious activities that coincide with the alert.
+
+### False positive analysis
+
+- System administrators or automated scripts may remount /proc with hidepid=2 for legitimate privacy or security reasons. To handle this, create exceptions for known administrative scripts or users by excluding their specific command lines or user IDs.
+- Some security tools or monitoring solutions might use hidepid=2 as part of their normal operation to enhance system security. Identify these tools and exclude their processes from triggering alerts by adding them to an allowlist.
+- Cloud environments or containerized applications might use hidepid=2 to isolate processes for multi-tenant security. Review the environment's standard operating procedures and exclude these known behaviors from detection.
+- Regular system updates or maintenance scripts might temporarily use hidepid=2. Document these occurrences and adjust the detection rule to ignore these specific maintenance windows or scripts.
+- If using a specific Linux distribution that employs hidepid=2 by default for certain operations, verify these defaults and configure the detection rule to exclude them.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
+- Use root privileges to remount the /proc filesystem without the 'hidepid=2' option to restore visibility of all processes.
+- Conduct a thorough review of running processes and system logs to identify any unauthorized or suspicious activities that may have been concealed.
+- Terminate any identified malicious processes and remove any associated files or scripts from the system.
+- Change all system and user passwords to prevent unauthorized access, especially if credential theft is suspected.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and alerting for future attempts to use the 'hidepid' option, ensuring rapid detection and response."""
 references = ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"]
 risk_score = 47
 rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204"
@@ -64,57 +103,25 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "executed", "process_started") and process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" and not process.parent.command_line like "/opt/cloudlinux/*" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Hidden Process via Mount Hidepid -The 'hidepid' mount option in Linux allows users to restrict visibility of process information in the /proc filesystem, enhancing privacy by limiting process visibility to the owner. Adversaries exploit this by remounting /proc with 'hidepid=2', concealing their processes from non-root users and evading detection tools like ps or top. The detection rule identifies such activity by monitoring for the execution of the mount command with specific arguments, flagging potential misuse for further investigation. - -### Possible investigation steps - -- Review the alert details to confirm the presence of the 'mount' process execution with arguments indicating '/proc' and 'hidepid=2'. -- Check the user account associated with the process execution to determine if it is a legitimate administrative user or a potential adversary. -- Investigate the parent process of the 'mount' command to understand the context and origin of the execution, ensuring it is not part of a known or legitimate administrative script. 
-- Examine recent login activity and user sessions on the host to identify any unauthorized access or suspicious behavior around the time of the alert.
-- Analyze other processes running on the system to identify any hidden or suspicious activities that might be related to the use of 'hidepid=2'.
-- Review system logs and audit logs for any additional indicators of compromise or related suspicious activities that coincide with the alert.
-
-### False positive analysis
-
-- System administrators or automated scripts may remount /proc with hidepid=2 for legitimate privacy or security reasons. To handle this, create exceptions for known administrative scripts or users by excluding their specific command lines or user IDs.
-- Some security tools or monitoring solutions might use hidepid=2 as part of their normal operation to enhance system security. Identify these tools and exclude their processes from triggering alerts by adding them to an allowlist.
-- Cloud environments or containerized applications might use hidepid=2 to isolate processes for multi-tenant security. Review the environment's standard operating procedures and exclude these known behaviors from detection.
-- Regular system updates or maintenance scripts might temporarily use hidepid=2. Document these occurrences and adjust the detection rule to ignore these specific maintenance windows or scripts.
-- If using a specific Linux distribution that employs hidepid=2 by default for certain operations, verify these defaults and configure the detection rule to exclude them.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
-- Use root privileges to remount the /proc filesystem without the 'hidepid=2' option to restore visibility of all processes.
-- Conduct a thorough review of running processes and system logs to identify any unauthorized or suspicious activities that may have been concealed.
-- Terminate any identified malicious processes and remove any associated files or scripts from the system. -- Change all system and user passwords to prevent unauthorized access, especially if credential theft is suspected. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring and alerting for future attempts to use the 'hidepid' option, ensuring rapid detection and response.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index 40d530a9378..81f8afa2c99 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml @@ -2,9 +2,7 @@ creation_date = "2023/03/07" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
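Review bot: The `process.args : "*hidepid=2*"` match covers only one spelling of the option; newer kernels (the 5.8 proc rework, if I recall correctly) also accept `hidepid=invisible` as the equivalent of `2`, and `hidepid=4` / `hidepid=ptraceable` hides every process the caller cannot ptrace, so an adversary can choose any of those and stay below this rule. The separate `process.args == "-o"` clause additionally drops the attached form `-oremount,hidepid=2` and the `--options` long form, both of which mount accepts. Replacing those two clauses with `process.args : ("*hidepid=2*", "*hidepid=4*", "*hidepid=invisible*", "*hidepid=ptraceable*")` keeps the `/proc` and `process.name == "mount"` constraints while closing the variants. `process.name == "mount"` still misses a busybox `mount` applet or a direct mount(2) call from a script, which is worth a sentence in the note's false-negative context; the `[rule]` table this query belongs to starts before the hunk.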
@@ -20,10 +18,48 @@ malicious payload or elevate privileges or perform network scans or orchestrate Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via PRoot" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Defense Evasion via PRoot + +PRoot is a versatile tool that emulates a chroot-like environment, allowing users to run applications across different Linux distributions seamlessly. Adversaries exploit PRoot to create consistent environments for executing malicious payloads, bypassing traditional defenses. The detection rule identifies suspicious PRoot activity by monitoring process executions initiated by PRoot, flagging potential misuse for defense evasion. + +### Possible investigation steps + +- Review the process tree to identify the parent process of PRoot and any child processes it spawned, focusing on the process.parent.name field to confirm PRoot as the parent. +- Examine the command line arguments used with PRoot to understand the context of its execution and identify any potentially malicious payloads or scripts being executed. +- Check the user account associated with the PRoot process to determine if it aligns with expected usage patterns or if it indicates potential compromise. 
+- Investigate the network activity associated with the PRoot process to identify any unusual connections or data transfers that could suggest malicious intent.
+- Correlate the PRoot activity with other security alerts or logs to identify any related suspicious behavior or indicators of compromise within the same timeframe.
+
+### False positive analysis
+
+- Legitimate use of PRoot for cross-distribution development or testing environments may trigger alerts. Users can create exceptions for known development teams or specific projects that require PRoot for legitimate purposes.
+- System administrators using PRoot for system maintenance or migration tasks might be flagged. To mitigate this, document and whitelist these activities by correlating them with scheduled maintenance windows or specific administrator accounts.
+- Security researchers or penetration testers employing PRoot for controlled testing scenarios could cause false positives. Establish a process to identify and exclude these activities by verifying the involved personnel and their testing scope.
+- Automated scripts or tools that utilize PRoot for non-malicious purposes, such as software compatibility testing, should be reviewed. Implement a tagging system to differentiate these benign activities from potential threats, allowing for easier exclusion in future detections.
+
+### Response and remediation
+
+- Isolate the affected system immediately to prevent further spread of the threat across the network. Disconnect it from the network and any shared resources.
+- Terminate any suspicious processes initiated by PRoot to halt any ongoing malicious activities. Use process management tools to identify and kill these processes.
+- Conduct a thorough examination of the filesystem for any unauthorized changes or suspicious files that may have been introduced by the adversary using PRoot.
+- Restore the system from a known good backup if any malicious modifications are detected, ensuring that the backup is free from compromise.
+- Update and patch the affected system to the latest security standards to close any vulnerabilities that may have been exploited.
+- Implement enhanced monitoring for PRoot activity across the environment to detect any future unauthorized use. This includes setting up alerts for any process executions with PRoot as the parent process.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 references = ["https://proot-me.github.io/"]
 risk_score = 47
 rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0"
@@ -71,39 +107,6 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name == "proot" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Defense Evasion via PRoot - -PRoot is a versatile tool that emulates a chroot-like environment, allowing users to run applications across different Linux distributions seamlessly. Adversaries exploit PRoot to create consistent environments for executing malicious payloads, bypassing traditional defenses. The detection rule identifies suspicious PRoot activity by monitoring process executions initiated by PRoot, flagging potential misuse for defense evasion. - -### Possible investigation steps - -- Review the process tree to identify the parent process of PRoot and any child processes it spawned, focusing on the process.parent.name field to confirm PRoot as the parent. -- Examine the command line arguments used with PRoot to understand the context of its execution and identify any potentially malicious payloads or scripts being executed. -- Check the user account associated with the PRoot process to determine if it aligns with expected usage patterns or if it indicates potential compromise. -- Investigate the network activity associated with the PRoot process to identify any unusual connections or data transfers that could suggest malicious intent. -- Correlate the PRoot activity with other security alerts or logs to identify any related suspicious behavior or indicators of compromise within the same timeframe. 
-
-### False positive analysis
-
-- Legitimate use of PRoot for cross-distribution development or testing environments may trigger alerts. Users can create exceptions for known development teams or specific projects that require PRoot for legitimate purposes.
-- System administrators using PRoot for system maintenance or migration tasks might be flagged. To mitigate this, document and whitelist these activities by correlating them with scheduled maintenance windows or specific administrator accounts.
-- Security researchers or penetration testers employing PRoot for controlled testing scenarios could cause false positives. Establish a process to identify and exclude these activities by verifying the involved personnel and their testing scope.
-- Automated scripts or tools that utilize PRoot for non-malicious purposes, such as software compatibility testing, should be reviewed. Implement a tagging system to differentiate these benign activities from potential threats, allowing for easier exclusion in future detections.
-
-### Response and remediation
-
-- Isolate the affected system immediately to prevent further spread of the threat across the network. Disconnect it from the network and any shared resources.
-- Terminate any suspicious processes initiated by PRoot to halt any ongoing malicious activities. Use process management tools to identify and kill these processes.
-- Conduct a thorough examination of the filesystem for any unauthorized changes or suspicious files that may have been introduced by the adversary using PRoot.
-- Restore the system from a known good backup if any malicious modifications are detected, ensuring that the backup is free from compromise.
-- Update and patch the affected system to the latest security standards to close any vulnerabilities that may have been exploited.
-- Implement enhanced monitoring for PRoot activity across the environment to detect any future unauthorized use.
This includes setting up alerts for any process executions with PRoot as the parent process. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/linux/defense_evasion_root_certificate_installation.toml b/rules/linux/defense_evasion_root_certificate_installation.toml index cb8237b8ef3..4b24678e171 100644 --- a/rules/linux/defense_evasion_root_certificate_installation.toml +++ b/rules/linux/defense_evasion_root_certificate_installation.toml @@ -2,9 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -12,14 +10,52 @@ description = """ This rule detects the installation of root certificates on a Linux system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the -system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. +system or application will trust certificates in the root's chain of trust that have been signed by the root +certificate. """ from = "now-9m" index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Root Certificate Installation" -references = ["https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md"] +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Root Certificate Installation + +Root certificates are pivotal in establishing trust within public key infrastructures, enabling secure communications by verifying the authenticity of entities. Adversaries exploit this by installing rogue root certificates on compromised Linux systems, thus bypassing security warnings and facilitating undetected command and control communications. The detection rule identifies suspicious certificate installations by monitoring specific processes and excluding legitimate parent processes, thereby highlighting potential unauthorized activities. 
+
+### Possible investigation steps
+
+- Review the process details to confirm the execution of "update-ca-trust" or "update-ca-certificates" on the Linux host, focusing on the event type "start" and action "exec" or "exec_event".
+- Examine the parent process name and arguments to ensure they do not match any of the legitimate exclusions such as "ca-certificates.postinst", "pacman", or "/var/tmp/rpm*".
+- Investigate the user account associated with the process to determine if it is a known or expected user for such operations.
+- Check the system logs and recent changes to identify any unauthorized modifications or installations that coincide with the alert.
+- Correlate the alert with other security events or logs to identify any potential command and control communications or other suspicious activities on the host.
+- Assess the network connections from the host around the time of the alert to detect any unusual or unauthorized outbound traffic.
+
+### False positive analysis
+
+- Legitimate system updates or package installations may trigger the rule when processes like "update-ca-trust" or "update-ca-certificates" are executed by trusted package managers such as "pacman" or "pamac-daemon". To mitigate this, ensure these parent processes are included in the exclusion list.
+- Automated scripts or system maintenance tasks that use shell scripts (e.g., "sh", "bash", "zsh") to update certificates might be flagged. If these scripts are verified as safe, consider adding specific script names or paths to the exclusion criteria.
+- Custom applications or services that require certificate updates and are known to be safe can be excluded by adding their parent process names to the exclusion list, ensuring they do not trigger false alerts.
+- Security tools or agents like "kesl" or "execd" that manage certificates as part of their operations may cause false positives.
Verify their activities and include them in the exclusion list if they are part of legitimate security operations. +- Temporary files or scripts located in directories like "/var/tmp/rpm*" used during legitimate installations should be reviewed and excluded if they are part of routine system operations. + +### Response and remediation + +- Immediately isolate the affected Linux system from the network to prevent further unauthorized communications with potential command and control servers. +- Revoke any unauthorized root certificates installed on the system by removing them from the trusted certificate store to restore the integrity of the system's trust chain. +- Conduct a thorough review of system logs and process execution history to identify any additional unauthorized activities or changes made by the adversary. +- Restore the system from a known good backup if unauthorized changes or persistent threats are detected that cannot be easily remediated. +- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited by the adversary. +- Implement enhanced monitoring and alerting for similar suspicious activities, focusing on process executions related to certificate management. +- Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the potential impact on other systems within the network.""" +references = [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", +] risk_score = 47 rule_id = "6ded0996-7d4b-40f2-bf4a-6913e7591795" setup = """## Setup @@ -60,6 +96,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and process.name in ("update-ca-trust", "update-ca-certificates") and not ( 
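Review bot: The "Revoke any unauthorized root certificates" bullet in the Response and remediation section stops at removing the certificate from the trusted store, but on the hosts this rule targets the trust store is a generated bundle: deleting the anchor file alone leaves it in the compiled bundle until `update-ca-certificates` (Debian-family) or `update-ca-trust` (RHEL-family) is re-run, and that re-run will itself match this rule. Suggest appending to that bullet: `After removing the rogue anchor, re-run update-ca-certificates or update-ca-trust to rebuild the consolidated bundle, and expect that run to raise this alert.` The False positive analysis section repeatedly advises adding parent process names to the exclusion list; since `process.parent.name` is only the basename of whatever was executed, a sentence recommending that exclusions be scoped to the full path via `process.parent.executable` (plus arguments where relevant) rather than a bare name would make the guidance safer. The same name-only caveat applies to the PRoot guide earlier in this diff.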
@@ -71,56 +108,23 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not ( (process.parent.name in ("sh", "bash", "zsh") and process.args == "-e") ) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Root Certificate Installation - -Root certificates are pivotal in establishing trust within public key infrastructures, enabling secure communications by verifying the authenticity of entities. Adversaries exploit this by installing rogue root certificates on compromised Linux systems, thus bypassing security warnings and facilitating undetected command and control communications. The detection rule identifies suspicious certificate installations by monitoring specific processes and excluding legitimate parent processes, thereby highlighting potential unauthorized activities. - -### Possible investigation steps - -- Review the process details to confirm the execution of "update-ca-trust" or "update-ca-certificates" on the Linux host, focusing on the event type "start" and action "exec" or "exec_event". -- Examine the parent process name and arguments to ensure they do not match any of the legitimate exclusions such as "ca-certificates.postinst", "pacman", or "/var/tmp/rpm*". -- Investigate the user account associated with the process to determine if it is a known or expected user for such operations. -- Check the system logs and recent changes to identify any unauthorized modifications or installations that coincide with the alert. -- Correlate the alert with other security events or logs to identify any potential command and control communications or other suspicious activities on the host. 
-- Assess the network connections from the host around the time of the alert to detect any unusual or unauthorized outbound traffic.
-
-### False positive analysis
-
-- Legitimate system updates or package installations may trigger the rule when processes like "update-ca-trust" or "update-ca-certificates" are executed by trusted package managers such as "pacman" or "pamac-daemon". To mitigate this, ensure these parent processes are included in the exclusion list.
-- Automated scripts or system maintenance tasks that use shell scripts (e.g., "sh", "bash", "zsh") to update certificates might be flagged. If these scripts are verified as safe, consider adding specific script names or paths to the exclusion criteria.
-- Custom applications or services that require certificate updates and are known to be safe can be excluded by adding their parent process names to the exclusion list, ensuring they do not trigger false alerts.
-- Security tools or agents like "kesl" or "execd" that manage certificates as part of their operations may cause false positives. Verify their activities and include them in the exclusion list if they are part of legitimate security operations.
-- Temporary files or scripts located in directories like "/var/tmp/rpm*" used during legitimate installations should be reviewed and excluded if they are part of routine system operations.
-
-### Response and remediation
-
-- Immediately isolate the affected Linux system from the network to prevent further unauthorized communications with potential command and control servers.
-- Revoke any unauthorized root certificates installed on the system by removing them from the trusted certificate store to restore the integrity of the system's trust chain.
-- Conduct a thorough review of system logs and process execution history to identify any additional unauthorized activities or changes made by the adversary.
-- Restore the system from a known good backup if unauthorized changes or persistent threats are detected that cannot be easily remediated. -- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited by the adversary. -- Implement enhanced monitoring and alerting for similar suspicious activities, focusing on process executions related to certificate management. -- Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the potential impact on other systems within the network.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" - [[rule.threat.technique.subtechnique]] id = "T1553.004" name = "Install Root Certificate" reference = "https://attack.mitre.org/techniques/T1553/004/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_ssl_certificate_deletion.toml b/rules/linux/defense_evasion_ssl_certificate_deletion.toml index da071c01019..22da9958272 100644 --- a/rules/linux/defense_evasion_ssl_certificate_deletion.toml +++ b/rules/linux/defense_evasion_ssl_certificate_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,40 @@ index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endg
 language = "eql"
 license = "Elastic License v2"
 name = "SSL Certificate Deletion"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating SSL Certificate Deletion
+SSL certificates are crucial for establishing secure communications in Linux environments. Adversaries may delete these certificates to undermine trust and disrupt system operations, often as part of defense evasion tactics. The detection rule identifies suspicious deletions by monitoring specific directories for certificate files, excluding benign processes, thus highlighting potential malicious activity.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the file path and extension of the deleted SSL certificate, ensuring it matches the pattern "/etc/ssl/certs/*" with extensions "pem" or "crt".
+- Identify the process responsible for the deletion by examining the process name and compare it against the exclusion list (e.g., "dockerd", "pacman") to determine if the process is potentially malicious.
+- Investigate the user account associated with the process that performed the deletion to assess if the account has a history of suspicious activity or unauthorized access.
+- Check system logs and audit trails around the time of the deletion event to identify any related activities or anomalies that could indicate a broader attack or compromise.
+- Assess the impact of the certificate deletion on system operations and security, including any disruptions to secure communications or trust relationships.
+- If the deletion is deemed suspicious, consider restoring the deleted certificate from backups and implementing additional monitoring to detect further unauthorized deletions.
+
+### False positive analysis
+
+- Routine system updates or package installations may trigger certificate deletions. Exclude processes like package managers or update services that are known to perform these actions.
+- Automated certificate renewal services might delete old certificates as part of their renewal process. Identify and exclude these services to prevent false alerts.
+- Custom scripts or maintenance tasks that manage SSL certificates could be flagged. Review and whitelist these scripts if they are verified as non-malicious.
+- Backup or cleanup operations that involve certificate files might cause false positives. Ensure these operations are recognized and excluded from monitoring.
+- Development or testing environments where certificates are frequently added and removed can generate alerts. Consider excluding these environments if they are isolated and secure.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or damage.
+- Verify the deletion of SSL certificates by checking the specified directories and confirm the absence of expected certificate files.
+- Restore deleted SSL certificates from a secure backup to re-establish secure communications and trust controls.
+- Conduct a thorough review of system logs and process activity to identify the source of the deletion and any associated malicious activity.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
+- Implement additional monitoring on the affected system and similar environments to detect any further unauthorized deletions or related suspicious activities.
+- Review and update access controls and permissions to ensure only authorized processes and users can modify or delete SSL certificates."""
 risk_score = 21
 rule_id = "7957f3b9-f590-4062-b9f9-003c32bfc7d6"
 setup = """## Setup
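Review bot: The response step `Restore deleted SSL certificates from a secure backup` treats /etc/ssl/certs as hand-maintained content, but on Debian-family hosts that directory is regenerated by `update-ca-certificates` from the package-managed sources, so the bullet should direct the analyst to rebuild the store from those sources first and fall back to a backup only for locally added certificates. That rebuild (notably `update-ca-certificates --fresh`, which removes and recreates the entries) would presumably match this rule, and the False positive analysis section should say so explicitly instead of the generic "package managers", given that the query's exclusion list in the next hunk names only `dockerd` and `pacman`. Suggested extra bullet: `Regeneration of the trust store by update-ca-certificates (for example after a ca-certificates package upgrade) removes and recreates entries under /etc/ssl/certs and will match this rule; treat it as expected when it coincides with a package update.`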
@@ -58,77 +90,45 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating SSL Certificate Deletion -SSL certificates are crucial for establishing secure communications in Linux environments. Adversaries may delete these certificates to undermine trust and disrupt system operations, often as part of defense evasion tactics. The detection rule identifies suspicious deletions by monitoring specific directories for certificate files, excluding benign processes, thus highlighting potential malicious activity. - -### Possible investigation steps - -- Review the alert details to confirm the file path and extension of the deleted SSL certificate, ensuring it matches the pattern "/etc/ssl/certs/*" with extensions "pem" or "crt". -- Identify the process responsible for the deletion by examining the process name and compare it against the exclusion list (e.g., "dockerd", "pacman") to determine if the process is potentially malicious. -- Investigate the user account associated with the process that performed the deletion to assess if the account has a history of suspicious activity or unauthorized access. -- Check system logs and audit trails around the time of the deletion event to identify any related activities or anomalies that could indicate a broader attack or compromise. 
-- Assess the impact of the certificate deletion on system operations and security, including any disruptions to secure communications or trust relationships.
-- If the deletion is deemed suspicious, consider restoring the deleted certificate from backups and implementing additional monitoring to detect further unauthorized deletions.
-
-### False positive analysis
-
-- Routine system updates or package installations may trigger certificate deletions. Exclude processes like package managers or update services that are known to perform these actions.
-- Automated certificate renewal services might delete old certificates as part of their renewal process. Identify and exclude these services to prevent false alerts.
-- Custom scripts or maintenance tasks that manage SSL certificates could be flagged. Review and whitelist these scripts if they are verified as non-malicious.
-- Backup or cleanup operations that involve certificate files might cause false positives. Ensure these operations are recognized and excluded from monitoring.
-- Development or testing environments where certificates are frequently added and removed can generate alerts. Consider excluding these environments if they are isolated and secure.
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or damage.
-- Verify the deletion of SSL certificates by checking the specified directories and confirm the absence of expected certificate files.
-- Restore deleted SSL certificates from a secure backup to re-establish secure communications and trust controls.
-- Conduct a thorough review of system logs and process activity to identify the source of the deletion and any associated malicious activity.
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
-- Implement additional monitoring on the affected system and similar environments to detect any further unauthorized deletions or related suspicious activities. -- Review and update access controls and permissions to ensure only authorized processes and users can modify or delete SSL certificates.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index 244d0e21321..906fb674111 100644 --- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,34 +12,15 @@ directly, the commands will be executed in the background via its parent process to execute commands while attempting to evade detection. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potentially Suspicious Process Started via tmux or screen" -risk_score = 21 -rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2") and - process.parent.name in ("screen", "tmux") and process.name like ( - "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "php*", "perl", "ruby", "lua*", - "openssl", "telnet", "wget", "curl", "id" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -76,16 +55,43 @@ Tmux and screen are terminal multiplexers that allow users to manage multiple te - Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised. - Implement network monitoring to detect any unusual outbound connections or data exfiltration attempts from the affected host. - Update and enhance detection rules to include additional suspicious command patterns or behaviors observed during the investigation.""" +risk_score = 21 +rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2") and + process.parent.name in ("screen", "tmux") and process.name like ( + "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "php*", "perl", "ruby", "lua*", + "openssl", "telnet", "wget", "curl", "id" + ) +''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml index 495f1231df6..062c9838029 100644 --- a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml +++ b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/03/11" +updated_date = "2025/04/07" [rule] author = ["Elastic"] 
@@ -18,6 +18,41 @@ index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endg
 language = "kuery"
 license = "Elastic License v2"
 name = "File Creation in /var/log via Suspicious Process"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating File Creation in /var/log via Suspicious Process
+
+In Linux environments, the `/var/log` directory is crucial for storing system logs, which are essential for monitoring and troubleshooting. Adversaries may exploit this by creating files in this directory using executables from insecure locations, aiming to conceal their activities. The detection rule identifies such suspicious file creations by monitoring processes from world-writable or hidden paths, flagging potential evasion tactics.
+
+### Possible investigation steps
+
+- Review the process executable path to determine if it originates from a world-writable or hidden location such as /tmp, /var/tmp, /dev/shm, or similar directories. This can indicate potential malicious activity.
+- Examine the process name and its parent process to understand the context of the file creation and identify if it is associated with known legitimate or suspicious activities.
+- Check the file path in /var/log to see if the created file has any unusual naming conventions or lacks a file extension, which might suggest an attempt to hide or disguise the file.
+- Investigate the user account under which the process was executed to determine if it has the necessary permissions and if the activity aligns with the user's typical behavior.
+- Correlate the event with other logs or alerts from the same host to identify any related suspicious activities or patterns that could indicate a broader compromise.
+- Assess the risk and impact of the file creation by considering the severity and risk score provided, and prioritize further actions based on this assessment.
+
+### False positive analysis
+
+- System maintenance scripts or legitimate applications may create temporary log files in /var/log using executables from directories like /tmp or /var/tmp. To handle this, identify and whitelist these known processes by their executable paths.
+- Automated backup or monitoring tools might generate files in /var/log as part of their routine operations. Review these tools and exclude their processes from the rule to prevent unnecessary alerts.
+- Development or testing environments often involve scripts that create log files in /var/log for debugging purposes. Consider excluding these environments from the rule or creating specific exceptions for known development processes.
+- Some system updates or package installations might temporarily use world-writable directories for executable scripts that interact with /var/log. Monitor these activities and create exceptions for trusted update processes to reduce false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
+- Terminate any suspicious processes identified as originating from world-writable or hidden paths, especially those involved in file creation within /var/log.
+- Conduct a thorough review of the files created in /var/log to determine if they contain malicious content or scripts, and remove any unauthorized files.
+- Restore any affected system files or logs from a known good backup to ensure system integrity and continuity of logging.
+- Implement stricter permissions on directories like /tmp, /var/tmp, and /dev/shm to prevent unauthorized execution of processes from these locations.
+- Escalate the incident to the security operations team for further analysis and to determine if additional systems are compromised.
+- Update and enhance monitoring rules to detect similar suspicious activities in the future, focusing on process execution from insecure locations and unauthorized file creation in critical directories.
+"""
 risk_score = 21
 rule_id = "ddf26e25-3e30-42b2-92db-bde8eb82ad67"
 setup = """## Setup
@@ -56,6 +91,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: SentinelOne",
 "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/linux/discovery_docker_socket_discovery.toml b/rules/linux/discovery_docker_socket_discovery.toml
index afd35769dd8..1cd511a6daf 100644
--- a/rules/linux/discovery_docker_socket_discovery.toml
+++ b/rules/linux/discovery_docker_socket_discovery.toml
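Review bot: `+note = """ ## Triage and analysis` at the top of this hunk has a stray space between the opening `"""` and the heading marker, and the closing `+"""` sits on its own line, so this guide's text starts with a space and ends with a newline unlike every other guide in this change (they open with `"""## Triage and analysis` and close the string on the last bullet); suggest `note = """## Triage and analysis` and moving `"""` onto the final bullet line. The remediation bullet `Implement stricter permissions on directories like /tmp, /var/tmp, and /dev/shm` is not actionable as written, because those directories are world-writable by design; the control that actually prevents execution from them is mounting them `noexec` (and `nosuid`), which is worth stating. Separately, the `@@ -4,7 +4,7 @@` hunk of this same file leaves `min_stack_version = "8.13.0"` and its `min_stack_comments` line in place while the other rule files in this diff remove that pair; if that removal is deliberate across the set, this file appears to have been missed.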
@@ -2,24 +2,65 @@ creation_date = "2025/03/04" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/03/04" +updated_date = "2025/04/07" [rule] author = ["Elastic"] description = """ -This rule detects potential Docker socket enumeration activity by monitoring processes that attempt to interact with -the Docker socket file (/var/run/docker.sock). Docker socket enumeration is a common technique used by attackers to -interact with the Docker daemon and perform various operations, such as creating, starting, stopping, and removing -containers. Attackers may abuse Docker socket enumeration to gain unauthorized access to the host system, escalate -privileges, or move laterally within the environment. +This rule detects potential Docker socket enumeration activity by monitoring processes that attempt to interact with the +Docker socket file (/var/run/docker.sock). Docker socket enumeration is a common technique used by attackers to interact +with the Docker daemon and perform various operations, such as creating, starting, stopping, and removing containers. +Attackers may abuse Docker socket enumeration to gain unauthorized access to the host system, escalate privileges, or +move laterally within the environment. 
""" from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Docker Socket Enumeration" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Docker Socket Enumeration + +Docker sockets facilitate communication between the Docker client and daemon, enabling container management. Adversaries exploit this by accessing the socket to control containers, potentially escalating privileges or moving laterally. The detection rule identifies suspicious processes interacting with the Docker socket, using specific commands, to flag unauthorized enumeration attempts. + +### Possible investigation steps + +- Review the process details to confirm the presence of suspicious commands interacting with the Docker socket, specifically looking for the use of tools like curl, socat, nc, netcat, ncat, or nc.traditional. +- Examine the command line arguments of the flagged process to understand the intent and scope of the interaction with the Docker socket, focusing on paths like /var/run/docker.sock or /run/docker.sock. +- Identify the user account under which the suspicious process was executed to assess if it has legitimate access to Docker resources or if it might be compromised. +- Check the historical activity of the involved user and process to determine if this behavior is anomalous or part of a known pattern. 
+- Investigate any recent changes or deployments in the Docker environment that might explain the interaction with the Docker socket, such as new container setups or updates. +- Correlate the alert with other security events or logs from the same host or network segment to identify potential lateral movement or privilege escalation attempts. + +### False positive analysis + +- Legitimate administrative tasks using tools like curl or socat to interact with Docker for monitoring or management purposes can trigger alerts. To handle this, create exceptions for specific user accounts or scripts that are known to perform these tasks regularly. +- Automated scripts or services that check the status of Docker containers might be flagged. Identify these scripts and whitelist their process names or command lines to prevent unnecessary alerts. +- Development environments where developers frequently use command-line tools to interact with Docker may cause false positives. Consider excluding specific development machines or user groups from the rule to reduce noise. +- Continuous integration or deployment pipelines that use Docker commands as part of their workflow can be mistaken for enumeration attempts. Exclude these processes by identifying their unique command patterns or execution contexts. +- Security tools that perform regular audits or checks on Docker environments might trigger the rule. Verify these tools and add them to an exception list to avoid false alerts. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement. +- Terminate any suspicious processes identified in the alert that are interacting with the Docker socket, such as those using curl, socat, or netcat. +- Conduct a thorough review of Docker containers on the affected host to identify any unauthorized or malicious containers. Stop and remove any that are not recognized or are deemed suspicious. 
+- Check for any unauthorized changes to Docker configurations or images and revert them to a known good state. +- Review and restrict permissions on the Docker socket file (/var/run/docker.sock) to limit access to only trusted users and processes. +- Escalate the incident to the security operations team for further investigation and to determine if additional hosts or systems are affected. +- Implement enhanced monitoring and logging for Docker socket interactions to detect and respond to similar threats more quickly in the future. +""" risk_score = 21 rule_id = "dd983e79-22e8-44d1-9173-d57dba514cac" setup = """## Setup @@ -58,10 +99,12 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", - "Data Source: SentinelOne" + "Data Source: SentinelOne", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and @@ -69,15 +112,17 @@ process.name in ("curl", "socat", "nc", "netcat", "ncat", "nc.traditional") and process.command_line like ("*/var/run/docker.sock*", "*/run/docker.sock*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" reference = "https://attack.mitre.org/techniques/T1613/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index 5630ad2483e..dc05592fcc1 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml 
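Review bot: The false-positive guidance in the new `note` recommends exceptions keyed on user accounts and on whole development machines, but talking to /var/run/docker.sock already requires root or docker-group membership, which is exactly the principal an attacker holds after compromising such a host, so a per-user or per-host exception blinds the rule where it matters most. I would scope exceptions to the invoking parent executable or the exact command line instead, e.g. `- Prefer exceptions keyed on process.parent.executable or the full command line over user-account or host-wide exclusions; docker-socket access already implies root or docker-group privileges, so those principals cannot be treated as trusted.` The query (context in the following hunk) only matches curl, socat and the nc variants, so the guide could also state plainly that access via the docker CLI or any other HTTP client is out of scope for this rule and must be covered elsewhere.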
@@ -2,9 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -15,10 +13,50 @@ for examining and debugging binary files or data streams. Attackers can leverage identifying injection points and craft exploits based on the observed behaviors and structures within these files. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Dynamic Linker Discovery via od" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Dynamic Linker Discovery via od + +The dynamic linker in Linux environments is crucial for loading shared libraries needed by programs. Attackers may exploit the `od` utility to inspect these linkers, seeking vulnerabilities for code injection. The detection rule identifies suspicious use of `od` targeting specific linker files, flagging potential reconnaissance activities that could precede an exploit attempt. + +### Possible investigation steps + +- Review the process execution details to confirm the use of the 'od' utility, focusing on the process name and arguments to ensure they match the suspicious patterns identified in the query. +- Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears anomalous. 
+- Check the system's process execution history for any other unusual or related activities around the same time, such as attempts to access or modify linker files. +- Analyze any network connections or data transfers initiated by the host around the time of the alert to identify potential data exfiltration or communication with known malicious IPs. +- Correlate this event with other security alerts or logs from the same host to identify patterns or sequences of actions that could indicate a broader attack campaign. + +### False positive analysis + +- System administrators or developers may use the od utility to inspect dynamic linker files for legitimate debugging or system maintenance purposes. To handle this, create exceptions for known user accounts or processes that regularly perform these activities. +- Automated scripts or monitoring tools might invoke od on dynamic linker files as part of routine system checks. Identify these scripts and whitelist their execution paths to prevent unnecessary alerts. +- Security researchers or penetration testers could use od during authorized security assessments. Establish a process to temporarily disable the rule or add exceptions for the duration of the assessment to avoid false positives. +- Some software installations or updates might involve the use of od to verify linker integrity. Monitor installation logs and correlate with od usage to determine if the activity is benign, and consider adding exceptions for these specific scenarios. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement or further exploitation. +- Terminate any suspicious processes associated with the `od` utility that are targeting dynamic linker files to halt any ongoing reconnaissance or exploitation attempts. +- Conduct a thorough review of system logs and process execution history to identify any unauthorized access or modifications to the dynamic linker files. 
+- Restore any altered or compromised dynamic linker files from a known good backup to ensure system integrity. +- Implement stricter access controls and monitoring on critical system files, including dynamic linkers, to prevent unauthorized access and modifications. +- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected or if there is a broader threat campaign. +- Update detection and monitoring systems to enhance visibility and alerting for similar suspicious activities involving the `od` utility and critical system files.""" references = ["https://github.com/arget13/DDexec"] risk_score = 21 rule_id = "0369e8a6-0fa7-4e7a-961a-53180a4c966e" 
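Review bot: The response section of the relocated `note` tells the analyst to restore the dynamic linker files from backup and to isolate the host immediately, yet the rule (query context at the start of the next hunk) only fires on `od` reading ld-linux-*.so.2 — a read, not a write — and carries risk_score 21, so those steps assert more than the alert evidences. I would qualify the restore bullet, e.g. `- Verify the integrity of the dynamic linker files (package-manager verification or a known-good hash) before assuming they were modified; restore from backup only if they differ.`, and make isolation conditional on corroborating activity rather than the first reflex. The only pointer to why reading the linker matters is the DDexec link in `references`; a one-sentence explanation in the guide of what that technique does with the linker offsets would help triage, but I cannot confirm the details from this diff.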
@@ -71,39 +109,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Dynamic Linker Discovery via od - -The dynamic linker in Linux environments is crucial for loading shared libraries needed by programs. Attackers may exploit the `od` utility to inspect these linkers, seeking vulnerabilities for code injection. The detection rule identifies suspicious use of `od` targeting specific linker files, flagging potential reconnaissance activities that could precede an exploit attempt. - -### Possible investigation steps - -- Review the process execution details to confirm the use of the 'od' utility, focusing on the process name and arguments to ensure they match the suspicious patterns identified in the query. -- Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears anomalous. -- Check the system's process execution history for any other unusual or related activities around the same time, such as attempts to access or modify linker files. -- Analyze any network connections or data transfers initiated by the host around the time of the alert to identify potential data exfiltration or communication with known malicious IPs. -- Correlate this event with other security alerts or logs from the same host to identify patterns or sequences of actions that could indicate a broader attack campaign. 
- -### False positive analysis - -- System administrators or developers may use the od utility to inspect dynamic linker files for legitimate debugging or system maintenance purposes. To handle this, create exceptions for known user accounts or processes that regularly perform these activities. -- Automated scripts or monitoring tools might invoke od on dynamic linker files as part of routine system checks. Identify these scripts and whitelist their execution paths to prevent unnecessary alerts. -- Security researchers or penetration testers could use od during authorized security assessments. Establish a process to temporarily disable the rule or add exceptions for the duration of the assessment to avoid false positives. -- Some software installations or updates might involve the use of od to verify linker integrity. Monitor installation logs and correlate with od usage to determine if the activity is benign, and consider adding exceptions for these specific scenarios. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement or further exploitation. -- Terminate any suspicious processes associated with the `od` utility that are targeting dynamic linker files to halt any ongoing reconnaissance or exploitation attempts. -- Conduct a thorough review of system logs and process execution history to identify any unauthorized access or modifications to the dynamic linker files. -- Restore any altered or compromised dynamic linker files from a known good backup to ensure system integrity. -- Implement stricter access controls and monitoring on critical system files, including dynamic linkers, to prevent unauthorized access and modifications. -- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected or if there is a broader threat campaign. 
-- Update detection and monitoring systems to enhance visibility and alerting for similar suspicious activities involving the `od` utility and critical system files.""" [[rule.threat]] diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index eae69d1e367..aebf5e78d38 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,10 +13,50 @@ software, and their presence in the find command arguments may indicate that a t analyze, or manipulate VM-related files and configurations on the system. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Find" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating ESXI Discovery via Find + +VMware ESXi is a hypervisor used to deploy and manage virtual machines. Adversaries may exploit the 'find' command on Linux systems to locate VM-related files, potentially to gather information or manipulate configurations. The detection rule identifies suspicious 'find' command executions targeting VMware paths, excluding legitimate processes, to flag potential reconnaissance activities. + +### Possible investigation steps + +- Review the process execution details to confirm the 'find' command was executed with arguments targeting VMware paths such as "/etc/vmware/*", "/usr/lib/vmware/*", or "/vmfs/*". +- Check the parent process of the 'find' command to ensure it is not "/usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh", which is excluded from the rule as a legitimate process. +- Investigate the user account associated with the 'find' command execution to determine if it is a known and authorized user for VMware management tasks. 
+- Examine recent login and access logs for the user account to identify any unusual or unauthorized access patterns. +- Correlate this event with other security alerts or logs to identify if there are additional signs of reconnaissance or unauthorized activity on the system. +- Assess the system's current state and configuration to ensure no unauthorized changes have been made to VMware-related files or settings. + +### False positive analysis + +- Legitimate administrative tasks may trigger the rule if system administrators use the 'find' command to audit or manage VMware-related files. To handle this, create exceptions for known administrative scripts or user accounts that regularly perform these tasks. +- Automated backup or monitoring scripts that scan VMware directories can also cause false positives. Identify these scripts and exclude their parent processes from the detection rule. +- Software updates or maintenance activities involving VMware components might execute the 'find' command in a non-threatening manner. Consider scheduling these activities during known maintenance windows and temporarily adjusting the rule to prevent unnecessary alerts. +- If the 'find' command is part of a legitimate software installation or uninstallation process, such as the VMware View Agent uninstallation, ensure these processes are whitelisted by adding their parent executable paths to the exception list. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious 'find' processes identified in the alert to halt potential reconnaissance activities. +- Conduct a thorough review of the system's recent command history and logs to identify any unauthorized access or changes made to VM-related files. +- Restore any altered or deleted VM-related files from a known good backup to ensure system integrity. 
+- Update and patch the VMware ESXi and related software to the latest versions to mitigate any known vulnerabilities. +- Implement stricter access controls and monitoring on VMware-related directories to prevent unauthorized access in the future. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = [ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", ] 
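Review bot: The investigation step in the new `note` tells the analyst that a parent of `/usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh` is "excluded from the rule as a legitimate process", but the exclusion (query context in the next hunk) is a plain path comparison on process.parent.executable, so any script an attacker places or replaces at that path is silently exempt. I would reword it so the path is not treated as proof of legitimacy, e.g. `- The rule exempts find processes whose parent executable path is /usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh; that exemption is path-based only, so if abuse of the exclusion is suspected, verify the script's hash against the installed package.` The response bullet that isolates the host immediately should also note that, if the host is a hypervisor, isolation takes every guest VM offline and therefore needs change control rather than being the first action.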
@@ -63,56 +101,25 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "executed", "process_started") and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") and not process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating ESXI Discovery via Find - -VMware ESXi is a hypervisor used to deploy and manage virtual machines. Adversaries may exploit the 'find' command on Linux systems to locate VM-related files, potentially to gather information or manipulate configurations. The detection rule identifies suspicious 'find' command executions targeting VMware paths, excluding legitimate processes, to flag potential reconnaissance activities. - -### Possible investigation steps - -- Review the process execution details to confirm the 'find' command was executed with arguments targeting VMware paths such as "/etc/vmware/*", "/usr/lib/vmware/*", or "/vmfs/*". -- Check the parent process of the 'find' command to ensure it is not "/usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh", which is excluded from the rule as a legitimate process. -- Investigate the user account associated with the 'find' command execution to determine if it is a known and authorized user for VMware management tasks. -- Examine recent login and access logs for the user account to identify any unusual or unauthorized access patterns. 
-- Correlate this event with other security alerts or logs to identify if there are additional signs of reconnaissance or unauthorized activity on the system. -- Assess the system's current state and configuration to ensure no unauthorized changes have been made to VMware-related files or settings. - -### False positive analysis -- Legitimate administrative tasks may trigger the rule if system administrators use the 'find' command to audit or manage VMware-related files. To handle this, create exceptions for known administrative scripts or user accounts that regularly perform these tasks. -- Automated backup or monitoring scripts that scan VMware directories can also cause false positives. Identify these scripts and exclude their parent processes from the detection rule. -- Software updates or maintenance activities involving VMware components might execute the 'find' command in a non-threatening manner. Consider scheduling these activities during known maintenance windows and temporarily adjusting the rule to prevent unnecessary alerts. -- If the 'find' command is part of a legitimate software installation or uninstallation process, such as the VMware View Agent uninstallation, ensure these processes are whitelisted by adding their parent executable paths to the exception list. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious 'find' processes identified in the alert to halt potential reconnaissance activities. -- Conduct a thorough review of the system's recent command history and logs to identify any unauthorized access or changes made to VM-related files. -- Restore any altered or deleted VM-related files from a known good backup to ensure system integrity. -- Update and patch the VMware ESXi and related software to the latest versions to mitigate any known vulnerabilities. 
-- Implement stricter access controls and monitoring on VMware-related directories to prevent unauthorized access in the future. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 063a4e64759..d15c6a2b9f5 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,10 +13,49 @@ related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "v may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Grep" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating ESXI Discovery via Grep + +In Linux environments, tools like 'grep' are used to search through files for specific patterns. Adversaries may exploit these tools to locate and analyze virtual machine files, which are crucial for ESXi environments. The detection rule identifies suspicious use of 'grep' variants targeting VM file extensions, signaling potential reconnaissance or manipulation attempts by threat actors. This rule helps in early detection of such malicious activities by monitoring process execution patterns. + +### Possible investigation steps + +- Review the process execution details to confirm the presence of 'grep', 'egrep', or 'pgrep' with arguments related to VM file extensions such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". +- Check the parent process of the suspicious 'grep' command to determine if it is a legitimate process or potentially malicious, ensuring it is not "/usr/share/qemu/init/qemu-kvm-init". 
+- Investigate the user account associated with the process execution to assess if the activity aligns with their typical behavior or if it appears anomalous. +- Examine recent system logs and other security alerts for additional indicators of compromise or related suspicious activities on the host. +- Assess the network activity from the host to identify any unusual connections or data exfiltration attempts that may correlate with the discovery activity. + +### False positive analysis + +- System administrators or automated scripts may use grep to search for VM-related files as part of routine maintenance or monitoring tasks. To handle this, create exceptions for known administrative scripts or processes by excluding specific parent processes or user accounts. +- Backup or snapshot management tools might invoke grep to verify the presence of VM files. Identify these tools and exclude their process names or paths from the detection rule to prevent false alerts. +- Developers or IT staff conducting legitimate audits or inventory checks on VM files may trigger this rule. Consider excluding specific user accounts or groups that are authorized to perform such activities. +- Security tools or monitoring solutions that perform regular checks on VM files could also cause false positives. Whitelist these tools by excluding their executable paths or process names from the rule. + +### Response and remediation + +- Isolate the affected Linux system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious processes identified by the detection rule, specifically those involving 'grep', 'egrep', or 'pgrep' with VM-related file extensions. +- Conduct a thorough review of the system's recent process execution history and file access logs to identify any unauthorized access or changes to VM files. +- Restore any compromised or altered VM files from a known good backup to ensure system integrity and continuity. 
+- Implement stricter access controls and permissions on VM-related files to limit exposure to unauthorized users or processes. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Update and enhance monitoring rules to detect similar patterns of suspicious activity, ensuring early detection of future threats.""" references = [ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", ] @@ -63,6 +100,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "executed", "process_started") and 
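Review bot: The first investigation step in the new `note` says to confirm grep arguments "related to" the VM extensions, but the query (context in the following hunk) uses `process.args in ("vmdk", ...)`, an exact match on a bare token, so invocations such as `grep '\.vmdk$'` or `grep -r vmdk=` never produce this alert. The guide should say so, otherwise analysts will assume coverage that does not exist, e.g. `- This rule only fires when one of the listed extensions is passed as a standalone argument (exact match); grep patterns that embed the extension in a larger expression are not detected.` Likewise the "Terminate any suspicious processes" bullet is moot for a short-lived grep; the actionable step is identifying and stopping the parent process or interactive session that issued it. The parent-path exclusion for `/usr/share/qemu/init/qemu-kvm-init` is path-based only, so the guide should not present a matching parent path as proof of legitimacy.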
@@ -70,49 +108,18 @@ process where host.os.type == "linux" and event.type == "start" and process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem") and not process.parent.executable == "/usr/share/qemu/init/qemu-kvm-init" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating ESXI Discovery via Grep - -In Linux environments, tools like 'grep' are used to search through files for specific patterns. Adversaries may exploit these tools to locate and analyze virtual machine files, which are crucial for ESXi environments. The detection rule identifies suspicious use of 'grep' variants targeting VM file extensions, signaling potential reconnaissance or manipulation attempts by threat actors. This rule helps in early detection of such malicious activities by monitoring process execution patterns. - -### Possible investigation steps -- Review the process execution details to confirm the presence of 'grep', 'egrep', or 'pgrep' with arguments related to VM file extensions such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". -- Check the parent process of the suspicious 'grep' command to determine if it is a legitimate process or potentially malicious, ensuring it is not "/usr/share/qemu/init/qemu-kvm-init". -- Investigate the user account associated with the process execution to assess if the activity aligns with their typical behavior or if it appears anomalous. -- Examine recent system logs and other security alerts for additional indicators of compromise or related suspicious activities on the host. 
-- Assess the network activity from the host to identify any unusual connections or data exfiltration attempts that may correlate with the discovery activity. - -### False positive analysis - -- System administrators or automated scripts may use grep to search for VM-related files as part of routine maintenance or monitoring tasks. To handle this, create exceptions for known administrative scripts or processes by excluding specific parent processes or user accounts. -- Backup or snapshot management tools might invoke grep to verify the presence of VM files. Identify these tools and exclude their process names or paths from the detection rule to prevent false alerts. -- Developers or IT staff conducting legitimate audits or inventory checks on VM files may trigger this rule. Consider excluding specific user accounts or groups that are authorized to perform such activities. -- Security tools or monitoring solutions that perform regular checks on VM files could also cause false positives. Whitelist these tools by excluding their executable paths or process names from the rule. - -### Response and remediation - -- Isolate the affected Linux system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious processes identified by the detection rule, specifically those involving 'grep', 'egrep', or 'pgrep' with VM-related file extensions. -- Conduct a thorough review of the system's recent process execution history and file access logs to identify any unauthorized access or changes to VM files. -- Restore any compromised or altered VM files from a known good backup to ensure system integrity and continuity. -- Implement stricter access controls and permissions on VM-related files to limit exposure to unauthorized users or processes. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. 
-- Update and enhance monitoring rules to detect similar patterns of suspicious activity, ensuring early detection of future threats.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index df98c5ebf3d..13cafc9195f 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
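Review bot: Dropping `min_stack_version = "8.13.0"` and its `min_stack_comments` removes the only gate that kept this rule off stacks predating the SentinelOne integration change, while the rule still lists `sentinel_one_cloud_funnel` in `integration` and `logs-sentinel_one_cloud_funnel.*` in `index`. That is presumably safe only because 8.13 is now below every maintained branch, which is worth confirming before merge since nothing in the hunk records the reason. The same removal appears in the nping, PAM and Polkit rule hunks later in this diff (the Polkit hunk runs past this chunk). A one-line comment above `[rule]` such as `# min_stack_version gate (8.13.0, SentinelOne) dropped: 8.13 is no longer a supported branch` would preserve the history the removed comment carried.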
@@ -19,10 +17,52 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Hping Process Activity" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Hping Process Activity + +Hping is a versatile command-line tool used for crafting and analyzing network packets, often employed in network security testing. Adversaries may exploit Hping to perform reconnaissance, such as scanning networks or probing firewalls, to gather system information. The detection rule identifies Hping's execution on Linux systems by monitoring specific process start events, helping to flag potential misuse indicative of discovery tactics. + +### Possible investigation steps + +- Review the process start event details to confirm the execution of Hping, focusing on the process.name field to ensure it matches "hping", "hping2", or "hping3". +- Identify the user account associated with the Hping process by examining the user context in the event data to determine if the activity aligns with expected behavior for that user. +- Analyze the command line arguments used with the Hping process to understand the intent of the execution, such as specific network targets or options that indicate scanning or probing activities. 
+- Check the timing and frequency of the Hping process execution to assess whether it aligns with routine network testing schedules or if it appears anomalous. +- Investigate the source and destination IP addresses involved in the Hping activity to identify potential targets and assess whether they are internal or external to the organization. +- Correlate the Hping activity with other security events or alerts from the same host or network segment to identify any related suspicious activities or patterns. +- Consult with the system owner or network security team to verify if the Hping activity was authorized as part of legitimate security testing or if it requires further investigation. + +### False positive analysis + +- Routine network testing by IT teams may trigger the rule when using Hping for legitimate purposes. To manage this, create exceptions for known IP addresses or user accounts involved in regular network audits. +- Automated scripts or cron jobs that utilize Hping for monitoring network performance can lead to false positives. Identify these scripts and exclude their execution paths or associated user accounts from the detection rule. +- Security training exercises or penetration testing activities might involve Hping usage. Coordinate with security teams to whitelist these activities by specifying time windows or specific user roles. +- Development or testing environments where Hping is used for application testing can cause alerts. Exclude these environments by filtering based on hostnames or network segments associated with non-production systems. + +### Response and remediation + +- Immediately isolate the affected Linux host from the network to prevent further reconnaissance or potential lateral movement by the adversary. +- Terminate any active Hping processes on the affected host to stop ongoing packet crafting or network probing activities. 
+- Conduct a thorough review of network logs and firewall configurations to identify any unauthorized access or anomalies that may have been exploited using Hping. +- Perform a comprehensive scan of the affected system for additional indicators of compromise, such as unauthorized user accounts or unexpected changes to system files. +- Reset credentials and review access permissions for accounts on the affected host to ensure no unauthorized access persists. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Update detection and monitoring systems to enhance visibility and alerting for similar reconnaissance activities, ensuring rapid response to future threats.""" references = ["https://en.wikipedia.org/wiki/Hping"] risk_score = 47 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52" 
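Review bot: The false-positive guidance `create exceptions for known IP addresses or user accounts` proposes an exception the rule cannot express: the query matches process start events on `process.name` only, so the matched event carries no source or destination IP to exclude on. Reword it to fields present on the process event, e.g. `create exceptions for known user accounts or parent executables (user.name, process.parent.executable) involved in regular network audits`. The nping guide's "specific user accounts or IP addresses" in the hunk that follows has the same mismatch.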
@@ -84,41 +124,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name in ("hping", "hping2", "hping3") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Hping Process Activity - -Hping is a versatile command-line tool used for crafting and analyzing network packets, often employed in network security testing. Adversaries may exploit Hping to perform reconnaissance, such as scanning networks or probing firewalls, to gather system information. The detection rule identifies Hping's execution on Linux systems by monitoring specific process start events, helping to flag potential misuse indicative of discovery tactics. - -### Possible investigation steps - -- Review the process start event details to confirm the execution of Hping, focusing on the process.name field to ensure it matches "hping", "hping2", or "hping3". -- Identify the user account associated with the Hping process by examining the user context in the event data to determine if the activity aligns with expected behavior for that user. -- Analyze the command line arguments used with the Hping process to understand the intent of the execution, such as specific network targets or options that indicate scanning or probing activities. -- Check the timing and frequency of the Hping process execution to assess whether it aligns with routine network testing schedules or if it appears anomalous. 
-- Investigate the source and destination IP addresses involved in the Hping activity to identify potential targets and assess whether they are internal or external to the organization. -- Correlate the Hping activity with other security events or alerts from the same host or network segment to identify any related suspicious activities or patterns. -- Consult with the system owner or network security team to verify if the Hping activity was authorized as part of legitimate security testing or if it requires further investigation. - -### False positive analysis - -- Routine network testing by IT teams may trigger the rule when using Hping for legitimate purposes. To manage this, create exceptions for known IP addresses or user accounts involved in regular network audits. -- Automated scripts or cron jobs that utilize Hping for monitoring network performance can lead to false positives. Identify these scripts and exclude their execution paths or associated user accounts from the detection rule. -- Security training exercises or penetration testing activities might involve Hping usage. Coordinate with security teams to whitelist these activities by specifying time windows or specific user roles. -- Development or testing environments where Hping is used for application testing can cause alerts. Exclude these environments by filtering based on hostnames or network segments associated with non-production systems. - -### Response and remediation - -- Immediately isolate the affected Linux host from the network to prevent further reconnaissance or potential lateral movement by the adversary. -- Terminate any active Hping processes on the affected host to stop ongoing packet crafting or network probing activities. -- Conduct a thorough review of network logs and firewall configurations to identify any unauthorized access or anomalies that may have been exploited using Hping. 
-- Perform a comprehensive scan of the affected system for additional indicators of compromise, such as unauthorized user accounts or unexpected changes to system files. -- Reset credentials and review access permissions for accounts on the affected host to ensure no unauthorized access persists. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Update detection and monitoring systems to enhance visibility and alerting for similar reconnaissance activities, ensuring rapid response to future threats.""" [[rule.threat]] diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 760afd3f369..0e020284684 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,10 +17,52 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Nping Process Activity" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Nping Process Activity + +Nping, a component of the Nmap suite, is used for crafting raw packets, aiding in network diagnostics and security testing. Adversaries may exploit Nping to perform network reconnaissance or denial-of-service attacks by sending crafted packets to probe network services. The detection rule identifies Nping's execution on Linux systems by monitoring process start events, helping to flag potential misuse for malicious network discovery activities. + +### Possible investigation steps + +- Review the process start event details to confirm the execution of Nping, focusing on the process name field to ensure it matches "nping". +- Identify the user account associated with the Nping process execution to determine if it aligns with expected or authorized usage patterns. +- Examine the command line arguments used with Nping to understand the intent of the execution, such as specific network targets or packet types. +- Check the timing and frequency of the Nping execution to assess if it correlates with any known maintenance windows or unusual activity patterns. 
+- Investigate network logs or traffic data to identify any unusual or unauthorized network scanning or probing activities originating from the host where Nping was executed. +- Correlate the Nping activity with other security alerts or logs from the same host to identify potential indicators of compromise or broader attack patterns. + +### False positive analysis + +- Routine network diagnostics by IT teams using Nping for legitimate purposes can trigger alerts. To manage this, create exceptions for specific user accounts or IP addresses known to perform regular network testing. +- Automated scripts or monitoring tools that incorporate Nping for network health checks may cause false positives. Identify these scripts and whitelist their execution paths or associated processes. +- Security assessments or penetration tests conducted by authorized personnel might involve Nping usage. Coordinate with security teams to schedule these activities and temporarily adjust detection rules or add exceptions for the duration of the tests. +- Development or testing environments where Nping is used for application testing can generate alerts. Exclude these environments from monitoring or adjust the rule to ignore specific hostnames or network segments. +- Training sessions or workshops that include Nping demonstrations can lead to false positives. Notify the security team in advance and apply temporary exceptions for the event duration. + +### Response and remediation + +- Immediately isolate the affected Linux host from the network to prevent further reconnaissance or potential denial-of-service attacks. +- Terminate the Nping process on the affected host to stop any ongoing malicious activity. +- Conduct a thorough review of recent network traffic logs from the affected host to identify any unusual or unauthorized network service discovery attempts. 
+- Check for any unauthorized changes or installations on the affected host that may indicate further compromise or persistence mechanisms. +- Update and apply network security policies to restrict the use of network diagnostic tools like Nping to authorized personnel only. +- Escalate the incident to the security operations team for further investigation and to determine if the activity is part of a larger attack campaign. +- Enhance monitoring and alerting for similar activities across the network by ensuring that detection rules are in place for unauthorized use of network diagnostic tools.""" references = ["https://en.wikipedia.org/wiki/Nmap"] risk_score = 47 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77" 
@@ -84,41 +124,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "nping" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Nping Process Activity - -Nping, a component of the Nmap suite, is used for crafting raw packets, aiding in network diagnostics and security testing. Adversaries may exploit Nping to perform network reconnaissance or denial-of-service attacks by sending crafted packets to probe network services. The detection rule identifies Nping's execution on Linux systems by monitoring process start events, helping to flag potential misuse for malicious network discovery activities. - -### Possible investigation steps - -- Review the process start event details to confirm the execution of Nping, focusing on the process name field to ensure it matches "nping". -- Identify the user account associated with the Nping process execution to determine if it aligns with expected or authorized usage patterns. -- Examine the command line arguments used with Nping to understand the intent of the execution, such as specific network targets or packet types. -- Check the timing and frequency of the Nping execution to assess if it correlates with any known maintenance windows or unusual activity patterns. -- Investigate network logs or traffic data to identify any unusual or unauthorized network scanning or probing activities originating from the host where Nping was executed. 
-- Correlate the Nping activity with other security alerts or logs from the same host to identify potential indicators of compromise or broader attack patterns. - -### False positive analysis - -- Routine network diagnostics by IT teams using Nping for legitimate purposes can trigger alerts. To manage this, create exceptions for specific user accounts or IP addresses known to perform regular network testing. -- Automated scripts or monitoring tools that incorporate Nping for network health checks may cause false positives. Identify these scripts and whitelist their execution paths or associated processes. -- Security assessments or penetration tests conducted by authorized personnel might involve Nping usage. Coordinate with security teams to schedule these activities and temporarily adjust detection rules or add exceptions for the duration of the tests. -- Development or testing environments where Nping is used for application testing can generate alerts. Exclude these environments from monitoring or adjust the rule to ignore specific hostnames or network segments. -- Training sessions or workshops that include Nping demonstrations can lead to false positives. Notify the security team in advance and apply temporary exceptions for the event duration. - -### Response and remediation - -- Immediately isolate the affected Linux host from the network to prevent further reconnaissance or potential denial-of-service attacks. -- Terminate the Nping process on the affected host to stop any ongoing malicious activity. -- Conduct a thorough review of recent network traffic logs from the affected host to identify any unusual or unauthorized network service discovery attempts. -- Check for any unauthorized changes or installations on the affected host that may indicate further compromise or persistence mechanisms. -- Update and apply network security policies to restrict the use of network diagnostic tools like Nping to authorized personnel only. 
-- Escalate the incident to the security operations team for further investigation and to determine if the activity is part of a larger attack campaign. -- Enhance monitoring and alerting for similar activities across the network by ensuring that detection rules are in place for unauthorized use of network diagnostic tools.""" [[rule.threat]] diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml index a14fb277651..694412a51eb 100644 --- a/rules/linux/discovery_pam_version_discovery.toml +++ b/rules/linux/discovery_pam_version_discovery.toml @@ -2,9 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,10 +11,49 @@ This rule detects PAM version discovery activity on Linux systems. PAM version d attacker attempting to backdoor the authentication process through malicious PAM modules. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Pluggable Authentication Module (PAM) Version Discovery" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Pluggable Authentication Module (PAM) Version Discovery + +Pluggable Authentication Modules (PAM) provide a flexible mechanism for authenticating users on Linux systems. Adversaries may exploit PAM by discovering its version to identify vulnerabilities or backdoor the authentication process with malicious modules. The detection rule identifies suspicious processes querying PAM-related packages, indicating potential reconnaissance or tampering attempts, thus alerting security teams to possible threats. + +### Possible investigation steps + +- Review the process details to confirm the presence of suspicious activity, focusing on processes with names "dpkg", "dpkg-query", or "rpm" and their arguments "libpam-modules" or "pam". +- Check the user account associated with the process to determine if it is a legitimate user or potentially compromised. +- Investigate the parent process to understand the origin of the command execution and assess if it aligns with normal user behavior. 
+- Analyze recent login attempts and authentication logs to identify any unusual patterns or failed attempts that may indicate unauthorized access attempts. +- Correlate this activity with other alerts or logs from the same host to identify if there are additional indicators of compromise or related suspicious activities. + +### False positive analysis + +- Routine system updates or package management activities may trigger the rule when legitimate processes like dpkg or rpm query PAM-related packages. To manage this, consider creating exceptions for known maintenance windows or trusted administrative scripts. +- Automated configuration management tools, such as Ansible or Puppet, might execute commands that match the rule's criteria. Identify these tools and exclude their processes from triggering alerts by specifying their execution context. +- Security compliance checks or vulnerability assessments often involve querying system packages, including PAM. If these are regularly scheduled and verified, whitelist the associated processes to prevent unnecessary alerts. +- Developers or system administrators testing PAM configurations might inadvertently trigger the rule. Establish a protocol for notifying the security team of such activities in advance, allowing for temporary exceptions during testing periods. +- Custom scripts used for system monitoring or auditing may include commands that match the rule. Review these scripts and, if deemed safe, add them to an exclusion list to reduce false positives. + +### Response and remediation + +- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes identified by the detection rule, specifically those involving 'dpkg', 'dpkg-query', or 'rpm' with arguments related to PAM. 
+- Conduct a thorough review of PAM configuration files and modules on the affected system to identify and remove any unauthorized or malicious modifications. +- Restore any compromised PAM modules from a known good backup to ensure the integrity of the authentication process. +- Monitor for any additional suspicious activity on the affected system and related systems, focusing on unusual authentication attempts or process executions. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for PAM-related activities across the network to detect similar threats in the future.""" references = [ "https://www.group-ib.com/blog/pluggable-authentication-module/", "https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/", @@ -64,6 +101,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name != null and 
@@ -73,76 +111,42 @@ process where host.os.type == "linux" and event.type == "start" and ) and not process.parent.name in ("dcservice", "inspectorssmplugin") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Pluggable Authentication Module (PAM) Version Discovery - -Pluggable Authentication Modules (PAM) provide a flexible mechanism for authenticating users on Linux systems. Adversaries may exploit PAM by discovering its version to identify vulnerabilities or backdoor the authentication process with malicious modules. The detection rule identifies suspicious processes querying PAM-related packages, indicating potential reconnaissance or tampering attempts, thus alerting security teams to possible threats. - -### Possible investigation steps - -- Review the process details to confirm the presence of suspicious activity, focusing on processes with names "dpkg", "dpkg-query", or "rpm" and their arguments "libpam-modules" or "pam". -- Check the user account associated with the process to determine if it is a legitimate user or potentially compromised. -- Investigate the parent process to understand the origin of the command execution and assess if it aligns with normal user behavior. -- Analyze recent login attempts and authentication logs to identify any unusual patterns or failed attempts that may indicate unauthorized access attempts. -- Correlate this activity with other alerts or logs from the same host to identify if there are additional indicators of compromise or related suspicious activities. 
- -### False positive analysis -- Routine system updates or package management activities may trigger the rule when legitimate processes like dpkg or rpm query PAM-related packages. To manage this, consider creating exceptions for known maintenance windows or trusted administrative scripts. -- Automated configuration management tools, such as Ansible or Puppet, might execute commands that match the rule's criteria. Identify these tools and exclude their processes from triggering alerts by specifying their execution context. -- Security compliance checks or vulnerability assessments often involve querying system packages, including PAM. If these are regularly scheduled and verified, whitelist the associated processes to prevent unnecessary alerts. -- Developers or system administrators testing PAM configurations might inadvertently trigger the rule. Establish a protocol for notifying the security team of such activities in advance, allowing for temporary exceptions during testing periods. -- Custom scripts used for system monitoring or auditing may include commands that match the rule. Review these scripts and, if deemed safe, add them to an exclusion list to reduce false positives. - -### Response and remediation - -- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious processes identified by the detection rule, specifically those involving 'dpkg', 'dpkg-query', or 'rpm' with arguments related to PAM. -- Conduct a thorough review of PAM configuration files and modules on the affected system to identify and remove any unauthorized or malicious modifications. -- Restore any compromised PAM modules from a known good backup to ensure the integrity of the authentication process. -- Monitor for any additional suspicious activity on the affected system and related systems, focusing on unusual authentication attempts or process executions. 
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring and logging for PAM-related activities across the network to detect similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/discovery_polkit_version_discovery.toml b/rules/linux/discovery_polkit_version_discovery.toml index 0a2202d69cc..2f24ec30aef 100644 --- a/rules/linux/discovery_polkit_version_discovery.toml +++ b/rules/linux/discovery_polkit_version_discovery.toml 
@@ -2,21 +2,57 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -This rule detects Polkit version discovery activity on Linux systems. Polkit version discovery can be an -indication of an attacker attempting to exploit misconfigurations or vulnerabilities in the Polkit service. +This rule detects Polkit version discovery activity on Linux systems. Polkit version discovery can be an indication of +an attacker attempting to exploit misconfigurations or vulnerabilities in the Polkit service. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Polkit Version Discovery" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Polkit Version Discovery + +Polkit, a system service in Linux, manages system-wide privileges, enabling non-privileged processes to communicate with privileged ones. Adversaries may exploit Polkit by discovering its version to identify vulnerabilities or misconfigurations. The detection rule identifies suspicious activities by monitoring specific command executions related to Polkit version checks, signaling potential reconnaissance efforts by attackers. 
+ +### Possible investigation steps + +- Review the process execution details to confirm the command used for Polkit version discovery, focusing on the process name and arguments such as "dnf", "rpm", "apt", or "pkaction". +- Check the user account associated with the process execution to determine if it is a legitimate user or potentially compromised. +- Investigate the host from which the command was executed to assess if it has a history of suspicious activities or if it is a high-value target. +- Correlate the event with other logs or alerts to identify if there are additional indicators of compromise or related reconnaissance activities. +- Evaluate the necessity and frequency of Polkit version checks in the environment to determine if this behavior is expected or anomalous. + +### False positive analysis + +- Routine system updates or package management activities may trigger the rule when administrators use package managers like dnf, rpm, or apt to check for updates or verify installed packages. To mitigate this, create exceptions for known administrative scripts or user accounts that regularly perform these actions. +- Automated system monitoring tools that check software versions for compliance or inventory purposes might also cause false positives. Identify these tools and exclude their processes from triggering the rule. +- Developers or system administrators testing Polkit configurations or updates might execute version checks as part of their workflow. Consider excluding specific user accounts or process paths associated with development and testing environments. +- Security audits or vulnerability assessments conducted by internal teams may involve version checks as part of their procedures. Coordinate with these teams to whitelist their activities during scheduled assessments. + +### Response and remediation + +- Isolate the affected system from the network to prevent potential lateral movement by the attacker. 
+- Terminate any suspicious processes identified in the alert, such as those involving the execution of Polkit version discovery commands. +- Conduct a thorough review of system logs and command history to identify any unauthorized access or further malicious activities. +- Apply any available security patches or updates to the Polkit service to address known vulnerabilities. +- Implement stricter access controls and monitoring on systems running Polkit to prevent unauthorized version checks and other reconnaissance activities. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Enhance detection capabilities by configuring alerts for similar reconnaissance activities across the network to ensure early detection of potential threats.""" risk_score = 21 rule_id = "ca3bcacc-9285-4452-a742-5dae77538f61" setup = """## Setup @@ -54,6 +90,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and ( 
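Review bot: The response section added to `note` opens with `- Isolate the affected system from the network` and `- Terminate any suspicious processes`, which is out of proportion for a `risk_score = 21` rule whose own false-positive section says `dnf`/`rpm`/`apt` version checks are routine for administrators and inventory tooling; an analyst following it literally would quarantine hosts on package-manager noise. I would qualify the first step as `- If the version check is corroborated by other discovery, exploitation or privilege-escalation activity on the same host, isolate the system from the network to prevent lateral movement.` Dropping `min_stack_version = "8.13.0"` together with its SentinelOne breaking-change comment while the rule still indexes `logs-sentinel_one_cloud_funnel.*` is presumably safe only because every supported stack branch is now at or above 8.13; that assumption is worth stating in the PR rather than leaving it implicit. The query this guide describes sits in a later hunk.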
@@ -63,49 +100,18 @@ event.action in ("exec", "exec_event", "start", "ProcessRollup2") and ( (process.name == "pkaction" and process.args == "--version") ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Polkit Version Discovery - -Polkit, a system service in Linux, manages system-wide privileges, enabling non-privileged processes to communicate with privileged ones. Adversaries may exploit Polkit by discovering its version to identify vulnerabilities or misconfigurations. The detection rule identifies suspicious activities by monitoring specific command executions related to Polkit version checks, signaling potential reconnaissance efforts by attackers. - -### Possible investigation steps -- Review the process execution details to confirm the command used for Polkit version discovery, focusing on the process name and arguments such as "dnf", "rpm", "apt", or "pkaction". -- Check the user account associated with the process execution to determine if it is a legitimate user or potentially compromised. -- Investigate the host from which the command was executed to assess if it has a history of suspicious activities or if it is a high-value target. -- Correlate the event with other logs or alerts to identify if there are additional indicators of compromise or related reconnaissance activities. -- Evaluate the necessity and frequency of Polkit version checks in the environment to determine if this behavior is expected or anomalous. 
- -### False positive analysis - -- Routine system updates or package management activities may trigger the rule when administrators use package managers like dnf, rpm, or apt to check for updates or verify installed packages. To mitigate this, create exceptions for known administrative scripts or user accounts that regularly perform these actions. -- Automated system monitoring tools that check software versions for compliance or inventory purposes might also cause false positives. Identify these tools and exclude their processes from triggering the rule. -- Developers or system administrators testing Polkit configurations or updates might execute version checks as part of their workflow. Consider excluding specific user accounts or process paths associated with development and testing environments. -- Security audits or vulnerability assessments conducted by internal teams may involve version checks as part of their procedures. Coordinate with these teams to whitelist their activities during scheduled assessments. - -### Response and remediation - -- Isolate the affected system from the network to prevent potential lateral movement by the attacker. -- Terminate any suspicious processes identified in the alert, such as those involving the execution of Polkit version discovery commands. -- Conduct a thorough review of system logs and command history to identify any unauthorized access or further malicious activities. -- Apply any available security patches or updates to the Polkit service to address known vulnerabilities. -- Implement stricter access controls and monitoring on systems running Polkit to prevent unauthorized version checks and other reconnaissance activities. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. 
-- Enhance detection capabilities by configuring alerts for similar reconnaissance activities across the network to ensure early detection of potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml index 015364f3148..5b0e0cc6d7b 100644 --- a/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml +++ b/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml 
@@ -2,27 +2,59 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "ES|QL rule type in technical preview as of 8.13" -min_stack_version = "8.13.0" -updated_date = "2025/03/04" +updated_date = "2025/04/07" [rule] author = ["Elastic"] description = """ -This rule detects potential port scanning activity from a compromised host. Port scanning is a -common reconnaissance technique used by attackers to identify open ports and services on a target -system. A compromised host may exhibit port scanning behavior when an attacker is attempting to -map out the network topology, identify vulnerable services, or prepare for further exploitation. -This rule identifies potential port scanning activity by monitoring network connection attempts -from a single host to a large number of ports within a short time frame. ES|QL rules have limited -fields available in its alert documents. Make sure to review the original documents to aid in the -investigation of this alert. +This rule detects potential port scanning activity from a compromised host. Port scanning is a common reconnaissance +technique used by attackers to identify open ports and services on a target system. A compromised host may exhibit port +scanning behavior when an attacker is attempting to map out the network topology, identify vulnerable services, or +prepare for further exploitation. This rule identifies potential port scanning activity by monitoring network connection +attempts from a single host to a large number of ports within a short time frame. ES|QL rules have limited fields +available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. 
""" from = "now-61m" interval = "1h" language = "esql" license = "Elastic License v2" name = "Potential Port Scanning Activity from Compromised Host" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Port Scanning Activity from Compromised Host + +Port scanning is a reconnaissance method used by attackers to identify open ports and services on a network, often as a precursor to exploitation. In Linux environments, compromised hosts may perform rapid connection attempts to numerous ports, signaling potential scanning activity. The detection rule identifies such behavior by analyzing network logs for a high number of distinct port connections from a single host within a short timeframe, indicating possible malicious intent. + +### Possible investigation steps + +- Review the network logs to identify the specific host exhibiting the port scanning behavior by examining the destination.ip and process.executable fields. +- Analyze the @timestamp field to determine the exact time frame of the scanning activity and correlate it with any other suspicious activities or alerts from the same host. +- Investigate the process.executable field to understand which application or service initiated the connection attempts, and verify if it is a legitimate process or potentially malicious. +- Check the destination.port field to identify the range and types of ports targeted by the scanning activity, which may provide insights into the attacker's objectives or the services they are interested in. 
+- Assess the host's security posture by reviewing recent changes, installed software, and user activity to determine if the host has been compromised or if the scanning is part of legitimate network operations. +- Consult the original documents and logs for additional context and details that may not be captured in the alert to aid in a comprehensive investigation. + +### False positive analysis + +- Legitimate network scanning tools used by system administrators for network maintenance or security assessments can trigger this rule. To handle this, identify and whitelist the IP addresses or processes associated with these tools. +- Automated vulnerability scanners or monitoring systems that perform regular checks on network services may cause false positives. Exclude these systems by creating exceptions for their known IP addresses or process names. +- High-volume legitimate services that open multiple connections to different ports, such as load balancers or proxy servers, might be flagged. Review and exclude these services by specifying their IP addresses or process executables. +- Development or testing environments where frequent port scanning is part of routine operations can be mistakenly identified. Implement exceptions for these environments by excluding their specific network segments or host identifiers. +- Scheduled network discovery tasks that are part of IT operations can mimic port scanning behavior. Document and exclude these tasks by setting up time-based exceptions or identifying their unique process signatures. + +### Response and remediation + +- Isolate the compromised host from the network immediately to prevent further scanning and potential lateral movement. +- Terminate any suspicious processes identified by the process.executable field to halt ongoing malicious activities. +- Conduct a thorough review of the compromised host's system logs and network traffic to identify any unauthorized access or data exfiltration attempts. 
+- Patch and update all software and services on the compromised host to close any vulnerabilities that may have been exploited. +- Change all credentials associated with the compromised host and any potentially affected systems to prevent unauthorized access. +- Monitor the network for any further signs of scanning activity or other suspicious behavior from other hosts, indicating potential additional compromises. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +""" risk_score = 21 rule_id = "6b341d03-1d63-41ac-841a-2009c86959ca" setup = """## Setup 
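Review bot: The first investigation step tells the analyst to identify `the specific host exhibiting the port scanning behavior by examining the destination.ip and process.executable fields`, but `destination.ip` is the scanned target, not the scanning host; the source is identified by `host.name`/`agent.id`, which the query in the next hunk now surfaces with `VALUES()`. I would reword it to `- Identify the scanning host from host.name / agent.id and the scanned target from destination.ip, then review process.executable to see which binary made the connections.` The false-positive section also advises whitelisting tools by `IP addresses`, yet the `keep` list in the query carries only `destination.ip` and no source address, so such an exception cannot be expressed against this rule's output; exceptions should key on `host.name`, `agent.id` or `process.executable`. Removing `min_stack_version = "8.13.0"` and its technical-preview comment presumably relies on every supported stack now being at or above the ES|QL floor, which I cannot confirm from this hunk.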
@@ -57,29 +89,33 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
+
 query = '''
 from logs-endpoint.events.network-*
-| keep @timestamp, host.os.type, event.type, event.action, destination.port, process.executable, destination.ip, agent.id
+| keep @timestamp, host.os.type, event.type, event.action, destination.port, process.executable, destination.ip, agent.id, host.name
 | where @timestamp > now() - 1 hours
 | where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted"
-| stats cc = count(), port_count = count_distinct(destination.port), agent_count = count_distinct(agent.id) by process.executable, destination.ip
+| stats cc = count(), port_count = count_distinct(destination.port), agent_count = count_distinct(agent.id), host.name = VALUES(host.name), agent.id = VALUES(agent.id) by process.executable, destination.ip
 | where agent_count == 1 and port_count > 100
 | sort cc asc
 | limit 100
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1046/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/linux/discovery_private_key_password_searching_activity.toml b/rules/linux/discovery_private_key_password_searching_activity.toml
index 356264921ae..d9d0f29ef75 100644
--- a/rules/linux/discovery_private_key_password_searching_activity.toml
+++ b/rules/linux/discovery_private_key_password_searching_activity.toml
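Review bot: The `stats ... by process.executable, destination.ip` grouping still pools events from every agent into one bucket and the `agent_count == 1` filter then discards any bucket that two hosts contribute to, so two compromised hosts scanning the same target with the same binary (the usual shape when one tool is pushed to several machines) silently suppress each other's alert; adding `agent.id` to the grouping closes that gap and makes the new `host.name`/`agent.id` columns single-valued by construction. I would change the two lines to `| stats cc = count(), port_count = count_distinct(destination.port), host.name = VALUES(host.name) by agent.id, process.executable, destination.ip` and `| where port_count > 100`. As written, `host.name = VALUES(host.name)` can also come back multivalued if one agent reports more than one hostname inside the window, which matters when exceptions are written against it. Note too that a threshold of 100 distinct ports per `destination.ip` only catches vertical scans; a horizontal sweep of one port across many hosts never reaches it, which is fine if intentional but should be stated in the description.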
@@ -2,9 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,10 +11,49 @@ This rule detects private key searching activity on Linux systems. Searching for attacker attempting to escalate privileges or exfiltrate sensitive information. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Private Key Searching Activity" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Private Key Searching Activity + +In Linux environments, private keys are crucial for secure communications and authentication. Adversaries may exploit this by searching for private keys to gain unauthorized access or escalate privileges. The detection rule identifies suspicious use of the 'find' command targeting key files in sensitive directories, signaling potential malicious intent. This proactive monitoring helps mitigate risks associated with unauthorized key access. + +### Possible investigation steps + +- Review the process details to confirm the 'find' command was executed with parameters targeting private key files, as indicated by the command line containing patterns like "*id_dsa*", "*id_rsa*", etc., and directories such as "/home/", "/etc/ssh", or "/root/". +- Identify the user account associated with the process to determine if the activity aligns with expected behavior for that user or if it suggests potential compromise. 
+- Check the process's parent process to understand the context in which the 'find' command was executed, which may provide insights into whether this was part of a legitimate script or an unauthorized action. +- Investigate any recent login activity or changes in user privileges for the account involved to assess if there has been any unauthorized access or privilege escalation. +- Examine system logs and other security alerts around the time of the event to identify any correlated suspicious activities or anomalies that might indicate a broader attack campaign. + +### False positive analysis + +- System administrators or automated scripts may use the 'find' command to locate private keys for legitimate maintenance tasks. To handle this, create exceptions for known administrative accounts or scripts that regularly perform these actions. +- Backup processes might search for private keys as part of routine data protection activities. Identify and exclude these processes by specifying their unique command-line patterns or process IDs. +- Security audits or compliance checks often involve scanning for private keys to ensure proper security measures are in place. Exclude these activities by recognizing the specific tools or scripts used during audits. +- Developers or DevOps teams may search for private keys during application deployment or configuration. Establish a list of trusted users or processes involved in these operations and exclude them from triggering alerts. +- Automated configuration management tools like Ansible or Puppet might search for keys as part of their operations. Identify these tools and exclude their specific command-line patterns to prevent false positives. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. 
+- Terminate any suspicious processes identified by the detection rule, particularly those involving the 'find' command searching for private keys. +- Conduct a thorough review of access logs and process execution history to identify any unauthorized access or privilege escalation attempts. +- Change all potentially compromised private keys and associated credentials, ensuring new keys are securely generated and stored. +- Implement stricter access controls and permissions on directories containing private keys to limit exposure to unauthorized users. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Enhance monitoring and alerting for similar activities by ensuring that detection rules are tuned to capture variations of the 'find' command targeting sensitive files.""" risk_score = 21 rule_id = "627374ab-7080-4e4d-8316-bef1122444af" setup = """## Setup 
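Review bot: The false-positive section recommends excluding backup jobs `by specifying their unique command-line patterns or process IDs`; PIDs are recycled and reassigned on every boot, so an exception keyed on a PID is either dead immediately or later matches an unrelated process, and it should not be offered as a tuning knob. I would drop the PID wording in favour of `by specifying their unique command-line patterns or their parent process executable`. The response step `- Change all potentially compromised private keys and associated credentials` is right but incomplete: the matching public keys also have to be removed from `authorized_keys` on every host they were deployed to, otherwise a copied private key keeps working after the local file is rotated, so I would add `- Remove the corresponding public keys from authorized_keys on all hosts they grant access to.` The query this guide describes is in a later hunk.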
@@ -46,58 +83,26 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name == "find" and process.command_line like ("*id_dsa*", "*id_rsa*", "*id_ed*", "*id_ecdsa*", "*id_xmss*", "*id_dh*") and process.command_line like ("*/home/*", "*/etc/ssh*", "*/root/*", "/") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Private Key Searching Activity - -In Linux environments, private keys are crucial for secure communications and authentication. Adversaries may exploit this by searching for private keys to gain unauthorized access or escalate privileges. The detection rule identifies suspicious use of the 'find' command targeting key files in sensitive directories, signaling potential malicious intent. This proactive monitoring helps mitigate risks associated with unauthorized key access. 
- -### Possible investigation steps - -- Review the process details to confirm the 'find' command was executed with parameters targeting private key files, as indicated by the command line containing patterns like "*id_dsa*", "*id_rsa*", etc., and directories such as "/home/", "/etc/ssh", or "/root/". -- Identify the user account associated with the process to determine if the activity aligns with expected behavior for that user or if it suggests potential compromise. -- Check the process's parent process to understand the context in which the 'find' command was executed, which may provide insights into whether this was part of a legitimate script or an unauthorized action. -- Investigate any recent login activity or changes in user privileges for the account involved to assess if there has been any unauthorized access or privilege escalation. -- Examine system logs and other security alerts around the time of the event to identify any correlated suspicious activities or anomalies that might indicate a broader attack campaign. - -### False positive analysis -- System administrators or automated scripts may use the 'find' command to locate private keys for legitimate maintenance tasks. To handle this, create exceptions for known administrative accounts or scripts that regularly perform these actions. -- Backup processes might search for private keys as part of routine data protection activities. Identify and exclude these processes by specifying their unique command-line patterns or process IDs. -- Security audits or compliance checks often involve scanning for private keys to ensure proper security measures are in place. Exclude these activities by recognizing the specific tools or scripts used during audits. -- Developers or DevOps teams may search for private keys during application deployment or configuration. Establish a list of trusted users or processes involved in these operations and exclude them from triggering alerts. 
-- Automated configuration management tools like Ansible or Puppet might search for keys as part of their operations. Identify these tools and exclude their specific command-line patterns to prevent false positives.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
-- Terminate any suspicious processes identified by the detection rule, particularly those involving the 'find' command searching for private keys.
-- Conduct a thorough review of access logs and process execution history to identify any unauthorized access or privilege escalation attempts.
-- Change all potentially compromised private keys and associated credentials, ensuring new keys are securely generated and stored.
-- Implement stricter access controls and permissions on directories containing private keys to limit exposure to unauthorized users.
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
-- Enhance monitoring and alerting for similar activities by ensuring that detection rules are tuned to capture variations of the 'find' command targeting sensitive files."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -106,3 +111,4 @@ framework = "MITRE ATT&CK"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml
index e345c1f4c8a..b49aec9feda 100644
--- a/rules/linux/discovery_security_file_access_via_common_utility.toml
+++ b/rules/linux/discovery_security_file_access_via_common_utility.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,10 +11,50 @@ This rule detects sensitive security file access via common utilities on Linux s from sensitive files using common utilities to gather information about the system and its security configuration. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Security File Access via Common Utilities" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Security File Access via Common Utilities + +In Linux environments, common utilities like `cat`, `grep`, and `less` are essential for file manipulation and viewing. Adversaries exploit these tools to access sensitive security files, aiming to gather system and security configuration data. The detection rule identifies suspicious use of these utilities by monitoring process execution patterns and arguments, flagging attempts to access critical security files, thus helping to thwart potential reconnaissance activities. + +### Possible investigation steps + +- Review the process execution details to identify the specific utility used (e.g., cat, grep, less) and the exact file path accessed, as indicated by the process.name and process.args fields. +- Check the user account associated with the process execution to determine if the access was performed by a legitimate user or a potentially compromised account. 
+- Investigate the timing and frequency of the access attempt to assess whether it aligns with normal user behavior or indicates suspicious activity. +- Correlate the alert with other security events or logs from the same host to identify any preceding or subsequent suspicious activities, such as unauthorized logins or privilege escalation attempts. +- Examine the host's recent changes or updates to security configurations or user permissions that might explain the access attempt. +- If possible, contact the user or system owner to verify whether the access was intentional and authorized, providing additional context for the investigation. + +### False positive analysis + +- System administrators or automated scripts may frequently access security files for legitimate maintenance or configuration purposes. To handle this, create exceptions for known administrative accounts or specific scripts that regularly perform these actions. +- Security monitoring tools or compliance checks might trigger the rule when scanning security files. Identify these tools and exclude their processes from the rule to prevent unnecessary alerts. +- Backup processes that involve copying or reading security files can be mistaken for suspicious activity. Exclude backup software processes or scheduled tasks that are known to perform these operations. +- Developers or DevOps personnel accessing configuration files for application deployment or troubleshooting might trigger the rule. Establish a list of trusted users or roles and exclude their access patterns from detection. +- Regular system updates or package management operations may involve accessing security-related files. Recognize these update processes and exclude them to avoid false positives during routine maintenance. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. 
+- Terminate any suspicious processes identified by the detection rule to halt potential reconnaissance activities. +- Conduct a thorough review of the accessed files to determine if any sensitive information was exposed or altered. +- Change credentials and access tokens for any compromised accounts, especially those related to AWS, GCP, or Azure, to prevent unauthorized access. +- Implement stricter access controls and permissions on sensitive security files to limit exposure to only necessary users and processes. +- Escalate the incident to the security operations team for further investigation and to assess the potential impact on the broader network. +- Enhance monitoring and logging for similar activities to improve detection and response times for future incidents.""" risk_score = 21 rule_id = "7efca3ad-a348-43b2-b544-c93a78a0ef92" setup = """## Setup @@ -46,18 +84,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and 
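Review bot: The false-positive section leads with `create exceptions for known administrative accounts`, which carves out exactly the accounts an attacker who has landed on the host will be operating as, so a blanket account exclusion defeats the rule; exceptions for this kind of discovery activity are safer keyed on the invoking parent process, as the rule's own `not process.parent.name in ("wazuh-modulesd", "lynis")` clause in the query hunk below already does. I would reword it to `create exceptions for specific maintenance scripts or their parent process, rather than for administrative user accounts as a whole`. The remediation step that singles out `AWS, GCP, or Azure` credentials presumably mirrors the cloud secret paths the query matches, but that file list is outside this hunk, so the step should be checked against it and should cover every secret type the query actually looks for rather than only cloud providers.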
@@ -71,41 +110,7 @@ process where host.os.type == "linux" and event.type == "start" and ) and not process.parent.name in ("wazuh-modulesd", "lynis") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Security File Access via Common Utilities - -In Linux environments, common utilities like `cat`, `grep`, and `less` are essential for file manipulation and viewing. Adversaries exploit these tools to access sensitive security files, aiming to gather system and security configuration data. The detection rule identifies suspicious use of these utilities by monitoring process execution patterns and arguments, flagging attempts to access critical security files, thus helping to thwart potential reconnaissance activities. - -### Possible investigation steps -- Review the process execution details to identify the specific utility used (e.g., cat, grep, less) and the exact file path accessed, as indicated by the process.name and process.args fields. -- Check the user account associated with the process execution to determine if the access was performed by a legitimate user or a potentially compromised account. -- Investigate the timing and frequency of the access attempt to assess whether it aligns with normal user behavior or indicates suspicious activity. -- Correlate the alert with other security events or logs from the same host to identify any preceding or subsequent suspicious activities, such as unauthorized logins or privilege escalation attempts. -- Examine the host's recent changes or updates to security configurations or user permissions that might explain the access attempt. 
-- If possible, contact the user or system owner to verify whether the access was intentional and authorized, providing additional context for the investigation. - -### False positive analysis - -- System administrators or automated scripts may frequently access security files for legitimate maintenance or configuration purposes. To handle this, create exceptions for known administrative accounts or specific scripts that regularly perform these actions. -- Security monitoring tools or compliance checks might trigger the rule when scanning security files. Identify these tools and exclude their processes from the rule to prevent unnecessary alerts. -- Backup processes that involve copying or reading security files can be mistaken for suspicious activity. Exclude backup software processes or scheduled tasks that are known to perform these operations. -- Developers or DevOps personnel accessing configuration files for application deployment or troubleshooting might trigger the rule. Establish a list of trusted users or roles and exclude their access patterns from detection. -- Regular system updates or package management operations may involve accessing security-related files. Recognize these update processes and exclude them to avoid false positives during routine maintenance. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious processes identified by the detection rule to halt potential reconnaissance activities. -- Conduct a thorough review of the accessed files to determine if any sensitive information was exposed or altered. -- Change credentials and access tokens for any compromised accounts, especially those related to AWS, GCP, or Azure, to prevent unauthorized access. -- Implement stricter access controls and permissions on sensitive security files to limit exposure to only necessary users and processes. 
-- Escalate the incident to the security operations team for further investigation and to assess the potential impact on the broader network. -- Enhance monitoring and logging for similar activities to improve detection and response times for future incidents.""" [[rule.threat]] framework = "MITRE ATT&CK" @@ -114,3 +119,4 @@ framework = "MITRE ATT&CK" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml index 57a551f9534..1e13ae504e3 100644 --- a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml +++ b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml 
@@ -2,27 +2,58 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
-min_stack_version = "8.13.0"
-updated_date = "2025/03/04"
+updated_date = "2025/04/07"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects potential subnet scanning activity from a compromised host. Subnet scanning is
-a common reconnaissance technique used by attackers to identify live hosts within a network range.
-A compromised host may exhibit subnet scanning behavior when an attacker is attempting to map out
-the network topology, identify vulnerable hosts, or prepare for further exploitation. This rule
-identifies potential subnet scanning activity by monitoring network connection attempts from a
-single host to a large number of hosts within a short time frame. ES|QL rules have limited fields
-available in its alert documents. Make sure to review the original documents to aid in the
-investigation of this alert.
+This rule detects potential subnet scanning activity from a compromised host. Subnet scanning is a common reconnaissance
+technique used by attackers to identify live hosts within a network range. A compromised host may exhibit subnet
+scanning behavior when an attacker is attempting to map out the network topology, identify vulnerable hosts, or prepare
+for further exploitation. This rule identifies potential subnet scanning activity by monitoring network connection
+attempts from a single host to a large number of hosts within a short time frame. ES|QL rules have limited fields
+available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.
""" from = "now-61m" interval = "1h" language = "esql" license = "Elastic License v2" name = "Potential Subnet Scanning Activity from Compromised Host" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Subnet Scanning Activity from Compromised Host + +Subnet scanning is a reconnaissance method used by attackers to map network topology and identify active hosts. Adversaries exploit compromised hosts to perform these scans, seeking vulnerabilities for further attacks. The detection rule identifies such activity by monitoring Linux hosts for numerous connection attempts to different IPs within a short period, indicating potential scanning behavior. This helps in early detection and mitigation of network threats. + +### Possible investigation steps + +- Review the process executable identified in the alert to determine if it is a known or legitimate application that should be making network connections. +- Examine the destination IP addresses to identify any patterns or known malicious IPs, and check if these IPs are part of the organization's network or external. +- Investigate the specific host (using the agent.id) to assess if there are any signs of compromise, such as unusual processes or unauthorized access. +- Correlate the event timestamp with other logs or alerts to identify any concurrent suspicious activities or anomalies on the host. +- Check for any recent changes or updates on the host that might explain the scanning behavior, such as new software installations or configuration changes. + +### False positive analysis + +- High-volume legitimate network monitoring tools may trigger the rule. 
Identify and exclude these tools by adding their process executables to an exception list. +- Automated backup systems that connect to multiple hosts within a short timeframe can be mistaken for scanning activity. Review and exclude these systems by their process executable or agent ID. +- Security software performing routine network health checks might generate false positives. Verify these activities and create exceptions based on the specific process executable involved. +- Internal IT scripts or administrative tasks that involve connecting to numerous hosts for maintenance purposes can trigger alerts. Document these tasks and exclude them by process executable or agent ID. +- Cloud-based services or applications that require frequent connections to various hosts for functionality may appear as scanning. Identify these services and exclude them by their process executable or agent ID. + +### Response and remediation + +- Isolate the compromised host immediately from the network to prevent further scanning and potential lateral movement by the attacker. +- Terminate any suspicious processes identified by the executable name in the alert to stop ongoing scanning activities. +- Conduct a thorough examination of the compromised host to identify and remove any malware or unauthorized access tools that may have been installed. +- Reset credentials and review access permissions for the compromised host to ensure no unauthorized access persists. +- Update and patch the compromised host and any other vulnerable systems identified during the investigation to close security gaps. +- Monitor network traffic closely for any signs of continued scanning or other suspicious activities from other hosts, indicating potential further compromise. +- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine if additional hosts are affected. 
+""" risk_score = 21 rule_id = "860f2a03-a1cf-48d6-a674-c6d62ae608a1" setup = """## Setup @@ -57,29 +88,33 @@ tags = [ "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "esql" + query = ''' from logs-endpoint.events.network-* -| keep @timestamp, host.os.type, event.type, event.action, process.executable, destination.ip, agent.id +| keep @timestamp, host.os.type, event.type, event.action, process.executable, destination.ip, agent.id, host.name | where @timestamp > now() - 1 hours | where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" -| stats cc = count(), dest_count = count_distinct(destination.ip), agent_count = count_distinct(agent.id) by process.executable +| stats cc = count(), dest_count = count_distinct(destination.ip), agent_count = count_distinct(agent.id), host.name = VALUES(host.name), agent.id = VALUES(agent.id) by process.executable | where agent_count == 1 and dest_count > 250 | sort cc asc | limit 100 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index fe6b11cc968..9c5015f5db1 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml 
@@ -2,9 +2,7 @@
 creation_date = "2023/08/30"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,10 +12,48 @@ the invoking user. Attackers may execute this command to enumerate commands allo permissions, potentially allowing to escalate privileges to root. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Sudo Command Enumeration Detected" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Sudo Command Enumeration Detected + +The sudo command in Linux environments allows users to execute commands with elevated privileges, typically as the root user. Attackers may exploit this by using the `sudo -l` command to list permissible commands, potentially identifying paths to escalate privileges. The detection rule identifies this behavior by monitoring for the execution of `sudo -l` from common shell environments, flagging potential misuse for privilege escalation. + +### Possible investigation steps + +- Review the process execution details to confirm the presence of the `sudo -l` command, ensuring the process name is "sudo" and the arguments include "-l" with an argument count of 2. +- Identify the parent process of the `sudo` command to determine the shell environment used, checking if it matches any of the specified shells like "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", or "fish". +- Investigate the user account that executed the `sudo -l` command to assess if the activity aligns with their typical behavior or if it appears suspicious. 
+- Check for any recent changes in user permissions or sudoers configuration that might indicate unauthorized modifications. +- Correlate this event with other logs or alerts to identify any subsequent suspicious activities that might suggest privilege escalation attempts. + +### False positive analysis + +- System administrators frequently use the sudo -l command to verify their permissions. To reduce noise, consider excluding specific user accounts or groups known for legitimate use. +- Automated scripts or configuration management tools may execute sudo -l as part of routine checks. Identify these scripts and exclude their execution paths or parent processes from the rule. +- Some software installations or updates might invoke sudo -l to check permissions. Monitor and document these processes, then create exceptions for known benign software. +- Developers or testers might use sudo -l during debugging or testing phases. Coordinate with development teams to identify and exclude these activities when they are part of approved workflows. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement by the attacker. +- Review the sudoers file on the affected system to identify any unauthorized or suspicious entries that may have been added or modified, and revert any changes to their original state. +- Terminate any suspicious processes initiated by the user who executed the `sudo -l` command, especially if they are not part of normal operations. +- Reset the password of the user account involved in the alert to prevent further unauthorized access. +- Conduct a thorough review of system logs to identify any additional suspicious activity or commands executed by the user, and assess the scope of potential compromise. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. 
+- Implement additional monitoring and alerting for similar `sudo -l` command executions across the environment to enhance detection and response capabilities.""" risk_score = 21 rule_id = "28d39238-0c01-420a-b77a-24e5a7378663" setup = """## Setup 
@@ -59,55 +95,25 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name == "sudo" and process.args == "-l" and process.args_count == 2 and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not process.args == "dpkg" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Sudo Command Enumeration Detected - -The sudo command in Linux environments allows users to execute commands with elevated privileges, typically as the root user. Attackers may exploit this by using the `sudo -l` command to list permissible commands, potentially identifying paths to escalate privileges. The detection rule identifies this behavior by monitoring for the execution of `sudo -l` from common shell environments, flagging potential misuse for privilege escalation. - -### Possible investigation steps -- Review the process execution details to confirm the presence of the `sudo -l` command, ensuring the process name is "sudo" and the arguments include "-l" with an argument count of 2. -- Identify the parent process of the `sudo` command to determine the shell environment used, checking if it matches any of the specified shells like "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", or "fish". -- Investigate the user account that executed the `sudo -l` command to assess if the activity aligns with their typical behavior or if it appears suspicious. -- Check for any recent changes in user permissions or sudoers configuration that might indicate unauthorized modifications. 
-- Correlate this event with other logs or alerts to identify any subsequent suspicious activities that might suggest privilege escalation attempts. - -### False positive analysis - -- System administrators frequently use the sudo -l command to verify their permissions. To reduce noise, consider excluding specific user accounts or groups known for legitimate use. -- Automated scripts or configuration management tools may execute sudo -l as part of routine checks. Identify these scripts and exclude their execution paths or parent processes from the rule. -- Some software installations or updates might invoke sudo -l to check permissions. Monitor and document these processes, then create exceptions for known benign software. -- Developers or testers might use sudo -l during debugging or testing phases. Coordinate with development teams to identify and exclude these activities when they are part of approved workflows. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement by the attacker. -- Review the sudoers file on the affected system to identify any unauthorized or suspicious entries that may have been added or modified, and revert any changes to their original state. -- Terminate any suspicious processes initiated by the user who executed the `sudo -l` command, especially if they are not part of normal operations. -- Reset the password of the user account involved in the alert to prevent further unauthorized access. -- Conduct a thorough review of system logs to identify any additional suspicious activity or commands executed by the user, and assess the scope of potential compromise. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. 
-- Implement additional monitoring and alerting for similar `sudo -l` command executions across the environment to enhance detection and response capabilities.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_suspicious_memory_grep_activity.toml b/rules/linux/discovery_suspicious_memory_grep_activity.toml index e9520b48079..b54e11128bc 100644 --- a/rules/linux/discovery_suspicious_memory_grep_activity.toml +++ b/rules/linux/discovery_suspicious_memory_grep_activity.toml @@ -2,9 +2,7 @@ creation_date = "2024/02/05" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,32 +12,15 @@ specific process, detailing the memory segments, permissions, and what files are read a process's memory map to identify memory addresses for code injection or process hijacking. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Memory grep Activity" -references = ["https://github.com/arget13/DDexec"] -risk_score = 21 -rule_id = "d74d6506-427a-4790-b170-0c2a6ddac799" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2") and - process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack]", "[vdso]", "[heap]") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -75,16 +56,41 @@ In Linux, the `/proc/*/maps` file reveals a process's memory layout, crucial for - Apply patches and updates to the operating system and applications to mitigate known vulnerabilities that could be exploited for similar attacks. - Implement stricter access controls and monitoring on sensitive files and directories, such as `/proc/*/maps`, to prevent unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures.""" +references = ["https://github.com/arget13/DDexec"] +risk_score = 21 +rule_id = "d74d6506-427a-4790-b170-0c2a6ddac799" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2") and + process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack]", "[vdso]", "[heap]") +''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml new file mode 100644 index 00000000000..aaaa526247c --- /dev/null +++ b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml 
@@ -0,0 +1,147 @@ +[metadata] +creation_date = "2025/03/12" +integration = ["endpoint"] +maturity = "production" +updated_date = "2025/03/12" + +[rule] +author = ["Elastic"] +description = """ +This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, +tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, +or exploitation, and should be monitored closely within a container. +""" +false_positives = [ + """ + There is a potential for false positives if the container is used for legitimate tasks that require the use of + network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any + alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate + container activity. + """, +] +from = "now-9m" +index = ["logs-endpoint.events.process*"] +language = "eql" +license = "Elastic License v2" +name = "Suspicious Network Tool Launched Inside A Container" +references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"] +risk_score = 21 +rule_id = "7290be75-2e10-49ec-b387-d4ed55b920ff" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". 
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. + +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+""" +severity = "low" +tags = [ + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Command and Control", + "Tactic: Reconnaissance", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.entry_leader.entry_meta.type == "container" and process.name in ( + "nc.traditional", "nc", "ncat", "netcat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", + "mitmproxy", "socat", "zmap", "masscan", "zgrab" +) +''' +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Network Tool Launched Inside A Container + +Containers are lightweight, portable units that encapsulate applications and their dependencies, often used to ensure consistent environments across development and production. Adversaries exploit network tools within containers for reconnaissance or lateral movement, leveraging utilities like `nc` or `nmap` to map networks or intercept traffic. The detection rule identifies these tools' execution by monitoring process starts and arguments, flagging potential misuse for further investigation. + +### Possible investigation steps + +- Examine the process arguments to understand the specific command or options used, which may provide insight into the intent of the tool's execution. +- Check the container's creation and modification timestamps to determine if the container was recently deployed or altered, which could indicate suspicious activity. 
+- Investigate the user or service account associated with the process start event to assess if it aligns with expected behavior or if it might be compromised. +- Analyze network logs and traffic patterns from the container to identify any unusual outbound connections or data exfiltration attempts. +- Correlate the alert with other security events or logs from the same container or host to identify potential lateral movement or further malicious activity. + +### False positive analysis + +- Development and testing environments often use network tools for legitimate purposes such as debugging or network configuration. To manage this, create exceptions for containers identified as part of these environments by tagging them appropriately and excluding them from the rule. +- Automated scripts or orchestration tools may trigger network utilities for routine checks or maintenance tasks. Identify these scripts and whitelist their associated container IDs or process names to prevent false alerts. +- Some monitoring solutions deploy containers with built-in network tools for performance analysis. Verify the legitimacy of these containers and exclude them from the rule by using specific labels or container IDs. +- Containers used for educational or training purposes might intentionally run network tools. Ensure these containers are marked and excluded from detection by setting up rules based on their unique identifiers or labels. + +### Response and remediation + +- Immediately isolate the affected container to prevent further network reconnaissance or lateral movement. This can be done by restricting its network access or stopping the container entirely. +- Conduct a thorough review of the container's logs and process history to identify any unauthorized access or data exfiltration attempts. Focus on the execution of the flagged network utilities. +- Remove any unauthorized or suspicious network tools from the container to prevent further misuse. 
Ensure that only necessary and approved utilities are present. +- Patch and update the container image to address any vulnerabilities that may have been exploited. Rebuild and redeploy the container using the updated image. +- Implement network segmentation to limit the container's access to sensitive resources and reduce the potential impact of similar threats in the future. +- Enhance monitoring and alerting for the execution of network utilities within containers, ensuring that any future occurrences are detected promptly. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems or containers have been compromised.""" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml index 92116188fab..732545b5d3b 100644 --- a/rules/linux/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml 
@@ -2,9 +2,7 @@
 creation_date = "2023/08/30"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -18,35 +16,6 @@ index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious which Enumeration"
-risk_score = 21
-rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-process where host.os.type == "linux" and event.type == "start" and
- event.action in ("exec", "exec_event", "start") and
- process.name == "which" and process.args_count >= 10 and not (
- process.parent.name == "jem" or
- process.parent.executable like ("/vz/root/*", "/var/lib/docker/*") or
- process.args == "--tty-only"
- )
-
-/* potential tuning if rule would turn out to be noisy
-and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and
-process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
-*/
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -81,16 +50,48 @@ The `which` command in Linux environments is typically used to locate the execut
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised.
 - Implement enhanced monitoring and logging for the `which` command and similar enumeration tools to detect future misuse.
 - Review and update access controls and permissions to ensure that only authorized users have the ability to execute potentially sensitive commands and utilities."""
+risk_score = 21
+rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "linux" and event.type == "start" and
+ event.action in ("exec", "exec_event", "start") and
+ process.name == "which" and process.args_count >= 10 and not (
+ process.parent.name == "jem" or
+ process.parent.executable like ("/vz/root/*", "/var/lib/docker/*") or
+ process.args == "--tty-only"
+ )
+
+/* potential tuning if rule would turn out to be noisy
+and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and
+process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
+*/
+'''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml
index d0829ba736a..b43625cf4a5 100644
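Review bot: The tuning comment re-added on the new side of this hunk is missing the opening quote on `nc.traditional"`, so anyone who uncomments it to tighten the rule will get an EQL parse error instead of the intended filter; it should read `and process.args in ("nmap", "nc", "ncat", "netcat", "nc.traditional", "gcc", "g++", "socat") and`. The typo is carried over from the removed lines and is harmless while it sits inside the `/* */` block, but a commit that is already moving the query is the natural moment to correct it.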
--- a/rules/linux/discovery_yum_dnf_plugin_detection.toml
+++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/06/25"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,10 +12,48 @@ to search for YUM/DNF configurations and/or plugins with an enabled state. This
 attempting to establish persistence in a YUM or DNF plugin.
 """
 from = "now-9m"
-index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Yum/DNF Plugin Status Discovery"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Yum/DNF Plugin Status Discovery
+
+Yum and DNF are package managers for Linux, managing software installations and updates. They support plugins to extend functionality, which can be targeted by attackers to maintain persistence. Adversaries may use commands to identify active plugins, potentially altering them for malicious purposes. The detection rule identifies suspicious use of the `grep` command to search for plugin configurations, signaling possible reconnaissance or tampering attempts.
+
+### Possible investigation steps
+
+- Review the process execution details to confirm the presence of the `grep` command with arguments related to plugin configurations, such as `/etc/yum.conf` or `/etc/dnf/dnf.conf`, to verify the alert's accuracy.
+- Examine the user account associated with the process execution to determine if it is a legitimate user or potentially compromised account.
+- Check the system's command history for any preceding or subsequent commands executed by the same user to identify potential patterns or further suspicious activity.
+- Investigate any recent changes to the plugin configuration files located in directories like `/etc/yum/pluginconf.d/` or `/etc/dnf/plugins/` to detect unauthorized modifications.
+- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related malicious activity.
+
+### False positive analysis
+
+- System administrators or automated scripts may use the grep command to verify plugin configurations during routine maintenance. To handle this, create exceptions for known administrative scripts or user accounts that regularly perform these checks.
+- Security audits or compliance checks might involve scanning for plugin configurations to ensure they are correctly set up. Exclude these activities by identifying and whitelisting the specific processes or tools used for such audits.
+- Developers or IT staff might search for plugin configurations while troubleshooting or developing new features. Consider excluding processes initiated by trusted development environments or specific user groups involved in these activities.
+- Monitoring tools that perform regular checks on system configurations could trigger this rule. Identify these tools and add them to an exclusion list to prevent false alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent potential lateral movement by the attacker.
+- Terminate any suspicious processes related to the `grep` command that are actively searching for YUM/DNF plugin configurations.
+- Conduct a thorough review of the YUM and DNF plugin configuration files and directories for unauthorized changes or additions, specifically in the paths `/etc/yum.conf`, `/usr/lib/yum-plugins/*`, `/etc/yum/pluginconf.d/*`, `/usr/lib/python*/site-packages/dnf-plugins/*`, `/etc/dnf/plugins/*`, and `/etc/dnf/dnf.conf`.
+- Restore any altered plugin configurations from a known good backup to ensure system integrity.
+- Implement file integrity monitoring on the YUM and DNF configuration directories to detect future unauthorized changes.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised.
+- Review and update access controls and permissions for users and processes interacting with YUM and DNF configurations to minimize the risk of unauthorized access."""
 references = [
 "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb",
 "https://pwnshift.github.io/2020/10/01/persistence.html",
@@ -69,39 +105,6 @@ process where host.os.type == "linux" and event.type == "start" and
 "/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*", "/etc/dnf/dnf.conf" )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Yum/DNF Plugin Status Discovery
-
-Yum and DNF are package managers for Linux, managing software installations and updates. They support plugins to extend functionality, which can be targeted by attackers to maintain persistence. Adversaries may use commands to identify active plugins, potentially altering them for malicious purposes. The detection rule identifies suspicious use of the `grep` command to search for plugin configurations, signaling possible reconnaissance or tampering attempts.
-
-### Possible investigation steps
-
-- Review the process execution details to confirm the presence of the `grep` command with arguments related to plugin configurations, such as `/etc/yum.conf` or `/etc/dnf/dnf.conf`, to verify the alert's accuracy.
-- Examine the user account associated with the process execution to determine if it is a legitimate user or potentially compromised account.
-- Check the system's command history for any preceding or subsequent commands executed by the same user to identify potential patterns or further suspicious activity.
-- Investigate any recent changes to the plugin configuration files located in directories like `/etc/yum/pluginconf.d/` or `/etc/dnf/plugins/` to detect unauthorized modifications.
-- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related malicious activity.
-
-### False positive analysis
-
-- System administrators or automated scripts may use the grep command to verify plugin configurations during routine maintenance. To handle this, create exceptions for known administrative scripts or user accounts that regularly perform these checks.
-- Security audits or compliance checks might involve scanning for plugin configurations to ensure they are correctly set up. Exclude these activities by identifying and whitelisting the specific processes or tools used for such audits.
-- Developers or IT staff might search for plugin configurations while troubleshooting or developing new features. Consider excluding processes initiated by trusted development environments or specific user groups involved in these activities.
-- Monitoring tools that perform regular checks on system configurations could trigger this rule. Identify these tools and add them to an exclusion list to prevent false alerts.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent potential lateral movement by the attacker.
-- Terminate any suspicious processes related to the `grep` command that are actively searching for YUM/DNF plugin configurations.
-- Conduct a thorough review of the YUM and DNF plugin configuration files and directories for unauthorized changes or additions, specifically in the paths `/etc/yum.conf`, `/usr/lib/yum-plugins/*`, `/etc/yum/pluginconf.d/*`, `/usr/lib/python*/site-packages/dnf-plugins/*`, `/etc/dnf/plugins/*`, and `/etc/dnf/dnf.conf`.
-- Restore any altered plugin configurations from a known good backup to ensure system integrity.
-- Implement file integrity monitoring on the YUM and DNF configuration directories to detect future unauthorized changes.
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised.
-- Review and update access controls and permissions for users and processes interacting with YUM and DNF configurations to minimize the risk of unauthorized access."""
 [[rule.threat]]
diff --git a/rules/linux/execution_container_management_binary_launched_inside_container.toml b/rules/linux/execution_container_management_binary_launched_inside_container.toml
new file mode 100644
index 00000000000..0b005e34011
--- /dev/null
+++ b/rules/linux/execution_container_management_binary_launched_inside_container.toml
@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2025/03/12"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/03/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a container management binary is run from inside a container. These binaries are critical
+components of many containerized environments, and their presence and execution in unauthorized containers could
+indicate compromise or a misconfiguration.
+"""
+false_positives = [
+ """
+ There is a potential for false positives if the container is used for legitimate administrative tasks that require
+ the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is
+ important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity
+ or part of legitimate container activity.
+ """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Container Management Utility Run Inside A Container"
+risk_score = 21
+rule_id = "4b74d3b0-416e-4099-b432-677e1cd098cc"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "low"
+tags = [
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.entry_leader.entry_meta.type == "container" and
+process.name in ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl")
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Container Management Utility Run Inside A Container
+
+Container management utilities like Docker and Kubectl are essential for orchestrating and managing containerized applications. They facilitate tasks such as deployment, scaling, and networking. However, adversaries can exploit these tools to execute unauthorized commands within containers, potentially leading to system compromise. The detection rule identifies suspicious execution of these utilities within containers, signaling possible misuse or misconfiguration, by monitoring specific process activities and event types.
+
+### Possible investigation steps
+
+- Examine the process name and command line arguments to understand the context of the execution and identify any anomalies or unauthorized commands.
+- Check the user and permissions associated with the process to assess if it aligns with expected roles and access levels for container management tasks.
+- Investigate the container's creation and deployment history to identify any recent changes or deployments that could explain the presence of the management utility.
+- Analyze network activity associated with the container to detect any unusual connections or data transfers that might indicate malicious activity.
+- Correlate the event with other security alerts or logs to identify patterns or related incidents that could provide additional context or evidence of compromise.
+
+### False positive analysis
+
+- Routine maintenance tasks within containers can trigger the rule. Exclude known maintenance scripts or processes by adding them to an allowlist if they frequently execute container management utilities.
+- Development and testing environments often run container management commands for legitimate purposes. Consider excluding these environments from monitoring or adjust the rule to focus on production environments only.
+- Automated deployment tools may execute container management commands as part of their workflow. Identify these tools and create exceptions for their activities to prevent false positives.
+- System updates or patches might involve running container management utilities. Monitor update schedules and temporarily adjust the rule to avoid unnecessary alerts during these periods.
+- Legitimate administrative actions by authorized personnel can trigger the rule. Implement user-based exceptions for known administrators to reduce false positives while maintaining security oversight.
+
+### Response and remediation
+
+- Immediately isolate the affected container to prevent further unauthorized access or execution of commands. This can be done by stopping the container or disconnecting it from the network.
+- Review the container's configuration and access controls to identify any misconfigurations or unauthorized access permissions that may have allowed the execution of container management utilities.
+- Conduct a thorough analysis of the container's logs and process activities to determine the extent of the compromise and identify any additional malicious activities or lateral movement attempts.
+- Remove any unauthorized or suspicious binaries and scripts from the container to prevent further exploitation.
+- Patch and update the container image and underlying host system to address any known vulnerabilities that may have been exploited.
+- Implement stricter access controls and monitoring on container management utilities to ensure they are only accessible by authorized users and processes.
+- Escalate the incident to the security operations team for further investigation and to assess the need for broader security measures across the container environment."""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
index 75fb1e6c1b5..9378a392cbb 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/09/27"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -110,6 +108,7 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "eql"
+
 query = '''
 sequence by host.id with maxspan=10s
 [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and
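Review bot: `systemd` in the `process.name` list of the new query is not a container management utility, and in containers that boot systemd as their init it is likely to exec on every container start, so the rule as written will fire on benign workloads that the `false_positives` entry never mentions. I would drop it from the list, or at minimum name systemd-init containers in `false_positives`, so the alert stays tied to `docker`/`kubectl`/`crictl`/`runc`/`containerd`, which presumably only appear in a container's process tree when a runtime binary or socket has been mounted in. The investigation steps would also benefit from an explicit check for a mounted `/var/run/docker.sock` or shared host PID namespace, since that is what lets these binaries do anything from inside a container and is the main thing separating a misconfiguration from a compromise here; something like `- Check whether the container has the Docker/containerd socket or the host PID namespace mounted, which would let these utilities act on the host.` after the permissions step.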
@@ -119,15 +118,17 @@ sequence by host.id with maxspan=10s
 not (process.name == "gs" and file.path like "/tmp/gs_*")] by process.parent.entity_id
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
index 2a9e3882054..9a89825b302 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
@@ -2,21 +2,24 @@
 creation_date = "2024/09/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
 This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
-CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the foomatic-rip
-parent process. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing
-remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network
-spoofing. This can result in arbitrary command execution when a print job is initiated.
+CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the
+foomatic-rip parent process. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip,
+allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or
+network spoofing. This can result in arbitrary command execution when a print job is initiated.
 """
 from = "now-9m"
-index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Cupsd or Foomatic-rip Shell Execution"
@@ -113,6 +116,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name == "foomatic-rip" and
@@ -125,15 +129,17 @@ process where host.os.type == "linux" and event.type == "start" and
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
index baff7f2d5ac..21393246708 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/09/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,7 +15,12 @@ through crafted UDP packets or network spoofing. This can result in arbitrary co
 initiated.
 """
 from = "now-9m"
-index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution from Foomatic-rip or Cupsd Parent"
@@ -114,6 +117,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name in ("foomatic-rip", "cupsd") and process.command_line like (
@@ -141,15 +145,17 @@ process.parent.name in ("foomatic-rip", "cupsd") and process.command_line like (
 ) and not process.args like "gs*"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml
new file mode 100644
index 00000000000..04e8710762d
--- /dev/null
+++ b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml
@@ -0,0 +1,128 @@
+[metadata]
+creation_date = "2025/03/12"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/03/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when chmod or chown are used to add the execute permission to a file inside a container. Modifying file
+permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized
+or malicious code inside the container.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "File Made Executable via Chmod Inside A Container"
+risk_score = 21
+rule_id = "30d94e59-e5c7-4828-bc4f-f5809ad1ffe1"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "low"
+tags = [
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.entry_leader.entry_meta.type == "container" and process.name in ("chmod", "chown") and
+process.args in ("4755", "755", "000", "777", "444", "-x", "+x")
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating File Made Executable via Chmod Inside A Container
+
+Containers provide isolated environments for running applications, often on Linux systems. 
The `chmod` command is used to change file permissions, including making files executable. Adversaries may exploit this by altering permissions to execute unauthorized scripts or binaries, potentially leading to malicious activity. The detection rule identifies such actions by monitoring for `chmod` usage that grants execute permissions, focusing on specific permission patterns, and excluding benign cases. This helps in identifying potential threats where attackers attempt to execute unauthorized code within containers.
+
+### Possible investigation steps
+
+- Examine the process arguments to determine the exact permissions that were set and identify the file that was made executable.
+- Investigate the origin of the `chmod` command by reviewing the process tree to understand which parent process initiated it and whether it aligns with expected behavior.
+- Check the user account or service account that executed the `chmod` command to assess if it has legitimate access and reason to modify file permissions.
+- Analyze the file that was made executable to determine its contents and origin, checking for any signs of unauthorized or malicious code.
+- Correlate this event with other logs or alerts from the same container to identify any patterns or additional suspicious activities that might indicate a broader attack.
+
+### False positive analysis
+
+- Routine maintenance scripts or automated processes may use chmod to set execute permissions on files within containers. To handle these, identify and whitelist specific scripts or processes that are known to be safe and necessary for operations.
+- Development environments often involve frequent changes to file permissions as developers test and deploy code. Consider excluding specific container IDs or paths associated with development environments to reduce noise.
+- Some container orchestration tools might use chmod as part of their normal operation. 
Review the processes and arguments associated with these tools and create exceptions for known benign activities. +- System updates or package installations within containers might trigger this rule. Monitor and document regular update schedules and processes, and exclude these from triggering alerts if they are verified as non-threatening. +- If certain users or roles are responsible for legitimate permission changes, consider excluding their activities by user ID or role, ensuring that these exclusions are well-documented and reviewed regularly. + +### Response and remediation + +- Immediately isolate the affected container to prevent further execution of unauthorized code. This can be done by stopping the container or disconnecting it from the network. +- Conduct a thorough review of the container's file system to identify any unauthorized or suspicious files that have been made executable. Remove or quarantine these files as necessary. +- Analyze the container's logs to trace the source of the `chmod` command and determine if there are any other indicators of compromise or related malicious activities. +- If the unauthorized execution is confirmed, assess the potential impact on the host system and other containers. Implement additional security measures, such as enhanced monitoring or network segmentation, to protect other assets. +- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign. +- Review and update container security policies to prevent unauthorized permission changes, such as implementing stricter access controls and using security tools that enforce policy compliance. 
+- Enhance detection capabilities by configuring alerts for similar suspicious activities, ensuring that any future attempts to modify file permissions within containers are promptly identified and addressed."""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1222.002"
+name = "Linux and Mac File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/002/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
index 6f29f3951b8..ba6fb226b66 100644
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
+++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
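Review bot: Dropping `min_stack_version = "8.13.0"` together with its `min_stack_comments` removes the gate that kept this rule off stacks predating the SentinelOne integration's breaking change; the same removal appears in the `@@ -2,9 +2,7 @@` hunks of execution_interpreter_tty_upgrade.toml, execution_nc_listener_via_rlwrap.toml, execution_potential_hack_tool_executed.toml, execution_process_backgrounded_by_unusual_parent.toml and execution_python_tty_shell.toml. This is only safe if the oldest stack this branch still targets is at or above 8.13.0; the lock-versions default in this change now starting at 8.14 suggests that is the intent, but it is an inference from a workflow default rather than anything stated in these rule files. If any of these rules is still backported to an 8.12 or 8.13 branch, the field should stay there, and the reason for removing it here is worth recording so the gate is not re-added piecemeal.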
@@ -21,7 +19,12 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "auditbeat-*",
+ "logs-endpoint.events.network*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "File Transfer or Listener Established via Netcat"
diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml
index 1d9edd02b53..a163537237f 100644
--- a/rules/linux/execution_interpreter_tty_upgrade.toml
+++ b/rules/linux/execution_interpreter_tty_upgrade.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/20"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,10 +12,48 @@ simple reverse shell to a fully interactive tty after obtaining initial access t stable connection. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Upgrade of Non-interactive Shell" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Upgrade of Non-interactive Shell + +In Linux environments, attackers often seek to enhance a basic reverse shell to a fully interactive shell to gain a more robust foothold. This involves using tools like `stty` or `script` to manipulate terminal settings, enabling features like command history and job control. The detection rule identifies such activities by monitoring specific process executions and arguments, flagging potential misuse indicative of an upgrade attempt. + +### Possible investigation steps + +- Review the process execution details to confirm the presence of `stty` or `script` commands with the specific arguments outlined in the detection rule, such as `stty raw -echo` or `script -qc /dev/null`. +- Examine the parent process of the flagged `stty` or `script` command to determine how the shell was initially spawned and identify any potentially malicious scripts or binaries. +- Check the user account associated with the process execution to assess if it aligns with expected user behavior or if it indicates potential compromise. 
+- Investigate the network connections associated with the host at the time of the alert to identify any suspicious remote connections that could be indicative of a reverse shell. +- Review historical process execution and login records for the user and host to identify any patterns of suspicious activity or previous attempts to establish a reverse shell. + +### False positive analysis + +- System administrators or legitimate users may use stty or script commands for routine maintenance or troubleshooting, which can trigger the rule. To manage this, create exceptions for known user accounts or specific maintenance windows. +- Automated scripts or cron jobs that utilize stty or script for legitimate purposes might be flagged. Review these scripts and whitelist them by process hash or command line pattern to prevent false positives. +- Development environments where developers frequently use stty or script for testing purposes can generate alerts. Consider excluding specific development machines or user groups from the rule to reduce noise. +- Monitoring tools or security solutions that simulate shell upgrades for testing or auditing purposes may inadvertently trigger the rule. Identify these tools and add them to an exception list based on their process name or execution path. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement by the attacker. +- Terminate any suspicious processes identified by the detection rule, specifically those involving `stty` or `script` with the flagged arguments, to disrupt the attacker's attempt to upgrade the shell. +- Conduct a thorough review of the affected system's logs and process history to identify any additional malicious activities or compromised accounts. +- Reset credentials for any user accounts that were active during the time of the alert to prevent unauthorized access using potentially compromised credentials. 
+- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited by the attacker. +- Enhance monitoring and logging on the affected host and similar systems to detect any future attempts to upgrade non-interactive shells or other suspicious activities. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.""" risk_score = 47 rule_id = "84d1f8db-207f-45ab-a578-921d91c23eb2" setup = """## Setup 
@@ -69,39 +105,6 @@ process where host.os.type == "linux" and event.type == "start" and process.args_count == 4) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Upgrade of Non-interactive Shell - -In Linux environments, attackers often seek to enhance a basic reverse shell to a fully interactive shell to gain a more robust foothold. This involves using tools like `stty` or `script` to manipulate terminal settings, enabling features like command history and job control. The detection rule identifies such activities by monitoring specific process executions and arguments, flagging potential misuse indicative of an upgrade attempt. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of `stty` or `script` commands with the specific arguments outlined in the detection rule, such as `stty raw -echo` or `script -qc /dev/null`. -- Examine the parent process of the flagged `stty` or `script` command to determine how the shell was initially spawned and identify any potentially malicious scripts or binaries. -- Check the user account associated with the process execution to assess if it aligns with expected user behavior or if it indicates potential compromise. -- Investigate the network connections associated with the host at the time of the alert to identify any suspicious remote connections that could be indicative of a reverse shell. -- Review historical process execution and login records for the user and host to identify any patterns of suspicious activity or previous attempts to establish a reverse shell. 
- -### False positive analysis - -- System administrators or legitimate users may use stty or script commands for routine maintenance or troubleshooting, which can trigger the rule. To manage this, create exceptions for known user accounts or specific maintenance windows. -- Automated scripts or cron jobs that utilize stty or script for legitimate purposes might be flagged. Review these scripts and whitelist them by process hash or command line pattern to prevent false positives. -- Development environments where developers frequently use stty or script for testing purposes can generate alerts. Consider excluding specific development machines or user groups from the rule to reduce noise. -- Monitoring tools or security solutions that simulate shell upgrades for testing or auditing purposes may inadvertently trigger the rule. Identify these tools and add them to an exception list based on their process name or execution path. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement by the attacker. -- Terminate any suspicious processes identified by the detection rule, specifically those involving `stty` or `script` with the flagged arguments, to disrupt the attacker's attempt to upgrade the shell. -- Conduct a thorough review of the affected system's logs and process history to identify any additional malicious activities or compromised accounts. -- Reset credentials for any user accounts that were active during the time of the alert to prevent unauthorized access using potentially compromised credentials. -- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited by the attacker. -- Enhance monitoring and logging on the affected host and similar systems to detect any future attempts to upgrade non-interactive shells or other suspicious activities. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected."""
 [[rule.threat]]
diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml
index d30212828a0..821967f8801 100644
--- a/rules/linux/execution_nc_listener_via_rlwrap.toml
+++ b/rules/linux/execution_nc_listener_via_rlwrap.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -21,10 +19,49 @@ false_positives = [ """, ] from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Netcat Listener Established via rlwrap" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Netcat Listener Established via rlwrap + +Netcat, a versatile networking tool, can establish connections for data transfer or remote shell access. When combined with rlwrap, which enhances command-line input, it can create a more stable reverse shell environment. Adversaries exploit this to maintain persistent access. The detection rule identifies such misuse by monitoring rlwrap's execution with netcat-related arguments, signaling potential unauthorized activity. + +### Possible investigation steps + +- Review the process execution details to confirm the presence of rlwrap with netcat-related arguments by examining the process.name and process.args fields. +- Check the process start time and correlate it with any known scheduled tasks or user activity to determine if the execution was expected or authorized. +- Investigate the source IP address and port used in the netcat connection to identify potential external connections or data exfiltration attempts. +- Analyze the user account associated with the process execution to verify if the account has a history of similar activities or if it has been compromised. 
+- Examine any related network traffic logs to identify unusual patterns or connections that coincide with the alert, focusing on the host where the process was executed. +- Look for any additional processes spawned by the netcat listener to detect further malicious activity or persistence mechanisms. + +### False positive analysis + +- Development and testing environments may frequently use rlwrap with netcat for legitimate purposes, such as testing network applications or scripts. To manage this, create exceptions for specific user accounts or IP addresses known to be involved in development activities. +- System administrators might use rlwrap with netcat for troubleshooting or network diagnostics. Identify and exclude these activities by setting up rules that recognize the specific command patterns or user roles associated with administrative tasks. +- Automated scripts or cron jobs that utilize rlwrap and netcat for routine maintenance or monitoring can trigger false positives. Review and whitelist these scripts by their unique process identifiers or command structures to prevent unnecessary alerts. +- Educational or training environments where rlwrap and netcat are used for learning purposes can generate alerts. Implement exceptions based on the environment's network segment or user group to reduce noise from these benign activities. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration. +- Terminate the rlwrap and netcat processes on the affected host to disrupt the reverse shell connection. +- Conduct a forensic analysis of the affected system to identify any additional malicious activities or persistence mechanisms. +- Review and secure any compromised accounts or credentials that may have been used or accessed during the incident. +- Apply security patches and updates to the affected system to mitigate any exploited vulnerabilities. 
+- Enhance monitoring and logging on the affected host and network to detect similar activities in the future. +- Report the incident to the appropriate internal security team or external authorities if required, following organizational protocols.""" risk_score = 21 rule_id = "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5" setup = """## Setup 
@@ -74,40 +111,6 @@ process where host.os.type == "linux" and event.type == "start" and process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and process.args : "*l*" and process.args_count >= 4 ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Netcat Listener Established via rlwrap - -Netcat, a versatile networking tool, can establish connections for data transfer or remote shell access. When combined with rlwrap, which enhances command-line input, it can create a more stable reverse shell environment. Adversaries exploit this to maintain persistent access. The detection rule identifies such misuse by monitoring rlwrap's execution with netcat-related arguments, signaling potential unauthorized activity. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of rlwrap with netcat-related arguments by examining the process.name and process.args fields. -- Check the process start time and correlate it with any known scheduled tasks or user activity to determine if the execution was expected or authorized. -- Investigate the source IP address and port used in the netcat connection to identify potential external connections or data exfiltration attempts. -- Analyze the user account associated with the process execution to verify if the account has a history of similar activities or if it has been compromised. -- Examine any related network traffic logs to identify unusual patterns or connections that coincide with the alert, focusing on the host where the process was executed. 
-- Look for any additional processes spawned by the netcat listener to detect further malicious activity or persistence mechanisms. - -### False positive analysis - -- Development and testing environments may frequently use rlwrap with netcat for legitimate purposes, such as testing network applications or scripts. To manage this, create exceptions for specific user accounts or IP addresses known to be involved in development activities. -- System administrators might use rlwrap with netcat for troubleshooting or network diagnostics. Identify and exclude these activities by setting up rules that recognize the specific command patterns or user roles associated with administrative tasks. -- Automated scripts or cron jobs that utilize rlwrap and netcat for routine maintenance or monitoring can trigger false positives. Review and whitelist these scripts by their unique process identifiers or command structures to prevent unnecessary alerts. -- Educational or training environments where rlwrap and netcat are used for learning purposes can generate alerts. Implement exceptions based on the environment's network segment or user group to reduce noise from these benign activities. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration. -- Terminate the rlwrap and netcat processes on the affected host to disrupt the reverse shell connection. -- Conduct a forensic analysis of the affected system to identify any additional malicious activities or persistence mechanisms. -- Review and secure any compromised accounts or credentials that may have been used or accessed during the incident. -- Apply security patches and updates to the affected system to mitigate any exploited vulnerabilities. -- Enhance monitoring and logging on the affected host and network to detect similar activities in the future. 
-- Report the incident to the appropriate internal security team or external authorities if required, following organizational protocols."""
 [[rule.threat]]
diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml
index 639aac82354..c3d550b7b8b 100644
--- a/rules/linux/execution_potential_hack_tool_executed.toml
+++ b/rules/linux/execution_potential_hack_tool_executed.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,10 +12,52 @@ this rule should be investigated further, as hack tools are commonly used by blu well. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Linux Hack Tool Launched" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Linux Hack Tool Launched + +Linux environments often utilize various tools for system administration and security testing. While these tools serve legitimate purposes, adversaries can exploit them for malicious activities, such as unauthorized access or data exfiltration. The detection rule identifies suspicious process executions linked to known hacking tools, flagging potential misuse by monitoring specific process names and actions indicative of exploitation attempts. + +### Possible investigation steps + +- Review the process name that triggered the alert to determine if it matches any known hacking tools listed in the query, such as "crackmapexec" or "sqlmap". +- Check the user account associated with the process execution to assess if it is a legitimate user or potentially compromised. +- Investigate the source and destination IP addresses involved in the process execution to identify any unusual or unauthorized network activity. 
+- Examine the command line arguments used during the process execution to understand the intent and scope of the activity. +- Correlate the event with other logs or alerts from the same host to identify any patterns or additional suspicious activities. +- Verify if the process execution aligns with any scheduled tasks or known administrative activities to rule out false positives. + +### False positive analysis + +- System administrators and security teams often use tools like "john", "hashcat", and "hydra" for legitimate security testing and password recovery. To reduce false positives, create exceptions for these tools when used by authorized personnel or during scheduled security assessments. +- Blue team exercises may involve the use of exploitation frameworks such as "msfconsole" and "msfvenom". Implement a process to whitelist these activities when they are part of a sanctioned security drill. +- Network scanning tools like "zenmap" and "nuclei" are frequently used for network mapping and vulnerability assessments. Establish a baseline of normal usage patterns and exclude these from alerts when they match expected behavior. +- Web enumeration tools such as "gobuster" and "dirbuster" might be used by web developers for testing purposes. Coordinate with development teams to identify legitimate use cases and exclude these from triggering alerts. +- Regularly review and update the list of excluded processes to ensure that only non-threatening activities are exempted, maintaining a balance between security and operational efficiency. + +### Response and remediation + +- Immediately isolate the affected Linux host from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious processes identified by the alert, such as those listed in the detection query, to halt potential malicious activities. 
+- Conduct a thorough review of system logs and process execution history to identify any additional indicators of compromise or lateral movement attempts. +- Restore the affected system from a known good backup if any unauthorized changes or data exfiltration are confirmed. +- Update and patch all software and applications on the affected host to mitigate vulnerabilities that could be exploited by the identified tools. +- Implement stricter access controls and monitoring on the affected host to prevent unauthorized execution of potentially malicious tools in the future. +- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.""" risk_score = 47 rule_id = "1df1152b-610a-4f48-9d7a-504f6ee5d9da" setup = """## Setup @@ -61,6 +101,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and 
@@ -82,41 +123,7 @@ process.name in~ ( "linux-exploit-suggester-2.pl", "linux-exploit-suggester.sh", "panix.sh" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Linux Hack Tool Launched - -Linux environments often utilize various tools for system administration and security testing. While these tools serve legitimate purposes, adversaries can exploit them for malicious activities, such as unauthorized access or data exfiltration. The detection rule identifies suspicious process executions linked to known hacking tools, flagging potential misuse by monitoring specific process names and actions indicative of exploitation attempts. - -### Possible investigation steps - -- Review the process name that triggered the alert to determine if it matches any known hacking tools listed in the query, such as "crackmapexec" or "sqlmap". -- Check the user account associated with the process execution to assess if it is a legitimate user or potentially compromised. -- Investigate the source and destination IP addresses involved in the process execution to identify any unusual or unauthorized network activity. -- Examine the command line arguments used during the process execution to understand the intent and scope of the activity. -- Correlate the event with other logs or alerts from the same host to identify any patterns or additional suspicious activities. -- Verify if the process execution aligns with any scheduled tasks or known administrative activities to rule out false positives. 
-### False positive analysis - -- System administrators and security teams often use tools like "john", "hashcat", and "hydra" for legitimate security testing and password recovery. To reduce false positives, create exceptions for these tools when used by authorized personnel or during scheduled security assessments. -- Blue team exercises may involve the use of exploitation frameworks such as "msfconsole" and "msfvenom". Implement a process to whitelist these activities when they are part of a sanctioned security drill. -- Network scanning tools like "zenmap" and "nuclei" are frequently used for network mapping and vulnerability assessments. Establish a baseline of normal usage patterns and exclude these from alerts when they match expected behavior. -- Web enumeration tools such as "gobuster" and "dirbuster" might be used by web developers for testing purposes. Coordinate with development teams to identify legitimate use cases and exclude these from triggering alerts. -- Regularly review and update the list of excluded processes to ensure that only non-threatening activities are exempted, maintaining a balance between security and operational efficiency. - -### Response and remediation - -- Immediately isolate the affected Linux host from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious processes identified by the alert, such as those listed in the detection query, to halt potential malicious activities. -- Conduct a thorough review of system logs and process execution history to identify any additional indicators of compromise or lateral movement attempts. -- Restore the affected system from a known good backup if any unauthorized changes or data exfiltration are confirmed. -- Update and patch all software and applications on the affected host to mitigate vulnerabilities that could be exploited by the identified tools. 
-- Implement stricter access controls and monitoring on the affected host to prevent unauthorized execution of potentially malicious tools in the future.
-- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -125,3 +132,4 @@ framework = "MITRE ATT&CK"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml
index e1a637a857b..f1e7ef3bd9e 100644
--- a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml
+++ b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml
@@ -2,18 +2,21 @@
 creation_date = "2025/01/29"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/29"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-This rule identifies processes that are backgrounded by an unusual parent process. This behavior may indicate
-a process attempting to evade detection by hiding its parent process.
+This rule identifies processes that are backgrounded by an unusual parent process. This behavior may indicate a process
+attempting to evade detection by hiding its parent process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.process*",
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "kuery"
 license = "Elastic License v2"
 name = "Process Backgrounded by Unusual Parent"
@@ -105,6 +108,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" + query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:(ProcessRollup2 or exec or exec_event or start) and @@ -112,36 +116,37 @@ process.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and process.args:(-c and *&) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 840ce3b7edb..959180badda 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,40 @@ index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_ language = "eql" license = "Elastic License v2" name = "Interactive Terminal Spawned via Python" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Interactive Terminal Spawned via Python + +Python's ability to spawn interactive terminals is a powerful feature often used for legitimate administrative tasks. However, adversaries can exploit this to escalate a basic reverse shell into a fully interactive terminal, enhancing their control over a compromised system. The detection rule identifies such abuse by monitoring processes where Python spawns a shell, focusing on specific patterns in process arguments and parent-child process relationships, indicating potential malicious activity. + +### Possible investigation steps + +- Review the process tree to understand the parent-child relationship, focusing on the parent process named "python*" and the child process that is a shell (e.g., bash, sh, zsh). +- Examine the command-line arguments of the parent Python process to identify the use of "pty.spawn" and the presence of the "-c" flag, which may indicate an attempt to spawn an interactive terminal. +- Check the process start event details, including the timestamp and user context, to determine if the activity aligns with expected administrative tasks or if it appears suspicious. +- Investigate the source IP address and user account associated with the process to assess if they are known and authorized entities within the network. 
+- Look for any related alerts or logs that might indicate prior suspicious activity, such as initial access vectors or other execution attempts, to build a timeline of events. +- Correlate this activity with any recent changes or incidents reported on the host to determine if this is part of a larger attack or an isolated event. + +### False positive analysis + +- Administrative scripts or automation tools that use Python to manage system processes may trigger this rule. To handle this, identify and whitelist specific scripts or tools that are known to perform legitimate tasks. +- Developers or system administrators using Python for interactive debugging or system management might inadvertently match the rule's criteria. Consider excluding processes initiated by trusted user accounts or within specific directories associated with development or administration. +- Scheduled tasks or cron jobs that utilize Python to execute shell commands could be mistaken for malicious activity. Review and exclude these tasks by specifying their unique process arguments or parent-child process relationships. +- Security tools or monitoring solutions that leverage Python for executing shell commands as part of their normal operation may also trigger this rule. Identify these tools and create exceptions based on their process signatures or execution context. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement. +- Terminate any suspicious Python processes identified in the alert, especially those spawning shell processes, to disrupt the attacker's control. +- Conduct a thorough review of the affected system for any additional signs of compromise, such as unauthorized user accounts, scheduled tasks, or modified system files. +- Reset credentials for any accounts accessed from the compromised host to prevent further unauthorized access. 
+- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. +- Enhance monitoring and logging on the affected host and network to detect any similar activities in the future, focusing on process creation and network connections. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.""" risk_score = 73 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f" setup = """## Setup 
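Review bot: The relocated investigation guide's fourth step asks the analyst to "Investigate the source IP address and user account associated with the process", but this rule matches process start events, which carry no source address, so the step points at a field the alert does not have. Suggest rewording it to pivot instead, e.g. `- Investigate the user account associated with the process, and pivot to any network events recorded for the same session or process to identify the remote peer and assess whether it is a known and authorized entity.` The note is moved rather than new in this commit, so the same wording also exists on the removed side. The query the guide describes is outside this hunk.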
@@ -67,40 +99,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action "fish") and process.args : "*sh" and process.args_count == 1 and process.parent.args_count == 1) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Interactive Terminal Spawned via Python - -Python's ability to spawn interactive terminals is a powerful feature often used for legitimate administrative tasks. However, adversaries can exploit this to escalate a basic reverse shell into a fully interactive terminal, enhancing their control over a compromised system. The detection rule identifies such abuse by monitoring processes where Python spawns a shell, focusing on specific patterns in process arguments and parent-child process relationships, indicating potential malicious activity. - -### Possible investigation steps - -- Review the process tree to understand the parent-child relationship, focusing on the parent process named "python*" and the child process that is a shell (e.g., bash, sh, zsh). -- Examine the command-line arguments of the parent Python process to identify the use of "pty.spawn" and the presence of the "-c" flag, which may indicate an attempt to spawn an interactive terminal. -- Check the process start event details, including the timestamp and user context, to determine if the activity aligns with expected administrative tasks or if it appears suspicious. -- Investigate the source IP address and user account associated with the process to assess if they are known and authorized entities within the network. 
-- Look for any related alerts or logs that might indicate prior suspicious activity, such as initial access vectors or other execution attempts, to build a timeline of events. -- Correlate this activity with any recent changes or incidents reported on the host to determine if this is part of a larger attack or an isolated event. - -### False positive analysis - -- Administrative scripts or automation tools that use Python to manage system processes may trigger this rule. To handle this, identify and whitelist specific scripts or tools that are known to perform legitimate tasks. -- Developers or system administrators using Python for interactive debugging or system management might inadvertently match the rule's criteria. Consider excluding processes initiated by trusted user accounts or within specific directories associated with development or administration. -- Scheduled tasks or cron jobs that utilize Python to execute shell commands could be mistaken for malicious activity. Review and exclude these tasks by specifying their unique process arguments or parent-child process relationships. -- Security tools or monitoring solutions that leverage Python for executing shell commands as part of their normal operation may also trigger this rule. Identify these tools and create exceptions based on their process signatures or execution context. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement. -- Terminate any suspicious Python processes identified in the alert, especially those spawning shell processes, to disrupt the attacker's control. -- Conduct a thorough review of the affected system for any additional signs of compromise, such as unauthorized user accounts, scheduled tasks, or modified system files. -- Reset credentials for any accounts accessed from the compromised host to prevent further unauthorized access. 
-- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. -- Enhance monitoring and logging on the affected host and network to detect any similar activities in the future, focusing on process creation and network connections. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/linux/execution_python_webserver_spawned.toml b/rules/linux/execution_python_webserver_spawned.toml index a5c56cdcd63..a045f2f860e 100644 --- a/rules/linux/execution_python_webserver_spawned.toml +++ b/rules/linux/execution_python_webserver_spawned.toml @@ -2,9 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,10 +11,50 @@ This rule identifies when a web server is spawned via Python. Attackers may use exfiltrate/infiltrate data or to move laterally within a network. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Web Server Spawned via Python" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Web Server Spawned via Python + +Python's built-in HTTP server module allows quick web server deployment, often used for testing or file sharing. Adversaries exploit this to exfiltrate data or facilitate lateral movement within networks. The detection rule identifies processes starting a Python-based server, focusing on command patterns and shell usage, to flag potential misuse on Linux systems. + +### Possible investigation steps + +- Review the process details to confirm the presence of a Python-based web server by checking the process name and arguments, specifically looking for "python" with "http.server" or "SimpleHTTPServer". +- Investigate the user account associated with the process to determine if it is a known or expected user for running such services. +- Examine the command line used to start the process for any unusual or suspicious patterns, especially if it involves shell usage like "bash" or "sh" with the command line containing "python -m http.server". 
+- Check the network activity from the host to identify any unusual outbound connections or data transfers that could indicate data exfiltration. +- Correlate the event with other logs or alerts from the same host to identify any preceding or subsequent suspicious activities that might suggest lateral movement or further exploitation attempts. +- Assess the host's security posture and recent changes to determine if there are any vulnerabilities or misconfigurations that could have been exploited to spawn the web server. + +### False positive analysis + +- Development and testing environments often use Python's HTTP server for legitimate purposes such as serving static files or testing web applications. To manage this, create exceptions for known development servers by excluding specific hostnames or IP addresses. +- Automated scripts or cron jobs may start a Python web server for routine tasks like file distribution within a controlled environment. Identify these scripts and exclude their execution paths or user accounts from the detection rule. +- Educational or training sessions might involve participants using Python's HTTP server to learn web technologies. Exclude these activities by setting time-based exceptions during scheduled training periods. +- System administrators might use Python's HTTP server for quick file transfers or troubleshooting. Document these use cases and exclude the associated user accounts or process command lines from triggering alerts. +- Internal tools or utilities developed in-house may rely on Python's HTTP server for functionality. Review these tools and exclude their specific command patterns or execution contexts from the detection rule. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further data exfiltration or lateral movement. +- Terminate the suspicious Python process identified by the detection rule to stop the unauthorized web server. 
+- Conduct a forensic analysis of the affected system to identify any data that may have been accessed or exfiltrated and to determine the initial access vector. +- Review and secure any exposed credentials or sensitive data that may have been compromised during the incident. +- Apply patches and updates to the affected system and any related software to mitigate vulnerabilities that may have been exploited. +- Implement network segmentation to limit the ability of unauthorized processes to communicate across the network. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation and recovery actions are taken.""" risk_score = 21 rule_id = "99c2b626-de44-4322-b1f9-157ca408c17e" setup = """## Setup @@ -58,6 +96,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and 
@@ -69,69 +108,35 @@ process where host.os.type == "linux" and event.type == "start" and ) ) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Web Server Spawned via Python - -Python's built-in HTTP server module allows quick web server deployment, often used for testing or file sharing. Adversaries exploit this to exfiltrate data or facilitate lateral movement within networks. The detection rule identifies processes starting a Python-based server, focusing on command patterns and shell usage, to flag potential misuse on Linux systems. - -### Possible investigation steps - -- Review the process details to confirm the presence of a Python-based web server by checking the process name and arguments, specifically looking for "python" with "http.server" or "SimpleHTTPServer". -- Investigate the user account associated with the process to determine if it is a known or expected user for running such services. -- Examine the command line used to start the process for any unusual or suspicious patterns, especially if it involves shell usage like "bash" or "sh" with the command line containing "python -m http.server". -- Check the network activity from the host to identify any unusual outbound connections or data transfers that could indicate data exfiltration. -- Correlate the event with other logs or alerts from the same host to identify any preceding or subsequent suspicious activities that might suggest lateral movement or further exploitation attempts. -- Assess the host's security posture and recent changes to determine if there are any vulnerabilities or misconfigurations that could have been exploited to spawn the web server. 
- -### False positive analysis - -- Development and testing environments often use Python's HTTP server for legitimate purposes such as serving static files or testing web applications. To manage this, create exceptions for known development servers by excluding specific hostnames or IP addresses. -- Automated scripts or cron jobs may start a Python web server for routine tasks like file distribution within a controlled environment. Identify these scripts and exclude their execution paths or user accounts from the detection rule. -- Educational or training sessions might involve participants using Python's HTTP server to learn web technologies. Exclude these activities by setting time-based exceptions during scheduled training periods. -- System administrators might use Python's HTTP server for quick file transfers or troubleshooting. Document these use cases and exclude the associated user accounts or process command lines from triggering alerts. -- Internal tools or utilities developed in-house may rely on Python's HTTP server for functionality. Review these tools and exclude their specific command patterns or execution contexts from the detection rule. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further data exfiltration or lateral movement. -- Terminate the suspicious Python process identified by the detection rule to stop the unauthorized web server. -- Conduct a forensic analysis of the affected system to identify any data that may have been accessed or exfiltrated and to determine the initial access vector. -- Review and secure any exposed credentials or sensitive data that may have been compromised during the incident. -- Apply patches and updates to the affected system and any related software to mitigate vulnerabilities that may have been exploited. -- Implement network segmentation to limit the ability of unauthorized processes to communicate across the network. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation and recovery actions are taken.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.006" name = "Python" reference = "https://attack.mitre.org/techniques/T1059/006/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" + [rule.threat.tactic] -name = "Lateral Movement" id = "TA0008" +name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml index c91ef9fb642..30f4cebcb1e 100644 --- a/rules/linux/execution_shell_openssl_client_or_server.toml +++ b/rules/linux/execution_shell_openssl_client_or_server.toml 
@@ -2,22 +2,54 @@ creation_date = "2024/07/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ This rule identifies when the openssl client or server is used to establish a connection. Attackers may use openssl to -establish a secure connection to a remote server or to create a secure server to receive connections. This activity -may be used to exfiltrate data or establish a command and control channel. +establish a secure connection to a remote server or to create a secure server to receive connections. This activity may +be used to exfiltrate data or establish a command and control channel. """ from = "now-9m" index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Openssl Client or Server Activity" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Openssl Client or Server Activity + +OpenSSL is a widely-used toolkit for implementing secure communication via SSL/TLS protocols. In Linux environments, it can function as a client or server to encrypt data transmissions. Adversaries may exploit OpenSSL to establish encrypted channels for data exfiltration or command and control. The detection rule identifies suspicious OpenSSL usage by monitoring process execution patterns, specifically targeting atypical client-server interactions, while excluding known benign processes. 
+ +### Possible investigation steps + +- Review the process execution details to confirm the presence of the "openssl" process with arguments indicating client or server activity, such as "s_client" with "-connect" or "s_server" with "-port". +- Check the parent process of the "openssl" execution to determine if it is a known benign process or if it is potentially suspicious, especially if it is not in the excluded list (e.g., "/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert"). +- Investigate the network connections established by the "openssl" process to identify the remote server's IP address and port, and assess whether these are known or potentially malicious. +- Analyze the timing and frequency of the "openssl" executions to determine if they align with normal operational patterns or if they suggest unusual or unauthorized activity. +- Correlate the "openssl" activity with other security events or logs to identify any related suspicious behavior, such as data exfiltration attempts or command and control communications. + +### False positive analysis + +- Known benign processes such as "/pro/xymon/client/ext/awsXymonCheck.sh" and "/opt/antidot-svc/nrpe/plugins/check_cert" are already excluded to reduce false positives. Ensure these paths are accurate and up-to-date in your environment. +- Regularly review and update the list of excluded parent processes to include any additional internal scripts or monitoring tools that frequently use OpenSSL for legitimate purposes. +- Monitor for any internal applications or services that may use OpenSSL in a similar manner and consider adding them to the exclusion list if they are verified as non-threatening. +- Implement logging and alerting to track the frequency and context of OpenSSL usage, which can help identify patterns that are consistently benign and warrant exclusion. 
+- Engage with system administrators to understand routine OpenSSL usage patterns in your environment, which can inform further refinement of the detection rule to minimize false positives. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further data exfiltration or command and control activities. +- Terminate the suspicious OpenSSL process identified by the alert to halt any ongoing unauthorized encrypted communications. +- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise, such as unusual network connections or unauthorized file access. +- Review and update firewall rules to block unauthorized outbound connections from the affected system, focusing on the ports and IP addresses involved in the suspicious activity. +- Reset credentials and review access permissions for accounts on the affected system to prevent unauthorized access. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems. +- Implement enhanced monitoring and logging for OpenSSL usage across the network to detect similar activities in the future, ensuring that alerts are promptly reviewed and acted upon.""" references = ["https://gtfobins.github.io/gtfobins/openssl/"] risk_score = 21 rule_id = "ad5a3757-c872-4719-8c72-12d3f08db655" @@ -55,10 +87,11 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: SentinelOne", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and process.name == "openssl" and ( 
@@ -69,68 +102,35 @@ process where host.os.type == "linux" and event.type == "start" and event.action "/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert", "/etc/zabbix/scripts/check_dane_tlsa.sh" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Openssl Client or Server Activity - -OpenSSL is a widely-used toolkit for implementing secure communication via SSL/TLS protocols. In Linux environments, it can function as a client or server to encrypt data transmissions. Adversaries may exploit OpenSSL to establish encrypted channels for data exfiltration or command and control. The detection rule identifies suspicious OpenSSL usage by monitoring process execution patterns, specifically targeting atypical client-server interactions, while excluding known benign processes. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of the "openssl" process with arguments indicating client or server activity, such as "s_client" with "-connect" or "s_server" with "-port". -- Check the parent process of the "openssl" execution to determine if it is a known benign process or if it is potentially suspicious, especially if it is not in the excluded list (e.g., "/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert"). -- Investigate the network connections established by the "openssl" process to identify the remote server's IP address and port, and assess whether these are known or potentially malicious. 
-- Analyze the timing and frequency of the "openssl" executions to determine if they align with normal operational patterns or if they suggest unusual or unauthorized activity. -- Correlate the "openssl" activity with other security events or logs to identify any related suspicious behavior, such as data exfiltration attempts or command and control communications. - -### False positive analysis - -- Known benign processes such as "/pro/xymon/client/ext/awsXymonCheck.sh" and "/opt/antidot-svc/nrpe/plugins/check_cert" are already excluded to reduce false positives. Ensure these paths are accurate and up-to-date in your environment. -- Regularly review and update the list of excluded parent processes to include any additional internal scripts or monitoring tools that frequently use OpenSSL for legitimate purposes. -- Monitor for any internal applications or services that may use OpenSSL in a similar manner and consider adding them to the exclusion list if they are verified as non-threatening. -- Implement logging and alerting to track the frequency and context of OpenSSL usage, which can help identify patterns that are consistently benign and warrant exclusion. -- Engage with system administrators to understand routine OpenSSL usage patterns in your environment, which can inform further refinement of the detection rule to minimize false positives. -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further data exfiltration or command and control activities. -- Terminate the suspicious OpenSSL process identified by the alert to halt any ongoing unauthorized encrypted communications. -- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise, such as unusual network connections or unauthorized file access. 
-- Review and update firewall rules to block unauthorized outbound connections from the affected system, focusing on the ports and IP addresses involved in the suspicious activity. -- Reset credentials and review access permissions for accounts on the affected system to prevent unauthorized access. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems. -- Implement enhanced monitoring and logging for OpenSSL usage across the network to detect similar activities in the future, ensuring that alerts are promptly reviewed and acted upon.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 057f3fab8e6..7960e23158b 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml 
@@ -2,9 +2,7 @@
 creation_date = "2023/09/20"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
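Review bot: Removing `min_stack_version = "8.13.0"` together with its `min_stack_comments` line drops the only in-file record of why this rule was gated to stack 8.13 (the SentinelOne breaking change the removed comment names), presumably because the minimum supported stack has moved past 8.13. If that is the intent the removal is fine; if any release branch below 8.13 still receives rule updates, the rule would again be shipped to a stack where that breaking change applies, with nothing left in the file to explain the resulting failure. The same removal appears in the metadata hunks for execution_sus_extraction_or_decrompression_via_funzip.toml, execution_suspicious_mining_process_creation_events.toml and execution_tc_bpf_filter.toml; this note covers all four.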
@@ -13,10 +11,50 @@ Monitors for the execution of background processes with process arguments capabl
 channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
 """
 from = "now-9m"
-index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Background Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Reverse Shell via Background Process
+
+In Linux environments, background processes can be manipulated to establish reverse shells, allowing adversaries to gain remote access. By exploiting shell commands to open network sockets, attackers can create backdoor connections. The detection rule identifies suspicious executions of background processes, like 'setsid' or 'nohup', with arguments indicating socket activity in '/dev/tcp', often initiated by common shell interpreters. This helps in flagging potential reverse shell activities for further investigation.
+
+### Possible investigation steps
+
+- Review the process details to confirm the presence of suspicious arguments, specifically looking for '/dev/tcp' in the process.args field, which indicates an attempt to open a network socket.
+- Identify the parent process by examining the process.parent.name field to determine if it is one of the common shell interpreters like 'bash', 'dash', 'sh', etc., which could suggest a script-based execution.
+- Check the user context under which the process was executed to assess if it aligns with expected user behavior or if it indicates potential compromise of a user account.
+- Investigate the network activity associated with the host to identify any unusual outbound connections that could correlate with the reverse shell attempt.
+- Correlate the event with other security alerts or logs from the same host to identify any preceding or subsequent suspicious activities that might indicate a broader attack pattern.
+- Review historical data for similar process executions on the host to determine if this is an isolated incident or part of a recurring pattern.
+
+### False positive analysis
+
+- Legitimate administrative scripts may use background processes with network socket activity for maintenance tasks. Review the script's purpose and source to determine if it is authorized.
+- Automated monitoring tools might execute commands that match the rule's criteria. Identify these tools and consider excluding their specific process names or paths from the rule.
+- Development environments often run test scripts that open network connections. Verify the development context and exclude known development-related processes to reduce noise.
+- Backup or synchronization software may use similar techniques to transfer data. Confirm the software's legitimacy and add exceptions for its processes if necessary.
+- System updates or package management tools might trigger alerts when installing or updating software. Monitor these activities and whitelist trusted update processes.
+
+### Response and remediation
+
+- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious background processes identified by the alert, specifically those involving 'setsid' or 'nohup' with '/dev/tcp' in their arguments.
+- Conduct a thorough review of the affected system's process and network activity logs to identify any additional indicators of compromise or lateral movement.
+- Reset credentials for any accounts that were active on the affected system to prevent unauthorized access using potentially compromised credentials.
+- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
+- Implement network segmentation to limit the ability of compromised systems to communicate with critical infrastructure or sensitive data repositories.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 risk_score = 47
 rule_id = "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39"
 setup = """## Setup
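Review bot: The second investigation step in the note, `- Identify the parent process by examining the process.parent.name field to determine if it is one of the common shell interpreters ...`, cannot add information, because the query that follows this hunk already requires `process.parent.name` to be one of those shells, so every alert satisfies it by construction. A step that tells the analyst what launched that shell would be more useful, e.g. `- Examine process.parent.command_line and the shell's own parent to determine what started the shell (interactive session, scheduled job, service, deployment script).` The note text is otherwise moved unchanged from later in the file.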
@@ -65,41 +103,6 @@ process where host.os.type == "linux" and event.type == "start" and process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Reverse Shell via Background Process - -In Linux environments, background processes can be manipulated to establish reverse shells, allowing adversaries to gain remote access. By exploiting shell commands to open network sockets, attackers can create backdoor connections. The detection rule identifies suspicious executions of background processes, like 'setsid' or 'nohup', with arguments indicating socket activity in '/dev/tcp', often initiated by common shell interpreters. This helps in flagging potential reverse shell activities for further investigation. - -### Possible investigation steps - -- Review the process details to confirm the presence of suspicious arguments, specifically looking for '/dev/tcp' in the process.args field, which indicates an attempt to open a network socket. -- Identify the parent process by examining the process.parent.name field to determine if it is one of the common shell interpreters like 'bash', 'dash', 'sh', etc., which could suggest a script-based execution. -- Check the user context under which the process was executed to assess if it aligns with expected user behavior or if it indicates potential compromise of a user account. -- Investigate the network activity associated with the host to identify any unusual outbound connections that could correlate with the reverse shell attempt. 
-- Correlate the event with other security alerts or logs from the same host to identify any preceding or subsequent suspicious activities that might indicate a broader attack pattern. -- Review historical data for similar process executions on the host to determine if this is an isolated incident or part of a recurring pattern. - -### False positive analysis - -- Legitimate administrative scripts may use background processes with network socket activity for maintenance tasks. Review the script's purpose and source to determine if it is authorized. -- Automated monitoring tools might execute commands that match the rule's criteria. Identify these tools and consider excluding their specific process names or paths from the rule. -- Development environments often run test scripts that open network connections. Verify the development context and exclude known development-related processes to reduce noise. -- Backup or synchronization software may use similar techniques to transfer data. Confirm the software's legitimacy and add exceptions for its processes if necessary. -- System updates or package management tools might trigger alerts when installing or updating software. Monitor these activities and whitelist trusted update processes. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious background processes identified by the alert, specifically those involving 'setsid' or 'nohup' with '/dev/tcp' in their arguments. -- Conduct a thorough review of the affected system's process and network activity logs to identify any additional indicators of compromise or lateral movement. -- Reset credentials for any accounts that were active on the affected system to prevent unauthorized access using potentially compromised credentials. -- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. 
-- Implement network segmentation to limit the ability of compromised systems to communicate with critical infrastructure or sensitive data repositories. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 9056e38af37..743df9ba2e4 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -2,9 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,6 +17,40 @@ index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Content Extracted or Decompressed via Funzip"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Content Extracted or Decompressed via Funzip
+
+Funzip is a utility used to decompress files directly from a stream, often employed in legitimate data processing tasks. However, adversaries can exploit this by combining it with the 'tail' command to extract and execute malicious payloads stealthily. The detection rule identifies this misuse by monitoring specific command sequences and excluding benign processes, thus flagging potential threats for further investigation.
+
+### Possible investigation steps
+
+- Review the process details to confirm the presence of the 'tail' and 'funzip' command sequence, focusing on the specific arguments used, such as "-c", to understand the context of the command execution.
+- Examine the parent process information to determine if the process was initiated by any known benign executables or scripts, specifically checking against the exclusion list like "/usr/bin/dracut" or "/sbin/dracut".
+- Investigate the command line history and execution context of the parent process, especially if it involves "sh" or "sudo", to identify any suspicious patterns or unauthorized script executions.
+- Check the file path and content being accessed by the 'tail' command to ensure it is not targeting sensitive or unexpected files, excluding known benign paths like "/var/log/messages".
+- Correlate the event with other security alerts or logs from the same host to identify any related suspicious activities or patterns that might indicate a broader compromise.
+- Assess the risk and impact by determining if the decompressed content was executed or if it led to any subsequent suspicious processes or network connections.
+
+### False positive analysis
+
+- Legitimate system maintenance tasks may trigger this rule if they involve decompressing logs or data files using funzip. To manage this, identify and exclude specific maintenance scripts or processes that are known to use funzip in a non-threatening manner.
+- Automated backup or data processing operations might use funzip in combination with tail for legitimate purposes. Review these operations and add exceptions for known benign processes or scripts that match this pattern.
+- Security tools or monitoring solutions like Nessus may inadvertently trigger this rule if they use similar command sequences for scanning or data collection. Exclude these tools by adding exceptions for their specific command lines or parent processes.
+- Custom scripts developed in-house for data analysis or processing might use funzip and tail together. Document these scripts and exclude them from the rule to prevent false positives, ensuring they are reviewed and approved by security teams.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further spread of the potential malware.
+- Terminate any suspicious processes identified by the detection rule, specifically those involving the 'tail' and 'funzip' command sequence.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads.
+- Review and analyze system logs and command history to identify any unauthorized access or additional malicious activities that may have occurred.
+- Restore any compromised files or systems from known good backups to ensure integrity and availability of data.
+- Implement application whitelisting to prevent unauthorized execution of utilities like 'funzip' and 'tail' by non-administrative users.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures."""
 references = ["https://attack.mitre.org/software/S0482/"]
 risk_score = 47
 rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66"
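Review bot: The remediation bullet `- Implement application whitelisting to prevent unauthorized execution of utilities like 'funzip' and 'tail' by non-administrative users.` is not actionable as written: `tail` is a core utility that ordinary shell sessions and scripts rely on, and the rule's own signal is the tail-into-funzip combination rather than either binary on its own. Limiting the advice to funzip keeps it realistic, e.g. `- Remove or restrict funzip on hosts with no legitimate need for stream decompression, and monitor its execution elsewhere; do not restrict tail.` The rest of the note is moved unchanged from later in the file.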
@@ -68,40 +100,6 @@ not process.args : "/var/log/messages" and not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Content Extracted or Decompressed via Funzip - -Funzip is a utility used to decompress files directly from a stream, often employed in legitimate data processing tasks. However, adversaries can exploit this by combining it with the 'tail' command to extract and execute malicious payloads stealthily. The detection rule identifies this misuse by monitoring specific command sequences and excluding benign processes, thus flagging potential threats for further investigation. - -### Possible investigation steps - -- Review the process details to confirm the presence of the 'tail' and 'funzip' command sequence, focusing on the specific arguments used, such as "-c", to understand the context of the command execution. -- Examine the parent process information to determine if the process was initiated by any known benign executables or scripts, specifically checking against the exclusion list like "/usr/bin/dracut" or "/sbin/dracut". -- Investigate the command line history and execution context of the parent process, especially if it involves "sh" or "sudo", to identify any suspicious patterns or unauthorized script executions. -- Check the file path and content being accessed by the 'tail' command to ensure it is not targeting sensitive or unexpected files, excluding known benign paths like "/var/log/messages". 
-- Correlate the event with other security alerts or logs from the same host to identify any related suspicious activities or patterns that might indicate a broader compromise. -- Assess the risk and impact by determining if the decompressed content was executed or if it led to any subsequent suspicious processes or network connections. - -### False positive analysis - -- Legitimate system maintenance tasks may trigger this rule if they involve decompressing logs or data files using funzip. To manage this, identify and exclude specific maintenance scripts or processes that are known to use funzip in a non-threatening manner. -- Automated backup or data processing operations might use funzip in combination with tail for legitimate purposes. Review these operations and add exceptions for known benign processes or scripts that match this pattern. -- Security tools or monitoring solutions like Nessus may inadvertently trigger this rule if they use similar command sequences for scanning or data collection. Exclude these tools by adding exceptions for their specific command lines or parent processes. -- Custom scripts developed in-house for data analysis or processing might use funzip and tail together. Document these scripts and exclude them from the rule to prevent false positives, ensuring they are reviewed and approved by security teams. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further spread of the potential malware. -- Terminate any suspicious processes identified by the detection rule, specifically those involving the 'tail' and 'funzip' command sequence. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads. -- Review and analyze system logs and command history to identify any unauthorized access or additional malicious activities that may have occurred. 
-- Restore any compromised files or systems from known good backups to ensure integrity and availability of data. -- Implement application whitelisting to prevent unauthorized execution of utilities like 'funzip' and 'tail' by non-administrative users. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures.""" [[rule.threat]] diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index 75a52429d9f..dae3affd53a 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/08" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,40 @@ index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.file*", "lo
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Mining Process Creation Event"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Mining Process Creation Event
+
+Cryptomining exploits system resources to mine cryptocurrency, often without user consent, impacting performance and security. Adversaries may deploy mining services on Linux systems, disguising them as legitimate processes. The detection rule identifies the creation of known mining service files, signaling potential unauthorized mining activity. By monitoring these specific file creation events, security teams can swiftly respond to and mitigate cryptomining threats.
+
+### Possible investigation steps
+
+- Review the alert details to identify which specific mining service file was created, focusing on the file names listed in the query such as "aliyun.service" or "moneroocean_miner.service".
+- Check the creation timestamp of the suspicious file to determine when the potential unauthorized mining activity began.
+- Investigate the process that created the file by examining system logs or using process monitoring tools to identify the parent process and any associated command-line arguments.
+- Analyze the system for additional indicators of compromise, such as unexpected network connections or high CPU usage, which may suggest active cryptomining.
+- Verify the legitimacy of the file by comparing it against known hashes of legitimate services or using threat intelligence sources to identify known malicious files.
+- Assess the system for any other suspicious activities or anomalies that may indicate further compromise or persistence mechanisms.
+
+### False positive analysis
+
+- Legitimate administrative scripts or services may create files with names similar to known mining services. Verify the origin and purpose of such files before taking action.
+- System administrators might deploy custom monitoring or management services that inadvertently match the file names in the detection rule. Review and whitelist these services if they are confirmed to be non-threatening.
+- Automated deployment tools or scripts could create service files as part of routine operations. Ensure these tools are properly documented and exclude them from the detection rule if they are verified as safe.
+- Some legitimate software installations might use generic service names that overlap with those flagged by the rule. Cross-check with software documentation and exclude these from alerts if they are confirmed to be benign.
+
+### Response and remediation
+
+- Isolate the affected Linux system from the network to prevent further unauthorized mining activity and potential lateral movement by the adversary.
+- Terminate any suspicious processes associated with the identified mining services, such as aliyun.service, moneroocean_miner.service, or others listed in the detection query.
+- Remove the malicious service files from the system to prevent them from being restarted or reused by the attacker.
+- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms.
+- Review and update system and application patches to close any vulnerabilities that may have been exploited to deploy the mining services.
+- Monitor network traffic for unusual outbound connections that may indicate communication with mining pools or command and control servers, and block these connections if detected.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
 risk_score = 47
 rule_id = "e2258f48-ba75-4248-951b-7c885edf18c2"
 setup = """## Setup
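Review bot: The investigation step `- Verify the legitimacy of the file by comparing it against known hashes of legitimate services ...` does not fit what this rule matches: the query in the next hunk keys only on `file.name`, and a systemd unit file is a small, trivially edited text file, so hashing the .service file itself tells the analyst little. The useful check is the unit's content, in particular the executable its `ExecStart` line points to, followed by hashing and reputation-checking that binary. Consider rewording the bullet to `- Open the created unit file, identify the executable it starts, and hash that binary for comparison against threat intelligence.` The rest of the note is moved unchanged from later in the file.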
@@ -63,40 +95,6 @@ query = ''' file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.service", "pnsd.service", "apache4.service", "pastebin.service", "xvf.service") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Mining Process Creation Event - -Cryptomining exploits system resources to mine cryptocurrency, often without user consent, impacting performance and security. Adversaries may deploy mining services on Linux systems, disguising them as legitimate processes. The detection rule identifies the creation of known mining service files, signaling potential unauthorized mining activity. By monitoring these specific file creation events, security teams can swiftly respond to and mitigate cryptomining threats. - -### Possible investigation steps - -- Review the alert details to identify which specific mining service file was created, focusing on the file names listed in the query such as "aliyun.service" or "moneroocean_miner.service". -- Check the creation timestamp of the suspicious file to determine when the potential unauthorized mining activity began. -- Investigate the process that created the file by examining system logs or using process monitoring tools to identify the parent process and any associated command-line arguments. -- Analyze the system for additional indicators of compromise, such as unexpected network connections or high CPU usage, which may suggest active cryptomining. 
-- Verify the legitimacy of the file by comparing it against known hashes of legitimate services or using threat intelligence sources to identify known malicious files. -- Assess the system for any other suspicious activities or anomalies that may indicate further compromise or persistence mechanisms. - -### False positive analysis - -- Legitimate administrative scripts or services may create files with names similar to known mining services. Verify the origin and purpose of such files before taking action. -- System administrators might deploy custom monitoring or management services that inadvertently match the file names in the detection rule. Review and whitelist these services if they are confirmed to be non-threatening. -- Automated deployment tools or scripts could create service files as part of routine operations. Ensure these tools are properly documented and exclude them from the detection rule if they are verified as safe. -- Some legitimate software installations might use generic service names that overlap with those flagged by the rule. Cross-check with software documentation and exclude these from alerts if they are confirmed to be benign. - -### Response and remediation - -- Isolate the affected Linux system from the network to prevent further unauthorized mining activity and potential lateral movement by the adversary. -- Terminate any suspicious processes associated with the identified mining services, such as aliyun.service, moneroocean_miner.service, or others listed in the detection query. -- Remove the malicious service files from the system to prevent them from being restarted or reused by the attacker. -- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms. -- Review and update system and application patches to close any vulnerabilities that may have been exploited to deploy the mining services. 
-- Monitor network traffic for unusual outbound connections that may indicate communication with mining pools or command and control servers, and block these connections if detected. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" [[rule.threat]] diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index ddd276f3160..63e0623347c 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/11" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/07" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,6 +17,40 @@ index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_
 language = "eql"
 license = "Elastic License v2"
 name = "BPF filter applied using TC"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating BPF filter applied using TC
+
+BPF (Berkeley Packet Filter) is a powerful tool for network traffic analysis and control, often used with the `tc` command to manage traffic on Linux systems. Adversaries may exploit this by setting BPF filters to manipulate or monitor network traffic covertly. The detection rule identifies suspicious use of `tc` to apply BPF filters, flagging potential misuse by checking for specific command patterns and excluding legitimate processes.
+
+### Possible investigation steps
+
+- Review the process execution details to confirm the presence of the `/usr/sbin/tc` command with arguments "filter", "add", and "bpf" to ensure the alert is not a false positive.
+- Investigate the parent process of the `tc` command to determine if it is a known legitimate process or if it appears suspicious, especially since the rule excludes `/usr/sbin/libvirtd`.
+- Check the user account associated with the process execution to assess if it is a privileged account and whether the activity aligns with the user's typical behavior.
+- Analyze network traffic logs around the time of the alert to identify any unusual patterns or connections that may indicate malicious activity.
+- Correlate this event with other security alerts or logs to identify if this is part of a broader attack pattern or campaign, such as the use of the TripleCross threat.
+- Review system logs for any other suspicious activities or anomalies that occurred before or after the alert to gather additional context.
+
+### False positive analysis
+
+- Legitimate use of tc by virtualization software like libvirtd can trigger the rule. To handle this, exclude processes where the parent executable is /usr/sbin/libvirtd, as indicated in the rule.
+- Network administrators may use tc with BPF filters for legitimate traffic management tasks. Identify and document these use cases, then create exceptions for specific command patterns or user accounts involved in these activities.
+- Automated scripts or system management tools that configure network interfaces might use tc with BPF filters. Review these scripts and tools, and if they are verified as safe, exclude their process signatures from triggering the rule.
+- Regular audits of network configurations can help distinguish between legitimate and suspicious use of BPF filters. Implement a process to regularly review and update exceptions based on these audits to minimize false positives.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further manipulation or monitoring of network traffic by the adversary.
+- Terminate the suspicious `tc` process to stop any ongoing malicious activity related to the BPF filter application.
+- Conduct a thorough review of network traffic logs to identify any unauthorized data exfiltration or communication with known malicious IP addresses.
+- Restore the affected system from a known good backup to ensure that no malicious configurations or software persist.
+- Implement network segmentation to limit the potential impact of similar threats in the future, ensuring critical systems are isolated from less secure areas.
+- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are compromised.
+- Update and enhance endpoint detection and response (EDR) solutions to improve monitoring and alerting for similar suspicious activities involving `tc` and BPF filters."""
 references = [
 "https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh",
 "https://man7.org/linux/man-pages/man8/tc.8.html",
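Review bot: The remediation bullet that terminates the suspicious tc process will usually have nothing to act on: the rule fires on a process start event, and a `tc filter add` invocation exits as soon as the filter is installed, leaving the BPF program attached to the qdisc in the kernel after the process is gone. The note contains no step that removes that filter, so an analyst following it to the letter leaves the attacker's traffic handling in place. Suggest adding `- List the filters on the affected interface (tc filter show) and delete the unexpected BPF filter (tc filter del); preserve the BPF object or pinned program it loaded for analysis before deleting it.` The rest of the note is moved unchanged from later in the file.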
@@ -70,40 +102,6 @@ process where host.os.type == "linux" and event.type == "start" and process.exec process.args == "filter" and process.args == "add" and process.args == "bpf" and not process.parent.executable == "/usr/sbin/libvirtd" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating BPF filter applied using TC - -BPF (Berkeley Packet Filter) is a powerful tool for network traffic analysis and control, often used with the `tc` command to manage traffic on Linux systems. Adversaries may exploit this by setting BPF filters to manipulate or monitor network traffic covertly. The detection rule identifies suspicious use of `tc` to apply BPF filters, flagging potential misuse by checking for specific command patterns and excluding legitimate processes. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of the `/usr/sbin/tc` command with arguments "filter", "add", and "bpf" to ensure the alert is not a false positive. -- Investigate the parent process of the `tc` command to determine if it is a known legitimate process or if it appears suspicious, especially since the rule excludes `/usr/sbin/libvirtd`. -- Check the user account associated with the process execution to assess if it is a privileged account and whether the activity aligns with the user's typical behavior. -- Analyze network traffic logs around the time of the alert to identify any unusual patterns or connections that may indicate malicious activity. -- Correlate this event with other security alerts or logs to identify if this is part of a broader attack pattern or campaign, such as the use of the TripleCross threat. 
-- Review system logs for any other suspicious activities or anomalies that occurred before or after the alert to gather additional context. - -### False positive analysis - -- Legitimate use of tc by virtualization software like libvirtd can trigger the rule. To handle this, exclude processes where the parent executable is /usr/sbin/libvirtd, as indicated in the rule. -- Network administrators may use tc with BPF filters for legitimate traffic management tasks. Identify and document these use cases, then create exceptions for specific command patterns or user accounts involved in these activities. -- Automated scripts or system management tools that configure network interfaces might use tc with BPF filters. Review these scripts and tools, and if they are verified as safe, exclude their process signatures from triggering the rule. -- Regular audits of network configurations can help distinguish between legitimate and suspicious use of BPF filters. Implement a process to regularly review and update exceptions based on these audits to minimize false positives. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further manipulation or monitoring of network traffic by the adversary. -- Terminate the suspicious `tc` process to stop any ongoing malicious activity related to the BPF filter application. -- Conduct a thorough review of network traffic logs to identify any unauthorized data exfiltration or communication with known malicious IP addresses. -- Restore the affected system from a known good backup to ensure that no malicious configurations or software persist. -- Implement network segmentation to limit the potential impact of similar threats in the future, ensuring critical systems are isolated from less secure areas. -- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are compromised. 
-- Update and enhance endpoint detection and response (EDR) solutions to improve monitoring and alerting for similar suspicious activities involving `tc` and BPF filters.""" [[rule.threat]] diff --git a/rules/linux/execution_unix_socket_communication.toml b/rules/linux/execution_unix_socket_communication.toml index 848168d4fe8..04f5a0d5c86 100644 --- a/rules/linux/execution_unix_socket_communication.toml +++ b/rules/linux/execution_unix_socket_communication.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/03/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
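Review bot: Dropping `min_stack_version = "8.13.0"` together with its `min_stack_comments` line removes the only declaration that this rule's SentinelOne field mapping needs 8.13+, so nothing in the rule now prevents the package from being installed on a stack where those fields break. This looks intentional and is repeated for several rules in the same diff, presumably because older branches are no longer maintained, but the PR description should state that reasoning so a future reader does not re-add the floor. If any consumer still pins a pre-8.13 stack, keep the line or move the floor into the package manifest instead.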
@@ -15,42 +13,17 @@ privileges or set up malicious communication channels via Unix sockets for inter evade detection. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Unix Socket Connection" -risk_score = 21 -rule_id = "41284ba3-ed1a-4598-bfba-a97f75d9aba2" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and - ( - (process.name in ("nc", "ncat", "netcat", "nc.openbsd") and - process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or - (process.name == "socat" and - process.args == "-" and process.args : ("UNIX-CLIENT:/usr/local/*", "UNIX-CLIENT:/run/*", "UNIX-CLIENT:/var/run/*")) or - (process.name == "curl" and process.args : ("--unix-socket", "--abstract-unix-socket")) -) and -not ( - process.args == "/var/run/libvirt/libvirt-sock" or - process.parent.name in ("bundle", "ruby", "haproxystatus.sh") -) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -86,16 +59,51 @@ Unix sockets facilitate efficient inter-process communication (IPC) on the same - Apply patches or configuration changes to address any vulnerabilities or misconfigurations identified during the investigation. - Monitor the affected system and network for any signs of recurring suspicious activity, focusing on Unix socket connections. - Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.""" +risk_score = 21 +rule_id = "41284ba3-ed1a-4598-bfba-a97f75d9aba2" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and + ( + (process.name in ("nc", "ncat", "netcat", "nc.openbsd") and + process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or + (process.name == "socat" and + process.args == "-" and process.args : ("UNIX-CLIENT:/usr/local/*", "UNIX-CLIENT:/run/*", "UNIX-CLIENT:/var/run/*")) or + (process.name == "curl" and process.args : ("--unix-socket", "--abstract-unix-socket")) +) and +not ( + process.args == "/var/run/libvirt/libvirt-sock" or + process.parent.name in ("bundle", "ruby", "haproxystatus.sh") +) +''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + 
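Review bot: The exclusion `process.parent.name in ("bundle", "ruby", "haproxystatus.sh")` in the re-homed query keys on a parent name that any unprivileged user controls, so launching `nc -U /run/...` from a script named `haproxystatus.sh` (or a copied interpreter renamed `ruby`) bypasses the rule entirely. Matching on `process.parent.executable` with full paths (e.g. `/usr/bin/ruby`) narrows that, and the libvirt exclusion in the same `not (...)` already takes the full-path approach for the socket. The `curl` branch also has no path constraint while the `nc`/`socat` branches are limited to `/usr/local`, `/run` and `/var/run`; if that asymmetry is deliberate, a short comment in the query would save the next reviewer the question. The query text itself is unchanged by this commit — it is only moved below `note`.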
diff --git a/rules/linux/execution_unusual_interactive_process_inside_container.toml b/rules/linux/execution_unusual_interactive_process_inside_container.toml new file mode 100644 index 00000000000..c70bddf41de --- /dev/null +++ b/rules/linux/execution_unusual_interactive_process_inside_container.toml 
@@ -0,0 +1,87 @@ +[metadata] +creation_date = "2025/03/12" +integration = ["endpoint"] +maturity = "production" +updated_date = "2025/03/12" + +[rule] +author = ["Elastic"] +description = """ +This rule detects when an unusual interactive process is launched inside a container. Interactive processes are typically +run in the foreground and require user input, which is unusual behavior for a containerized environment. This activity +could indicate an attacker attempting to gain access to the container environment or perform malicious actions. +""" +from = "now-9m" +index = ["logs-endpoint.events.process*"] +language = "kuery" +license = "Elastic License v2" +name = "Unusual Interactive Process Launched in a Container" +risk_score = 47 +rule_id = "7020ff25-76d7-4a7d-b95b-266cf27d70e8" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. + +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" +severity = "medium" +tags = [ + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" +query = ''' +event.category:process and host.os.type:linux and event.type:start and event.action:exec and +process.entry_leader.entry_meta.type:container and process.interactive:true +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["process.name"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" 
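Review bot: The new rule carries the tag `"Resources: Investigation Guide"` but defines no `note` field, so the tag advertises a triage guide that does not exist; the neighbouring rules in this diff back that tag with a `note = """## Triage and analysis …"""` block covering investigation steps, false positives and response. Either add such a guide (at minimum: confirm `process.entry_leader.entry_meta.type` is `container`, check whether the entry leader is an expected operator's `kubectl exec`/`docker exec` session, and review `process.command_line` and the user) or drop the tag. Separately, the new-terms key is `process.name` alone, so one interactive `sh` in any container on any host suppresses later interactive `sh` alerts fleet-wide for the 14-day window; pairing it with the host (`value = ["process.name", "host.id"]`) may be closer to what is intended, though the right key depends on the expected alert volume.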
diff --git a/rules/linux/execution_unusual_pkexec_execution.toml b/rules/linux/execution_unusual_pkexec_execution.toml index 9fe32073236..28e05736054 100644 --- a/rules/linux/execution_unusual_pkexec_execution.toml +++ b/rules/linux/execution_unusual_pkexec_execution.toml 
@@ -2,23 +2,60 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/23" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -This rule detects the execution of the `pkexec` command by a shell process. The `pkexec` command is used to -execute programs as another user, typically as the superuser. Through the `new_terms` rule type, unusual -executions of `pkexec` are identified, and may indicate an attempt to escalate privileges or perform -unauthorized actions on the system. +This rule detects the execution of the `pkexec` command by a shell process. The `pkexec` command is used to execute +programs as another user, typically as the superuser. Through the `new_terms` rule type, unusual executions of `pkexec` +are identified, and may indicate an attempt to escalate privileges or perform unauthorized actions on the system. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process*", + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*", +] language = "kuery" license = "Elastic License v2" name = "Unusual Pkexec Execution" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Pkexec Execution + +`Pkexec` is a command-line utility in Linux environments that allows users to execute commands as another user, often with elevated privileges. 
Adversaries may exploit `pkexec` to escalate privileges or execute unauthorized actions by invoking it through shell processes. The detection rule identifies atypical `pkexec` executions initiated by common shell interpreters, flagging potential misuse by monitoring specific process attributes and execution patterns. + +### Possible investigation steps + +- Review the process tree to understand the context of the pkexec execution, focusing on the parent process names such as bash, dash, sh, tcsh, csh, zsh, ksh, or fish, as these are indicative of shell-based invocations. +- Examine the command-line arguments passed to pkexec to determine the intended action and assess whether it aligns with expected administrative tasks or appears suspicious. +- Check the user account associated with the pkexec execution to verify if the account has legitimate reasons to perform such actions, and investigate any anomalies in user behavior or account activity. +- Investigate the timing and frequency of the pkexec executions to identify patterns or correlations with other suspicious activities or known attack timelines. +- Cross-reference the alert with other security logs and alerts from data sources like Elastic Endgame, Elastic Defend, Crowdstrike, or SentinelOne to gather additional context and corroborate findings. +- Assess the system's current state for signs of compromise, such as unauthorized changes, unexpected network connections, or the presence of known malicious files or processes. + +### False positive analysis + +- Routine administrative tasks: System administrators may use pkexec for legitimate purposes, such as performing maintenance tasks. To handle this, create exceptions for known administrator accounts or specific maintenance scripts that regularly invoke pkexec. +- Automated scripts: Some automated scripts or cron jobs might use pkexec to perform scheduled tasks. 
Identify these scripts and exclude their specific process names or paths from the rule to prevent false alerts. +- Software updates: Certain software update processes might use pkexec to apply patches or updates. Monitor and document these processes, then configure exceptions for recognized update mechanisms. +- Development environments: Developers might use pkexec during testing or development. Establish a list of development machines or user accounts and exclude them from the rule to reduce noise. +- Custom user applications: Users may have custom applications that require pkexec for legitimate functionality. Review these applications and whitelist their specific execution patterns to avoid unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. +- Terminate any suspicious `pkexec` processes identified by the alert to halt unauthorized actions or privilege escalation attempts. +- Review and analyze the parent shell process and its command history to understand the context and origin of the `pkexec` execution. +- Reset credentials and review permissions for the user accounts involved to mitigate any unauthorized access or privilege escalation. +- Conduct a thorough scan of the affected system for additional indicators of compromise or persistence mechanisms that may have been deployed. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Update and enhance monitoring rules to detect similar `pkexec` misuse attempts in the future, ensuring comprehensive coverage of shell processes and privilege escalation activities.""" risk_score = 21 rule_id = "3ca81a95-d5af-4b77-b0ad-b02bc746f640" setup = """## Setup 
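Review bot: The added guide's first response step, `Immediately isolate the affected system from the network`, is disproportionate for this rule, which is a new-terms alert keyed on `process.parent.command_line` with `risk_score = 21` and whose own false-positive section lists routine administration, cron jobs, package updates and developer machines as expected triggers. Leading with host isolation on a low-risk, high-false-positive signal invites self-inflicted outages; the isolation step belongs after the investigation steps have confirmed misuse. Suggest reordering so the first response bullets are the review of the parent shell's command history and the invoking user, and rewording the isolation bullet to `If the pkexec invocation is confirmed malicious, isolate the affected system from the network …`. The `risk_score` and `rule_id` lines here are context; the rest of the `[rule]` table continues outside the hunk.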
@@ -72,68 +109,34 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" + query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event or start or ProcessRollup2) and process.name:pkexec and process.args:pkexec and process.parent.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Pkexec Execution - -`Pkexec` is a command-line utility in Linux environments that allows users to execute commands as another user, often with elevated privileges. Adversaries may exploit `pkexec` to escalate privileges or execute unauthorized actions by invoking it through shell processes. The detection rule identifies atypical `pkexec` executions initiated by common shell interpreters, flagging potential misuse by monitoring specific process attributes and execution patterns. - -### Possible investigation steps - -- Review the process tree to understand the context of the pkexec execution, focusing on the parent process names such as bash, dash, sh, tcsh, csh, zsh, ksh, or fish, as these are indicative of shell-based invocations. -- Examine the command-line arguments passed to pkexec to determine the intended action and assess whether it aligns with expected administrative tasks or appears suspicious. -- Check the user account associated with the pkexec execution to verify if the account has legitimate reasons to perform such actions, and investigate any anomalies in user behavior or account activity. 
-- Investigate the timing and frequency of the pkexec executions to identify patterns or correlations with other suspicious activities or known attack timelines. -- Cross-reference the alert with other security logs and alerts from data sources like Elastic Endgame, Elastic Defend, Crowdstrike, or SentinelOne to gather additional context and corroborate findings. -- Assess the system's current state for signs of compromise, such as unauthorized changes, unexpected network connections, or the presence of known malicious files or processes. - -### False positive analysis - -- Routine administrative tasks: System administrators may use pkexec for legitimate purposes, such as performing maintenance tasks. To handle this, create exceptions for known administrator accounts or specific maintenance scripts that regularly invoke pkexec. -- Automated scripts: Some automated scripts or cron jobs might use pkexec to perform scheduled tasks. Identify these scripts and exclude their specific process names or paths from the rule to prevent false alerts. -- Software updates: Certain software update processes might use pkexec to apply patches or updates. Monitor and document these processes, then configure exceptions for recognized update mechanisms. -- Development environments: Developers might use pkexec during testing or development. Establish a list of development machines or user accounts and exclude them from the rule to reduce noise. -- Custom user applications: Users may have custom applications that require pkexec for legitimate functionality. Review these applications and whitelist their specific execution patterns to avoid unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. -- Terminate any suspicious `pkexec` processes identified by the alert to halt unauthorized actions or privilege escalation attempts. 
-- Review and analyze the parent shell process and its command history to understand the context and origin of the `pkexec` execution. -- Reset credentials and review permissions for the user accounts involved to mitigate any unauthorized access or privilege escalation. -- Conduct a thorough scan of the affected system for additional indicators of compromise or persistence mechanisms that may have been deployed. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. -- Update and enhance monitoring rules to detect similar `pkexec` misuse attempts in the future, ensuring comprehensive coverage of shell processes and privilege escalation activities.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -142,7 +145,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml index 3b1a1f4a34a..fe0af03f5a4 100644 --- a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml +++ b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,10 +12,50 @@ for exfiltration on Linux systems. Data splitting is a technique used by adversa avoid detection and exfiltrate data. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Data Splitting Detected" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Data Splitting Detected + +Data splitting utilities on Linux, such as `dd` and `split`, are typically used for managing large files by dividing them into smaller, more manageable parts. Adversaries exploit these tools to covertly exfiltrate data by splitting it into inconspicuous segments. The detection rule identifies suspicious use of these utilities by monitoring specific command-line arguments and excluding benign processes, thereby flagging potential exfiltration activities. + +### Possible investigation steps + +- Review the process details to confirm the use of data splitting utilities like 'dd', 'split', or 'rsplit' with suspicious arguments such as 'bs=*', 'if=*', '-b', or '--bytes*'. +- Examine the parent process name to ensure it is not a benign process like 'apport' or 'overlayroot', which are excluded in the rule. +- Investigate the source and destination paths specified in the process arguments to determine if they involve sensitive or unusual locations, excluding paths like '/tmp/nvim*', '/boot/*', or '/dev/urandom'. 
+- Check the user account associated with the process to assess if it has a history of legitimate use of these utilities or if it might be compromised. +- Analyze recent network activity from the host to identify any potential data exfiltration attempts, especially if the process involves external connections. +- Correlate this alert with other security events or logs from the same host to identify any patterns or additional indicators of compromise. + +### False positive analysis + +- Processes related to system maintenance or updates, such as those initiated by the 'apport' or 'overlayroot' processes, may trigger false positives. Users can mitigate this by ensuring these parent processes are included in the exclusion list. +- Backup operations that use 'dd' or 'split' for legitimate data management tasks can be mistaken for exfiltration attempts. Exclude specific backup scripts or processes by adding their unique identifiers or arguments to the exclusion criteria. +- Development or testing environments where 'dd' or 'split' are used for creating test data or simulating data transfer can generate false alerts. Identify and exclude these environments by specifying their process names or argument patterns. +- Automated scripts that use 'dd' or 'split' for routine data processing tasks should be reviewed and, if benign, added to the exclusion list to prevent unnecessary alerts. +- Regular system operations involving '/dev/random', '/dev/urandom', or similar sources should be excluded, as these are common in non-malicious contexts and are already partially covered by the rule's exclusions. + +### Response and remediation + +- Immediately isolate the affected Linux system from the network to prevent further data exfiltration. +- Terminate any suspicious processes identified by the detection rule, specifically those involving the `dd`, `split`, or `rsplit` utilities with the flagged arguments. 
+- Conduct a thorough review of recent file access and modification logs to identify any unauthorized data handling or exfiltration attempts. +- Restore any potentially compromised data from secure backups, ensuring that the restored data is free from any malicious alterations. +- Implement stricter access controls and monitoring on sensitive data directories to prevent unauthorized access and manipulation. +- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected. +- Enhance monitoring and alerting for similar suspicious activities by integrating additional threat intelligence sources and refining detection capabilities.""" risk_score = 21 rule_id = "e302e6c3-448c-4243-8d9b-d41da70db582" setup = """## Setup @@ -55,10 +93,11 @@ tags = [ "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and 
@@ -80,46 +119,13 @@ process where host.os.type == "linux" and event.type == "start" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Data Splitting Detected - -Data splitting utilities on Linux, such as `dd` and `split`, are typically used for managing large files by dividing them into smaller, more manageable parts. Adversaries exploit these tools to covertly exfiltrate data by splitting it into inconspicuous segments. The detection rule identifies suspicious use of these utilities by monitoring specific command-line arguments and excluding benign processes, thereby flagging potential exfiltration activities. - -### Possible investigation steps - -- Review the process details to confirm the use of data splitting utilities like 'dd', 'split', or 'rsplit' with suspicious arguments such as 'bs=*', 'if=*', '-b', or '--bytes*'. -- Examine the parent process name to ensure it is not a benign process like 'apport' or 'overlayroot', which are excluded in the rule. -- Investigate the source and destination paths specified in the process arguments to determine if they involve sensitive or unusual locations, excluding paths like '/tmp/nvim*', '/boot/*', or '/dev/urandom'. -- Check the user account associated with the process to assess if it has a history of legitimate use of these utilities or if it might be compromised. -- Analyze recent network activity from the host to identify any potential data exfiltration attempts, especially if the process involves external connections. -- Correlate this alert with other security events or logs from the same host to identify any patterns or additional indicators of compromise. 
-### False positive analysis - -- Processes related to system maintenance or updates, such as those initiated by the 'apport' or 'overlayroot' processes, may trigger false positives. Users can mitigate this by ensuring these parent processes are included in the exclusion list. -- Backup operations that use 'dd' or 'split' for legitimate data management tasks can be mistaken for exfiltration attempts. Exclude specific backup scripts or processes by adding their unique identifiers or arguments to the exclusion criteria. -- Development or testing environments where 'dd' or 'split' are used for creating test data or simulating data transfer can generate false alerts. Identify and exclude these environments by specifying their process names or argument patterns. -- Automated scripts that use 'dd' or 'split' for routine data processing tasks should be reviewed and, if benign, added to the exclusion list to prevent unnecessary alerts. -- Regular system operations involving '/dev/random', '/dev/urandom', or similar sources should be excluded, as these are common in non-malicious contexts and are already partially covered by the rule's exclusions. - -### Response and remediation - -- Immediately isolate the affected Linux system from the network to prevent further data exfiltration. -- Terminate any suspicious processes identified by the detection rule, specifically those involving the `dd`, `split`, or `rsplit` utilities with the flagged arguments. -- Conduct a thorough review of recent file access and modification logs to identify any unauthorized data handling or exfiltration attempts. -- Restore any potentially compromised data from secure backups, ensuring that the restored data is free from any malicious alterations. -- Implement stricter access controls and monitoring on sensitive data directories to prevent unauthorized access and manipulation. 
-- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected. -- Enhance monitoring and alerting for similar suspicious activities by integrating additional threat intelligence sources and refining detection capabilities.""" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml index 4511e11ce2a..f3520928930 100644 --- a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml +++ b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml 
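Review bot: The reformatted `[rule.threat]` block declares only the tactic `TA0010` (Exfiltration) with no `[[rule.threat.technique]]`, so the rule contributes nothing to technique-level ATT&CK coverage even though the behaviour it describes — chunking data with `dd`/`split` to stay under size thresholds — maps to Data Transfer Size Limits (T1030). Add a `[[rule.threat.technique]]` table with `id = "T1030"`, `name = "Data Transfer Size Limits"` and `reference = "https://attack.mitre.org/techniques/T1030/"` above the `[rule.threat.tactic]` table, matching the layout the other rules in this diff use. The removed `note` lines are the guide moved above `risk_score` earlier in the file, not a deletion of content.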
@@ -2,23 +2,55 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "ES|QL rule type in technical preview as of 8.13" -min_stack_version = "8.13.0" -updated_date = "2025/02/21" +updated_date = "2025/04/07" [rule] author = ["Elastic"] description = """ -This rule leverages ES|QL to detect the execution of unusual file transfer utilities on Linux systems. -Attackers may use these utilities to exfiltrate data from a compromised system. ES|QL rules have -limited fields available in its alert documents. Make sure to review the original documents to aid -in the investigation of this alert. +This rule leverages ES|QL to detect the execution of unusual file transfer utilities on Linux systems. Attackers may use +these utilities to exfiltrate data from a compromised system. ES|QL rules have limited fields available in its alert +documents. Make sure to review the original documents to aid in the investigation of this alert. """ from = "now-61m" interval = "1h" language = "esql" license = "Elastic License v2" name = "Unusual File Transfer Utility Launched" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual File Transfer Utility Launched + +File transfer utilities like scp, ftp, and rsync are essential for data movement in Linux environments. However, adversaries can exploit these tools to exfiltrate sensitive data. The detection rule identifies suspicious executions of these utilities by monitoring process activities, focusing on rare occurrences and unique agent IDs, which may indicate unauthorized data transfers. This helps in early detection of potential data breaches. 
+ +### Possible investigation steps + +- Review the process.command_line field to understand the exact command executed and assess if it aligns with typical usage patterns or if it appears suspicious. +- Examine the process.parent.executable field to determine the parent process that initiated the file transfer utility, which may provide insights into whether the execution was part of a legitimate workflow or potentially malicious activity. +- Check the agent.id field to identify the specific host involved in the alert and correlate it with other security events or logs from the same host to gather additional context. +- Investigate the @timestamp field to verify the timing of the event and cross-reference with any known scheduled tasks or user activities that could explain the execution. +- Analyze the host.os.type field to confirm the operating system and ensure that the alert pertains to a Linux environment, as expected by the rule. + +### False positive analysis + +- Routine administrative tasks using file transfer utilities may trigger alerts. Regularly scheduled backups or updates using scp, rsync, or ftp should be documented and excluded from alerts by creating exceptions for known scripts or cron jobs. +- Automated system updates or patches that utilize these utilities can be mistaken for suspicious activity. Identify and whitelist the processes and command lines associated with these updates to prevent false positives. +- Internal data transfers between trusted servers for legitimate business purposes might be flagged. Establish a list of trusted agent IDs and exclude them from the rule to avoid unnecessary alerts. +- Development and testing environments often use these utilities for transferring test data. Ensure that these environments are recognized and excluded by specifying their hostnames or IP addresses in the rule configuration. +- User-initiated file transfers for legitimate reasons, such as data analysis or reporting, can be misinterpreted. 
Educate users to notify the security team of such activities in advance, allowing for temporary exceptions to be made. + +### Response and remediation + +- Immediately isolate the affected Linux system from the network to prevent further data exfiltration and unauthorized access. +- Terminate any suspicious file transfer processes identified by the alert, such as scp, ftp, or rsync, to halt ongoing data transfers. +- Conduct a thorough review of the process command lines and parent executables to identify any malicious scripts or unauthorized software that initiated the file transfer. +- Change credentials and access keys associated with the compromised system to prevent further unauthorized access. +- Escalate the incident to the security operations team for a deeper forensic analysis to determine the extent of the breach and identify any additional compromised systems. +- Implement network monitoring to detect any further attempts of unauthorized file transfers or suspicious activities from the affected system. +- Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats in the future. +""" risk_score = 21 rule_id = "8eeeda11-dca6-4c3e-910f-7089db412d1c" setup = """## Setup 
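Review bot: The false-positive bullet for development and testing environments tells the analyst to exclude them "by specifying their hostnames or IP addresses in the rule configuration", but the ES|QL query this rule runs (next hunk) keeps no IP field at all; only host.name and agent.id identify the endpoint in the alert. Suggest rewording to `- Development and testing environments often use these utilities for transferring test data. Exclude them by adding their host.name or agent.id values to the query's exclusions.` The same guide says to "whitelist the processes and command lines", and since `process.executable` and `process.command_line` are the grouping keys of the query, naming those two fields would make that exception guidance directly actionable. The note string is complete within this hunk.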
@@ -55,33 +87,36 @@ tags = [ "Tactic: Exfiltration", "Tactic: Execution", "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "esql" + query = ''' from logs-endpoint.events.process-* -| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, process.command_line, agent.id +| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, process.command_line, agent.id, host.name | where @timestamp > now() - 1 hours | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("scp", "ftp", "sftp", "vsftpd", "sftp-server", "rsync") -| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.parent.executable, process.command_line +| stats cc = count(), agent_count = count_distinct(agent.id), host.name = VALUES(host.name), agent.id = VALUES(agent.id) by process.executable, process.parent.executable, process.command_line | where agent_count == 1 and cc < 5 | sort cc asc | limit 100 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" - +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/impact_memory_swap_modification.toml b/rules/linux/impact_memory_swap_modification.toml index d39b8f1763d..b0dd5c06c53 100644 --- a/rules/linux/impact_memory_swap_modification.toml +++ b/rules/linux/impact_memory_swap_modification.toml 
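Review bot: The new `stats` line assigns `host.name = VALUES(host.name)` and `agent.id = VALUES(agent.id)`; `VALUES` yields a multi-valued result, and while the following `agent_count == 1` guarantees a single agent.id, nothing guarantees a single host.name for that agent across the one-hour window (a host rename or inconsistent host.name in some events produces a multi-valued alert field). If downstream consumers such as exception lists or entity enrichment expect a scalar, consider reducing it to one value (e.g. wrapping with `MV_FIRST`), or document the assumption in the rule description with a sentence such as `host.name in the alert is the set of names reported by the single agent in the window.` The same pattern appears in the stats line of impact_potential_bruteforce_malware_infection.toml later in this diff.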
@@ -2,9 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,41 @@ index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_ language = "eql" license = "Elastic License v2" name = "Memory Swap Modification" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Memory Swap Modification + +Memory swap in Linux systems manages RAM by moving inactive pages to disk, freeing up memory for active processes. Adversaries exploit this by altering swap settings to degrade performance or deploy resource-intensive malware like cryptominers. The detection rule identifies suspicious activities by monitoring processes that modify swap settings or execute related commands, flagging potential misuse for further investigation. + +### Possible investigation steps + +- Review the process details to identify the parent process using the field process.parent.executable. This can help determine if the swap modification was initiated by a legitimate or suspicious parent process. +- Examine the command line arguments captured in process.command_line to understand the specific changes made to swap settings, such as modifications to vm.swappiness. +- Check the user account associated with the process to determine if the action was performed by a privileged or unauthorized user. +- Investigate any recent system performance issues or anomalies that could be linked to swap modifications, such as increased CPU or memory usage. +- Correlate the event with other security alerts or logs to identify if this activity is part of a larger pattern of suspicious behavior, such as the presence of cryptomining software like XMRig. 
+- Assess the system for any unauthorized software installations or configurations that could indicate a compromise, focusing on resource-intensive applications. + +### False positive analysis + +- System administrators may frequently modify swap settings during routine maintenance or performance tuning. To handle this, create exceptions for known administrator accounts or specific maintenance scripts. +- Automated configuration management tools like Ansible or Puppet might execute commands that alter swap settings. Identify these tools and exclude their processes from triggering alerts. +- Some legitimate applications may adjust swap settings to optimize their performance. Monitor and whitelist these applications to prevent unnecessary alerts. +- Development environments often experiment with system settings, including swap configurations. Consider excluding processes from known development environments or specific user accounts associated with development activities. +- Scheduled tasks or cron jobs might include swap modification commands for system optimization. Review and whitelist these tasks if they are verified as non-threatening. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further spread or impact of the potential malware. +- Terminate any suspicious processes identified by the detection rule, such as those involving "swapon", "swapoff", or unauthorized modifications to "vm.swappiness". +- Conduct a thorough scan of the isolated system using updated antivirus or anti-malware tools to identify and remove any malicious software, particularly cryptominers like XMRig. +- Review and restore swap settings to their default or secure configurations to ensure system stability and performance. +- Implement monitoring for any further unauthorized changes to swap settings or related processes to detect and respond to similar threats promptly. 
+- Escalate the incident to the security operations team for a detailed forensic analysis to understand the scope and origin of the attack. +- Update system and security patches to close any vulnerabilities that may have been exploited by the adversary.""" risk_score = 21 rule_id = "5e4023e7-6357-4061-ae1c-9df33e78c674" setup = """## Setup @@ -61,6 +94,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and process.parent.executable != null and 
@@ -75,69 +109,35 @@ process.name in ("swapon", "swapoff") or ( ) and not process.parent.name in ("lynis", "systemd", "end-zram-swapping", "SyxsenseResponder", "tuned", "platform-python", "timeout") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Memory Swap Modification - -Memory swap in Linux systems manages RAM by moving inactive pages to disk, freeing up memory for active processes. Adversaries exploit this by altering swap settings to degrade performance or deploy resource-intensive malware like cryptominers. The detection rule identifies suspicious activities by monitoring processes that modify swap settings or execute related commands, flagging potential misuse for further investigation. - -### Possible investigation steps - -- Review the process details to identify the parent process using the field process.parent.executable. This can help determine if the swap modification was initiated by a legitimate or suspicious parent process. -- Examine the command line arguments captured in process.command_line to understand the specific changes made to swap settings, such as modifications to vm.swappiness. -- Check the user account associated with the process to determine if the action was performed by a privileged or unauthorized user. -- Investigate any recent system performance issues or anomalies that could be linked to swap modifications, such as increased CPU or memory usage. -- Correlate the event with other security alerts or logs to identify if this activity is part of a larger pattern of suspicious behavior, such as the presence of cryptomining software like XMRig. 
-- Assess the system for any unauthorized software installations or configurations that could indicate a compromise, focusing on resource-intensive applications. - -### False positive analysis - -- System administrators may frequently modify swap settings during routine maintenance or performance tuning. To handle this, create exceptions for known administrator accounts or specific maintenance scripts. -- Automated configuration management tools like Ansible or Puppet might execute commands that alter swap settings. Identify these tools and exclude their processes from triggering alerts. -- Some legitimate applications may adjust swap settings to optimize their performance. Monitor and whitelist these applications to prevent unnecessary alerts. -- Development environments often experiment with system settings, including swap configurations. Consider excluding processes from known development environments or specific user accounts associated with development activities. -- Scheduled tasks or cron jobs might include swap modification commands for system optimization. Review and whitelist these tasks if they are verified as non-threatening. - -### Response and remediation -- Immediately isolate the affected system from the network to prevent further spread or impact of the potential malware. -- Terminate any suspicious processes identified by the detection rule, such as those involving "swapon", "swapoff", or unauthorized modifications to "vm.swappiness". -- Conduct a thorough scan of the isolated system using updated antivirus or anti-malware tools to identify and remove any malicious software, particularly cryptominers like XMRig. -- Review and restore swap settings to their default or secure configurations to ensure system stability and performance. -- Implement monitoring for any further unauthorized changes to swap settings or related processes to detect and respond to similar threats promptly. 
-- Escalate the incident to the security operations team for a detailed forensic analysis to understand the scope and origin of the attack. -- Update system and security patches to close any vulnerabilities that may have been exploited by the adversary.""" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1496" +name = "Resource Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/" - [rule.threat.tactic] - name = "Impact" - id = "TA0040" - reference = "https://attack.mitre.org/tactics/TA0040/" - - [[rule.threat.technique]] - name = "Resource Hijacking" - id = "T1496" - reference = "https://attack.mitre.org/techniques/T1496/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml index 7e881adf9b5..ff69827b669 100644 --- a/rules/linux/impact_potential_bruteforce_malware_infection.toml +++ b/rules/linux/impact_potential_bruteforce_malware_infection.toml 
@@ -2,26 +2,59 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "ES|QL rule type in technical preview as of 8.13" -min_stack_version = "8.13.0" -updated_date = "2025/02/20" +updated_date = "2025/04/07" [rule] author = ["Elastic"] description = """ This detection identifies a Linux host that has potentially been infected with malware and is being used to conduct -brute-force attacks against external systems over SSH (port 22 and common alternative SSH ports). The detection -looks for a high volume of outbound connection attempts to non-private IP addresses from a single process. A -compromised host may be part of a botnet or controlled by an attacker, attempting to gain unauthorized access -to remote systems. This behavior is commonly observed in SSH brute-force campaigns where malware hijacks -vulnerable machines to expand its attack surface. ES|QL rules have limited fields available in its alert documents. -Make sure to review the original documents to aid in the investigation of this alert. +brute-force attacks against external systems over SSH (port 22 and common alternative SSH ports). The detection looks +for a high volume of outbound connection attempts to non-private IP addresses from a single process. A compromised host +may be part of a botnet or controlled by an attacker, attempting to gain unauthorized access to remote systems. This +behavior is commonly observed in SSH brute-force campaigns where malware hijacks vulnerable machines to expand its +attack surface. ES|QL rules have limited fields available in its alert documents. Make sure to review the original +documents to aid in the investigation of this alert. 
""" from = "now-61m" interval = "1h" language = "esql" license = "Elastic License v2" name = "Potential Malware-Driven SSH Brute Force Attempt" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Malware-Driven SSH Brute Force Attempt + +SSH is a protocol used to securely access remote systems. Adversaries exploit it by deploying malware on compromised Linux hosts to perform brute-force attacks, attempting unauthorized access to other systems. The detection rule identifies such abuse by monitoring high volumes of outbound SSH connection attempts from a single process to external IPs, indicating potential malware activity. + +### Possible investigation steps + +- Review the process executable identified in the alert to determine if it is a legitimate application or potentially malicious. Check for known malware signatures or unusual file paths. +- Analyze the destination IP addresses involved in the connection attempts to identify if they are known malicious hosts or part of a larger attack infrastructure. Use threat intelligence sources to gather more information. +- Examine the host's recent activity logs to identify any unusual behavior or signs of compromise, such as unexpected process executions or changes in system configurations. +- Investigate the specific agent.id associated with the alert to determine if other alerts or suspicious activities have been reported from the same host, indicating a broader compromise. +- Check for any recent changes or updates to the host's software or configurations that could have introduced vulnerabilities exploited by the malware. 
+- Assess the network traffic patterns from the host to identify any other unusual outbound connections that may indicate additional malicious activity or data exfiltration attempts. + +### False positive analysis + +- High-volume legitimate SSH operations from a single process can trigger alerts. Exclude known safe processes or scripts that perform frequent SSH operations by adding them to an exception list. +- Automated backup or synchronization tools using SSH to connect to external servers may be misidentified. Identify these tools and exclude their process names or IP addresses from the detection rule. +- Development or testing environments where SSH connections are frequently initiated to external systems for legitimate purposes can cause false positives. Document these environments and adjust the rule to exclude their specific IP ranges or process identifiers. +- Security scanning tools that perform SSH checks on external systems might be flagged. Ensure these tools are recognized and their activities are excluded by specifying their process names or IP addresses in the rule exceptions. + +### Response and remediation + +- Isolate the affected Linux host from the network immediately to prevent further unauthorized access attempts and potential spread of malware to other systems. +- Terminate the suspicious process identified by the detection rule to stop ongoing brute-force attempts and reduce the risk of further compromise. +- Conduct a thorough malware scan on the isolated host using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious software. +- Review and reset credentials for any accounts that may have been targeted or compromised during the brute-force attempts to ensure account security. +- Apply security patches and updates to the affected host and any other vulnerable systems to mitigate known vulnerabilities that could be exploited by similar threats. 
+- Monitor network traffic for any signs of continued or new suspicious activity, particularly focusing on outbound SSH connections, to detect and respond to any further attempts promptly. +- Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and to assess the potential impact on the broader network infrastructure. +""" risk_score = 47 rule_id = "77122db4-5876-4127-b91b-6c179eb21f88" setup = """## Setup @@ -58,12 +91,14 @@ tags = [ "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "esql" + query = ''' from logs-endpoint.events.network-* -| keep @timestamp, host.os.type, event.type, event.action, destination.port, process.executable, destination.ip, agent.id +| keep @timestamp, host.os.type, event.type, event.action, destination.port, process.executable, destination.ip, agent.id, host.name | where @timestamp > now() - 1 hours | where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and destination.port in (22, 222, 2222, 10022, 2022, 2200, 62612, 8022) and not 
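Review bot: The added investigation step "Analyze the destination IP addresses involved in the connection attempts" points at a field the alert document does not carry: the query's `stats` (next hunk) groups only by `process.executable` and `destination.port`, so `destination.ip` is aggregated away and the analyst cannot read it from the alert. Suggest making the pivot explicit, e.g. `- Pivot to the original logs-endpoint.events.network-* documents for the flagged process.executable and agent.id to enumerate destination.ip values, then check them against threat intelligence.` Likewise, the false-positive bullets recommend excluding "IP addresses" or "IP ranges"; those exclusions have to go into the query's destination.ip filter (the CIDR list in the next hunk), since an alert-level exception cannot reference a field the alert lacks. The note string is complete within this hunk.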
@@ -73,52 +108,52 @@ from logs-endpoint.events.network-* "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8" ) -| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, destination.port +| stats cc = count(), agent_count = count_distinct(agent.id), host.name = VALUES(host.name), agent.id = VALUES(agent.id) by process.executable, destination.port | where agent_count == 1 and cc > 15 | sort cc asc | limit 100 ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1496" +name = "Resource Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/" - [rule.threat.tactic] - name = "Impact" - id = "TA0040" - reference = "https://attack.mitre.org/tactics/TA0040/" - - [[rule.threat.technique]] - name = "Resource Hijacking" - id = "T1496" - reference = "https://attack.mitre.org/techniques/T1496/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" 
+[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + - [rule.threat.tactic] - id = "TA0011" - name = "Command and Control" - reference = "https://attack.mitre.org/tactics/TA0011/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] - id = "T1071" - name = "Application Layer Protocol" - reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/initial_access_first_time_public_key_authentication.toml b/rules/linux/initial_access_first_time_public_key_authentication.toml index 79f2452eeb7..d4291121e79 100644 --- a/rules/linux/initial_access_first_time_public_key_authentication.toml +++ b/rules/linux/initial_access_first_time_public_key_authentication.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/04/07" [rule] author = ["Elastic"] 
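Review bot: The `where agent_count == 1` filter, unchanged in this hunk, means the rule fires only when exactly one agent shows the behaviour for a given `process.executable`/`destination.port` pair; if the same malware runs from the same path on two or more hosts in the window, `agent_count` becomes 2 and all of them are suppressed, which is the opposite of what a botnet-style infection looks like. Consider grouping per agent.id instead (the new `VALUES(agent.id)` output shows the field is already in scope) or treating one agent as a floor rather than a cap. Separately, `sort cc asc` with `limit 100` drops the highest-volume groups first if more than 100 groups pass `cc > 15`; for a brute-force detection `sort cc desc` looks like the intended order. Both lines are context here, so this is an observation on the surrounding query rather than on the commit's change.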
@@ -22,6 +22,42 @@ index = ["logs-system.auth-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Successful SSH Authentication from Unusual SSH Public Key" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Successful SSH Authentication from Unusual SSH Public Key + +SSH public key authentication is a secure method for accessing Linux systems, relying on cryptographic keys rather than passwords. Adversaries may exploit this by using stolen or unauthorized keys to gain access. The detection rule identifies successful logins using new public keys, unseen in the past 10 days, signaling potential unauthorized access attempts. This helps in early detection of suspicious activities, aligning with threat tactics like Initial Access. + +### Possible investigation steps + +- Review the specific SSH login event details, focusing on the event.category, event.action, and event.outcome fields to confirm the successful authentication via public key. +- Identify the source IP address and user account associated with the login event to determine if they are known or expected. +- Check the system.auth.ssh.method field to ensure the authentication method was indeed public key and not another method. +- Investigate the history of the public key used for authentication by searching logs for any previous occurrences or related activities within the last 10 days. +- Correlate the event with other security logs or alerts from the same host or user to identify any patterns or additional suspicious activities. 
+- Assess the risk by considering the context of the login, such as the time of access, the location of the source IP, and any recent changes in user behavior or system configurations. +- If unauthorized access is suspected, initiate incident response procedures, including revoking the public key, notifying affected parties, and conducting a thorough security review of the system. + +### False positive analysis + +- Frequent logins from known automation scripts or services using rotating SSH keys can trigger false positives. To manage this, identify these services and add their public keys to an exception list. +- Developers or system administrators who regularly update their SSH keys for security reasons may cause alerts. Maintain a record of authorized personnel and their key update schedules to exclude these events. +- Temporary access granted to third-party vendors or contractors might appear as unusual activity. Ensure that any temporary access is documented and keys are added to an exception list during the access period. +- Test environments where SSH keys are frequently generated and used for various testing purposes can lead to false positives. Implement a separate monitoring policy for test environments to reduce noise in production alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Revoke the unauthorized SSH public key from the system's authorized_keys file to block further access using that key. +- Conduct a thorough review of recent login activities and system logs to identify any additional unauthorized access or suspicious activities that may have occurred. +- Change passwords and regenerate SSH keys for all legitimate users on the affected system to ensure no compromised credentials remain in use. +- Notify the security team and relevant stakeholders about the incident for awareness and further investigation. 
+- Implement additional monitoring on the affected system and related network segments to detect any further suspicious activities or attempts to regain access. +- Review and update access control policies and SSH key management practices to prevent similar incidents in the future, ensuring that only authorized keys are allowed and regularly audited. +""" risk_score = 21 rule_id = "267dace3-a4de-4c94-a7b5-dd6c0f5482e5" setup = """## Setup @@ -51,7 +87,8 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml index dc8425e0e83..ba1728e7df7 100644 --- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml +++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/04/07" [rule] author = ["Elastic"] 
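Review bot: The remediation step "Revoke the unauthorized SSH public key from the system's authorized_keys file" assumes the key lives in the default per-user file; sshd can also load keys from paths set by the `AuthorizedKeysFile` directive or from an `AuthorizedKeysCommand`, so a planted key can survive editing the per-user file. Suggest extending the bullet: `- Revoke the unauthorized SSH public key from the system's authorized_keys file, and check sshd_config for AuthorizedKeysFile and AuthorizedKeysCommand settings that may source keys from elsewhere.` The investigation steps name `system.auth.ssh.method` but never name the field that identifies the key itself, which is presumably what the new_terms logic keys on (not visible in this hunk); naming it would give the analyst a direct pivot for the "investigate the history of the public key" step. The note string is complete within this hunk.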
@@ -16,6 +16,41 @@ index = ["logs-system.auth-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Successful SSH Authentication from Unusual IP Address" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Successful SSH Authentication from Unusual IP Address + +Secure Shell (SSH) is a protocol used to securely access and manage Linux systems. Adversaries may exploit SSH by using stolen credentials to gain unauthorized access. The detection rule identifies successful logins from IPs not seen in the past 10 days, flagging potential intrusions. This approach helps in spotting unusual access patterns that could indicate compromised accounts. + +### Possible investigation steps + +- Review the IP address flagged in the alert to determine its geolocation and assess if it aligns with expected access patterns for the user account involved. +- Check historical authentication logs for the user account to identify any other unusual or unauthorized access attempts, focusing on the event.category:authentication and event.action:ssh_login fields. +- Investigate the user account's recent activity on the system to identify any suspicious commands or actions executed post-authentication. +- Correlate the flagged IP address with known threat intelligence sources to determine if it is associated with any malicious activity or previously reported incidents. +- Contact the user associated with the account to verify if they recognize the login attempt and if they have recently accessed the system from a new location or device. 
+ +### False positive analysis + +- New employee or contractor access from a previously unseen IP address may trigger the rule. Regularly update the list of known IP addresses for new users to prevent unnecessary alerts. +- Remote workers or employees traveling may log in from different IP addresses. Implement a process to whitelist IP ranges associated with common travel destinations or VPNs used by the organization. +- Automated scripts or services that occasionally run from different IPs can cause false positives. Identify and document these services, then create exceptions for their known IP addresses. +- Cloud-based infrastructure changes, such as new instances or containers, might authenticate from new IPs. Maintain an updated inventory of cloud resources and their expected IP ranges to adjust the rule accordingly. +- Third-party vendors accessing systems for maintenance or support might use different IPs. Establish a protocol for temporary exceptions for vendor IPs during their access periods. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker. +- Verify the legitimacy of the login by contacting the account owner to confirm whether the access was authorized. If unauthorized, proceed with further steps. +- Change the password of the compromised account and any other accounts that may have been accessed using the same credentials. +- Review and analyze the system logs for any additional suspicious activity or changes made during the unauthorized access period. +- Escalate the incident to the security operations team for a thorough investigation and to determine if further systems are affected. +- Implement IP whitelisting or geofencing to restrict SSH access to known and trusted IP addresses only. 
+- Update and enhance monitoring rules to detect similar unauthorized access attempts in the future, ensuring that alerts are promptly reviewed and acted upon. +""" risk_score = 21 rule_id = "5c495612-9992-49a7-afe3-0f647671fb60" setup = """## Setup @@ -45,7 +80,8 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml index b1ca9ab719d..02da411c3c8 100644 --- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml +++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/04/07" [rule] author = ["Elastic"] 
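Review bot: The false-positive guidance in this note tells operators to "whitelist IP ranges associated with common travel destinations", which exempts broad geographic ranges from a rule whose purpose is to surface logins from unfamiliar sources; the exception should be scoped to the organisation's own VPN or remote-access egress addresses, which the same bullet already mentions. Suggest rewording that bullet to `- Remote workers or travelling employees should connect through the organisation's VPN; add only the VPN's egress IP ranges as exceptions rather than geographic ranges for travel destinations.` The "past 10 days" window quoted in the investigation summary is not visible in this hunk, so it should be checked against the rule's new_terms history window before the guide is merged.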
@@ -21,6 +21,41 @@ index = ["logs-system.auth-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Successful SSH Authentication from Unusual User" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Successful SSH Authentication from Unusual User + +SSH (Secure Shell) is a protocol used to securely access and manage Linux systems. Adversaries may exploit valid user accounts to gain unauthorized access, bypassing traditional security measures. The detection rule identifies unusual SSH logins by flagging users who haven't logged in for over 10 days, indicating potential misuse of credentials. This proactive approach helps in early detection of unauthorized access attempts. + +### Possible investigation steps + +- Review the specific user account involved in the alert to determine if the login is expected or authorized, considering the user's typical login patterns and responsibilities. +- Check the source IP address of the SSH login to see if it is recognized or associated with previous legitimate access, or if it appears unusual or suspicious. +- Analyze the timing of the login event to see if it coincides with any known maintenance windows or scheduled activities that could explain the access. +- Investigate any recent changes to the user's account, such as password resets or modifications to permissions, that could indicate potential compromise. +- Correlate the SSH login event with other logs or alerts from the same timeframe to identify any additional suspicious activities or patterns that could suggest a broader security incident. 
+ +### False positive analysis + +- Users returning from extended leave or vacation may trigger the rule. To manage this, create exceptions for users with known absence periods. +- System administrators or service accounts that log in infrequently for maintenance tasks can be excluded by identifying and documenting these accounts. +- Automated scripts or processes that authenticate sporadically might be flagged. Review and whitelist these processes if they are legitimate and necessary for operations. +- Temporary contractors or consultants with limited access periods may cause alerts. Ensure their access is documented and create exceptions for their accounts during their engagement period. +- Accounts used for testing or development purposes that are not regularly active can be excluded by maintaining a list of such accounts and updating it as needed. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker. +- Terminate the active SSH session associated with the unusual login to cut off the attacker's access. +- Reset the password for the compromised user account and any other accounts that may have been accessed using the same credentials. +- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional compromised accounts. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems or accounts have been affected. +- Implement multi-factor authentication (MFA) for SSH access to enhance security and prevent similar unauthorized access attempts in the future. +- Update and enhance monitoring rules to detect similar unusual login patterns, ensuring early detection of potential threats. +""" risk_score = 21 rule_id = "5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d" severity = "low" 
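Review bot: The first response step in this note is "Immediately isolate the affected system from the network", yet the same hunk shows `risk_score = 21` and `severity = "low"`, and the rule fires for any account not seen in the history window (returning staff, infrequent admins, as the false-positive section itself lists); disruptive containment before any verification is out of proportion for that signal. The sibling guide for the unusual-IP rule in this commit puts verification with the account owner as an explicit step; suggest adding `- Verify with the account owner or their manager whether the login was expected before taking disruptive containment actions.` ahead of the isolation bullet so the two guides follow the same order.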
@@ -29,7 +64,8 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml index c6bed10609b..758bad70443 100644 --- a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml +++ b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/20" +updated_date = "2025/04/07" [rule] author = ["Elastic"] 
@@ -16,6 +16,42 @@ index = ["logs-endpoint.events.file*", "auditbeat-*"] language = "eql" license = "Elastic License v2" name = "Remote File Creation in World Writeable Directory" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Remote File Creation in World Writeable Directory + +In Linux environments, world-writeable directories like `/tmp` and `/var/tmp` are used for temporary file storage, accessible by all users. Adversaries exploit these directories to deposit malicious files via remote services such as SSH or FTP, facilitating lateral movement. The detection rule identifies file creation events in these directories by non-root users using common file transfer services, signaling potential unauthorized activity. + +### Possible investigation steps + +- Review the file creation event details, focusing on the file path to determine if it matches any known malicious patterns or if it is unusual for the environment. +- Identify the user associated with the file creation event by examining the user.id field, and verify if this user should have access to the affected directory. +- Investigate the process responsible for the file creation by analyzing the process.name field to determine if it aligns with expected usage patterns for the user and system. +- Check the source IP address and connection details related to the file transfer service used (e.g., SSH, FTP) to identify any suspicious or unauthorized access attempts. +- Correlate the event with other recent activities on the host to identify any patterns of lateral movement or other suspicious behavior. 
+- Review historical data for similar file creation events by the same user or process to assess if this is part of a recurring pattern or an isolated incident. + +### False positive analysis + +- Routine administrative tasks: System administrators often use file transfer services like scp or rsync to move files for legitimate purposes. To reduce false positives, create exceptions for known administrative accounts or specific file paths that are regularly used for maintenance. +- Automated scripts and cron jobs: Automated processes may create temporary files in world-writeable directories. Identify and whitelist these scripts or jobs by their process names or user accounts to prevent unnecessary alerts. +- Software updates and installations: Some software updates or installations may temporarily use world-writeable directories. Monitor and document these activities, and consider excluding specific update processes or package managers from the rule. +- Development and testing environments: Developers may use these directories for testing purposes. Establish a separate monitoring policy for development environments or exclude known developer accounts to minimize false positives. +- Backup operations: Backup tools might use temporary directories for staging files. Identify these tools and their typical behavior, and create exceptions based on their process names or user IDs. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further lateral movement by the adversary. +- Terminate any suspicious processes associated with file transfer services (e.g., scp, ssh, ftp) that are not part of legitimate user activity. +- Remove any unauthorized files created in world-writeable directories such as /tmp, /var/tmp, or /dev/shm to eliminate potential threats. +- Conduct a thorough review of user accounts and permissions, focusing on non-root users who have recently accessed the system, to identify any unauthorized access. 
+- Reset credentials for compromised or potentially compromised accounts to prevent further unauthorized access. +- Monitor network traffic for unusual patterns or connections to external IP addresses that may indicate ongoing or additional compromise attempts. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been affected, ensuring a coordinated response. +""" risk_score = 47 rule_id = "3e528511-7316-4a6e-83da-61b5f1c07fd4" setup = """## Setup @@ -62,6 +98,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index b111e3b5fc0..5faf68cef08 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/21" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
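Review bot: The remediation list tells responders to "Remove any unauthorized files created in world-writeable directories such as /tmp, /var/tmp, or /dev/shm" without first preserving them, which destroys the primary artefact needed to confirm what was staged and to produce indicators for the rest of the estate. Suggest inserting, before the removal bullet, `- Preserve a copy, hash, and metadata (owner, timestamps, permissions) of the created file for analysis before removing it.` The summary paragraph describes the rule as matching "non-root users using common file transfer services"; the query is outside this hunk, so that description should be checked against the actual EQL filter.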
@@ -13,10 +11,51 @@ Identifies processes that are capable of downloading files with command line arg autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential SSH-IT SSH Worm Downloaded" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential SSH-IT SSH Worm Downloaded + +SSH-IT is an autonomous worm that exploits SSH connections to propagate across networks. It hijacks outgoing SSH sessions, allowing adversaries to move laterally within a compromised environment. Attackers often use tools like curl or wget to download the worm from specific URLs. The detection rule identifies these download attempts by monitoring process activities on Linux systems, focusing on command-line arguments that match known malicious URLs, thereby alerting security teams to potential threats. + +### Possible investigation steps + +- Review the alert details to identify the specific process name (either curl or wget) and the URL involved in the download attempt to confirm it matches one of the known malicious URLs listed in the query. 
+- Check the process execution context, including the user account under which the process was executed, to determine if it was initiated by a legitimate user or potentially compromised account. +- Investigate the source IP address and hostname of the affected Linux system to understand its role within the network and assess the potential impact of lateral movement. +- Examine the system's SSH logs to identify any unusual or unauthorized SSH connections that may indicate further compromise or lateral movement attempts. +- Analyze the network traffic logs for any outbound connections to the identified malicious URLs to confirm whether the download attempt was successful and if any additional payloads were retrieved. +- Review historical alerts and logs for any previous similar activities on the same host or user account to identify patterns or repeated attempts that may indicate a persistent threat. + +### False positive analysis + +- Legitimate administrative tasks using curl or wget to download files from the internet may trigger the rule. To manage this, security teams can create exceptions for specific URLs or IP addresses known to be safe and frequently accessed by administrators. +- Automated scripts or cron jobs that use curl or wget to download updates or configuration files from trusted internal or external sources might be flagged. Users can whitelist these scripts or the specific URLs they access to prevent unnecessary alerts. +- Development or testing environments where developers frequently download open-source tools or libraries using curl or wget could generate false positives. Implementing a policy to exclude these environments from the rule or setting up a separate monitoring profile for them can help reduce noise. +- Security tools or monitoring solutions that use curl or wget for health checks or data collection might be mistakenly identified. 
Identifying these tools and excluding their known benign activities from the rule can help maintain focus on genuine threats. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further lateral movement by the SSH-IT worm. +- Terminate any suspicious processes identified as using curl or wget with the malicious URLs to stop the download and execution of the worm. +- Conduct a thorough scan of the isolated host using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any instances of the SSH-IT worm. +- Review and reset credentials for any SSH accounts that may have been compromised, ensuring the use of strong, unique passwords and considering the implementation of multi-factor authentication (MFA). +- Analyze network logs and SSH access logs to identify any lateral movement or unauthorized access attempts, and take steps to secure any other potentially compromised systems. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Update firewall and intrusion detection/prevention system (IDS/IPS) rules to block the known malicious URLs and monitor for any future attempts to access them.""" references = ["https://www.thc.org/ssh-it/"] risk_score = 47 rule_id = "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea" 
@@ -70,40 +109,6 @@ process where host.os.type == "linux" and event.type == "start" and "https://thc.org/ssh-it/bs", "http://nossl.segfault.net/bs" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential SSH-IT SSH Worm Downloaded - -SSH-IT is an autonomous worm that exploits SSH connections to propagate across networks. It hijacks outgoing SSH sessions, allowing adversaries to move laterally within a compromised environment. Attackers often use tools like curl or wget to download the worm from specific URLs. The detection rule identifies these download attempts by monitoring process activities on Linux systems, focusing on command-line arguments that match known malicious URLs, thereby alerting security teams to potential threats. - -### Possible investigation steps - -- Review the alert details to identify the specific process name (either curl or wget) and the URL involved in the download attempt to confirm it matches one of the known malicious URLs listed in the query. -- Check the process execution context, including the user account under which the process was executed, to determine if it was initiated by a legitimate user or potentially compromised account. -- Investigate the source IP address and hostname of the affected Linux system to understand its role within the network and assess the potential impact of lateral movement. -- Examine the system's SSH logs to identify any unusual or unauthorized SSH connections that may indicate further compromise or lateral movement attempts. 
-- Analyze the network traffic logs for any outbound connections to the identified malicious URLs to confirm whether the download attempt was successful and if any additional payloads were retrieved. -- Review historical alerts and logs for any previous similar activities on the same host or user account to identify patterns or repeated attempts that may indicate a persistent threat. - -### False positive analysis - -- Legitimate administrative tasks using curl or wget to download files from the internet may trigger the rule. To manage this, security teams can create exceptions for specific URLs or IP addresses known to be safe and frequently accessed by administrators. -- Automated scripts or cron jobs that use curl or wget to download updates or configuration files from trusted internal or external sources might be flagged. Users can whitelist these scripts or the specific URLs they access to prevent unnecessary alerts. -- Development or testing environments where developers frequently download open-source tools or libraries using curl or wget could generate false positives. Implementing a policy to exclude these environments from the rule or setting up a separate monitoring profile for them can help reduce noise. -- Security tools or monitoring solutions that use curl or wget for health checks or data collection might be mistakenly identified. Identifying these tools and excluding their known benign activities from the rule can help maintain focus on genuine threats. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further lateral movement by the SSH-IT worm. -- Terminate any suspicious processes identified as using curl or wget with the malicious URLs to stop the download and execution of the worm. -- Conduct a thorough scan of the isolated host using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any instances of the SSH-IT worm. 
-- Review and reset credentials for any SSH accounts that may have been compromised, ensuring the use of strong, unique passwords and considering the implementation of multi-factor authentication (MFA). -- Analyze network logs and SSH access logs to identify any lateral movement or unauthorized access attempts, and take steps to secure any other potentially compromised systems. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Update firewall and intrusion detection/prevention system (IDS/IPS) rules to block the known malicious URLs and monitor for any future attempts to access them.""" [[rule.threat]] diff --git a/rules/linux/lateral_movement_ssh_process_launched_inside_container.toml b/rules/linux/lateral_movement_ssh_process_launched_inside_container.toml new file mode 100644 index 00000000000..90efac94a21 --- /dev/null +++ b/rules/linux/lateral_movement_ssh_process_launched_inside_container.toml 
@@ -0,0 +1,138 @@ +[metadata] +creation_date = "2025/03/12" +integration = ["endpoint"] +maturity = "production" +updated_date = "2025/03/12" + +[rule] +author = ["Elastic"] +description = """ +This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and +server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With +valid credentials an attacker may move laterally to other containers or to the underlying host through container +breakout. They may also use valid SSH credentials as a persistence mechanism. +""" +false_positives = [ + """ + SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed + to distinguish between authorized and potentially malicious behavior. + """, +] +from = "now-9m" +index = ["logs-endpoint.events.process*"] +language = "eql" +license = "Elastic License v2" +name = "SSH Process Launched From Inside A Container" +references = [ + "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", + "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/", +] +risk_score = 47 +rule_id = "5c50ffa6-07f4-4cce-a1b7-c16928a2ed52" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". 
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. + +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+""" +severity = "medium" +tags = [ + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.entry_leader.entry_meta.type == "container" and process.name in ("sshd", "ssh", "autossh") +''' +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating SSH Process Launched From Inside A Container + +SSH (Secure Shell) is a protocol used for secure remote access and management of systems. Within container environments, SSH usage is atypical and can signal potential security risks. Adversaries may exploit SSH to move laterally between containers or escape to the host system. The detection rule identifies SSH processes initiated within containers, flagging potential unauthorized access or persistence attempts by monitoring process events and container identifiers. + +### Possible investigation steps + +- Examine the process start event details, including the process name (sshd, ssh, autossh) and event actions (fork, exec), to understand the context and nature of the SSH activity. +- Check for any recent changes or deployments related to the container to identify if the SSH process aligns with expected behavior or recent updates. +- Investigate the source and destination of the SSH connection to determine if it involves unauthorized or suspicious endpoints, potentially indicating lateral movement or an attempt to access the host system. 
+- Analyze user accounts and credentials used in the SSH session to verify if they are legitimate and authorized for container access, looking for signs of compromised credentials. +- Correlate the SSH activity with other security events or alerts to identify patterns or additional indicators of compromise within the container environment. + +### False positive analysis + +- Development and testing environments may intentionally use SSH for debugging or administrative tasks. Users can create exceptions for specific container IDs or hostnames associated with these environments to reduce noise. +- Automated scripts or orchestration tools might use SSH to manage containers. Identify these tools and exclude their process IDs or user accounts from triggering the rule. +- Some legacy applications might rely on SSH for internal communication. Review these applications and whitelist their specific process names or container images to prevent false alerts. +- Containers running SSH for legitimate remote access purposes, such as maintenance, should be documented. Exclude these containers by their unique identifiers or labels to avoid unnecessary alerts. +- Regularly review and update the exclusion list to ensure it aligns with current operational practices and does not inadvertently allow malicious activity. + +### Response and remediation + +- Immediately isolate the affected container to prevent potential lateral movement or further unauthorized access. This can be done by stopping the container or disconnecting it from the network. +- Conduct a thorough review of the container's logs and environment to identify any unauthorized access or changes. Pay special attention to SSH-related logs and any anomalies in user activity. +- Revoke any SSH keys or credentials that may have been compromised. Ensure that all SSH keys used within the container environment are rotated and that access is restricted to only necessary personnel. 
+- Assess the container image and configuration for vulnerabilities or misconfigurations that may have allowed the SSH process to be initiated. Patch any identified vulnerabilities and update the container image accordingly. +- Implement network segmentation to limit the ability of containers to communicate with each other and the host system, reducing the risk of lateral movement. +- Enhance monitoring and alerting for SSH activity within container environments to ensure rapid detection of similar threats in the future. This includes setting up alerts for any SSH process initiation within containers. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems or containers have been affected.""" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 68dda3bbad7..25ac5222028 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml 
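Review bot: The first investigation step in the note refers to "event actions (fork, exec)", but the query in this file matches only `event.action == "exec"`, so an analyst following the guide would look for fork events the rule never produces; suggest changing that phrase to `event action (exec)`. The false-positive section also advises excluding orchestration tools by "their process IDs", which are ephemeral and cannot form a stable exception; container image, labels, or `process.entry_leader` attributes are the keys that survive restarts. As a point of style, this new file places `note` after `query`, whereas the same commit moves the ssh_it rule's `note` to sit before `references`; the new file should follow the ordering the commit is normalising to.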
@@ -2,9 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -25,6 +23,40 @@ index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs language = "eql" license = "Elastic License v2" name = "Connection to External Network via Telnet" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Connection to External Network via Telnet + +Telnet is a protocol offering a command-line interface for remote communication, often used for device management. However, its lack of encryption makes it vulnerable to interception, allowing adversaries to exploit it for unauthorized access or data exfiltration. The detection rule identifies Telnet connections to external IPs, flagging potential lateral movement by excluding known internal and reserved IP ranges. + +### Possible investigation steps + +- Review the alert details to identify the specific process.entity_id and destination IP address involved in the Telnet connection. +- Verify the legitimacy of the destination IP address by checking if it belongs to a known or trusted external entity, using threat intelligence sources or IP reputation services. +- Investigate the process details associated with the process.entity_id to determine the user account and command line arguments used during the Telnet session. +- Check the system logs and user activity on the host to identify any unusual behavior or unauthorized access attempts around the time of the Telnet connection. +- Assess whether the Telnet connection aligns with expected business operations or if it indicates potential lateral movement or data exfiltration attempts. 
+ +### False positive analysis + +- Internal device management using Telnet may trigger false positives if the destination IPs are not included in the known internal ranges. Users should verify and update the list of internal IP ranges to include any additional internal networks used for legitimate Telnet connections. +- Automated scripts or monitoring tools that use Telnet for legitimate purposes can cause false positives. Identify these scripts and consider creating exceptions for their specific IP addresses or process names to prevent unnecessary alerts. +- Testing environments that simulate external connections for development purposes might be flagged. Ensure that IP addresses used in these environments are documented and excluded from the detection rule to avoid false positives. +- Legacy systems that rely on Telnet for communication with external partners or services may be mistakenly flagged. Review these systems and, if deemed secure, add their IP addresses to an exception list to reduce false alerts. +- Misconfigured network devices that inadvertently use Telnet for external communication can trigger alerts. Regularly audit network configurations and update the detection rule to exclude known benign IPs associated with these devices. + +### Response and remediation + +- Immediately isolate the affected Linux host from the network to prevent further unauthorized access or data exfiltration. +- Terminate any active Telnet sessions on the affected host to stop ongoing malicious activity. +- Conduct a thorough review of the affected system's logs and processes to identify any unauthorized changes or additional compromised accounts. +- Change all passwords associated with the affected system and any other systems that may have been accessed using Telnet. +- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. 
+- Implement network segmentation to limit Telnet access to only necessary internal systems and block Telnet traffic to external networks.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 47
 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
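Review bot: The legacy-systems bullet in the false positive section tells users to add external Telnet peers to an exception list "if deemed secure", which contradicts the guide's own opening point that Telnet is unencrypted and interceptable; an external cleartext session cannot be made secure by an exception. I would reword it to `- Legacy systems that still rely on Telnet with external partners should be documented as an accepted risk; scope any exception to the specific source host, user and destination IP rather than the destination alone, and plan a migration to SSH.` The password-change bullet in the remediation section would also benefit from stating why it is needed, e.g. `credentials entered over Telnet travel in cleartext and must be treated as exposed`, so analysts rotate them rather than treating it as optional hardening.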
@@ -89,40 +121,6 @@ sequence by process.entity_id ) ] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Connection to External Network via Telnet - -Telnet is a protocol offering a command-line interface for remote communication, often used for device management. However, its lack of encryption makes it vulnerable to interception, allowing adversaries to exploit it for unauthorized access or data exfiltration. The detection rule identifies Telnet connections to external IPs, flagging potential lateral movement by excluding known internal and reserved IP ranges. - -### Possible investigation steps - -- Review the alert details to identify the specific process.entity_id and destination IP address involved in the Telnet connection. -- Verify the legitimacy of the destination IP address by checking if it belongs to a known or trusted external entity, using threat intelligence sources or IP reputation services. -- Investigate the process details associated with the process.entity_id to determine the user account and command line arguments used during the Telnet session. -- Check the system logs and user activity on the host to identify any unusual behavior or unauthorized access attempts around the time of the Telnet connection. -- Assess whether the Telnet connection aligns with expected business operations or if it indicates potential lateral movement or data exfiltration attempts. - -### False positive analysis - -- Internal device management using Telnet may trigger false positives if the destination IPs are not included in the known internal ranges. 
Users should verify and update the list of internal IP ranges to include any additional internal networks used for legitimate Telnet connections. -- Automated scripts or monitoring tools that use Telnet for legitimate purposes can cause false positives. Identify these scripts and consider creating exceptions for their specific IP addresses or process names to prevent unnecessary alerts. -- Testing environments that simulate external connections for development purposes might be flagged. Ensure that IP addresses used in these environments are documented and excluded from the detection rule to avoid false positives. -- Legacy systems that rely on Telnet for communication with external partners or services may be mistakenly flagged. Review these systems and, if deemed secure, add their IP addresses to an exception list to reduce false alerts. -- Misconfigured network devices that inadvertently use Telnet for external communication can trigger alerts. Regularly audit network configurations and update the detection rule to exclude known benign IPs associated with these devices. - -### Response and remediation - -- Immediately isolate the affected Linux host from the network to prevent further unauthorized access or data exfiltration. -- Terminate any active Telnet sessions on the affected host to stop ongoing malicious activity. -- Conduct a thorough review of the affected system's logs and processes to identify any unauthorized changes or additional compromised accounts. -- Change all passwords associated with the affected system and any other systems that may have been accessed using Telnet. -- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. -- Implement network segmentation to limit Telnet access to only necessary internal systems and block Telnet traffic to external networks. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index 107c0a38bc3..e01b71b1232 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -25,6 +23,41 @@ index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs language = "eql" license = "Elastic License v2" name = "Connection to Internal Network via Telnet" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Connection to Internal Network via Telnet + +Telnet is a protocol offering a command-line interface for remote device management, often used in network environments. Adversaries may exploit Telnet to move laterally within a network, accessing non-public IPs to execute commands or exfiltrate data. The detection rule identifies Telnet connections to internal IP ranges, flagging potential unauthorized access attempts, thus aiding in early threat detection and response. + +### Possible investigation steps + +- Review the process details to confirm the Telnet connection initiation by examining the process.entity_id and process.name fields to ensure the process is indeed Telnet. +- Analyze the destination IP address to determine if it falls within the specified non-public IP ranges, indicating an internal network connection attempt. +- Check the event.type field to verify that the Telnet process event is of type "start", confirming the initiation of a connection. +- Investigate the source host by reviewing host.os.type and other relevant host details to understand the context and legitimacy of the connection attempt. +- Correlate the Telnet activity with any other suspicious network or process activities on the same host to identify potential lateral movement or data exfiltration attempts. 
+- Consult historical logs and alerts to determine if there have been previous similar Telnet connection attempts from the same source, which might indicate a pattern or ongoing threat. + +### False positive analysis + +- Routine administrative tasks using Telnet within internal networks can trigger false positives. To manage this, create exceptions for known IP addresses or specific user accounts that regularly perform these tasks. +- Automated scripts or monitoring tools that use Telnet for legitimate purposes may be flagged. Identify these scripts and whitelist their associated processes or IP addresses to prevent unnecessary alerts. +- Internal testing environments often simulate network activities, including Telnet connections. Exclude IP ranges associated with these environments to reduce false positives. +- Legacy systems that rely on Telnet for communication might generate alerts. Document these systems and apply exceptions based on their IP addresses or hostnames to avoid repeated false positives. +- Regularly review and update the list of excluded IPs and processes to ensure that only legitimate activities are exempted, maintaining the effectiveness of the detection rule. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further lateral movement or data exfiltration. +- Terminate any active Telnet sessions on the affected host to stop unauthorized access. +- Conduct a thorough review of the affected host's system logs and Telnet session logs to identify any unauthorized commands executed or data accessed. +- Change all credentials that may have been exposed or used during the unauthorized Telnet sessions to prevent further unauthorized access. +- Apply security patches and updates to the affected host and any other systems that may be vulnerable to similar exploitation. 
+- Implement network segmentation to limit Telnet access to only necessary systems and ensure that Telnet is disabled on systems where it is not required.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised."""
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 47
 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
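Review bot: The false positive bullet "whitelist their associated processes or IP addresses" is too coarse for this rule: the guide's own first investigation step says the detection confirms the process is Telnet via process.name, so a process-name exception would exempt the very process the rule keys on and effectively disable it. I would narrow the wording to `Identify these scripts and create exceptions keyed on the source host or user and the specific destination IP, rather than on the process name.` The later legacy-systems bullet already uses the host/IP form, so this change also makes the section consistent.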
@@ -89,41 +122,6 @@ sequence by process.entity_id ) ] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Connection to Internal Network via Telnet - -Telnet is a protocol offering a command-line interface for remote device management, often used in network environments. Adversaries may exploit Telnet to move laterally within a network, accessing non-public IPs to execute commands or exfiltrate data. The detection rule identifies Telnet connections to internal IP ranges, flagging potential unauthorized access attempts, thus aiding in early threat detection and response. - -### Possible investigation steps - -- Review the process details to confirm the Telnet connection initiation by examining the process.entity_id and process.name fields to ensure the process is indeed Telnet. -- Analyze the destination IP address to determine if it falls within the specified non-public IP ranges, indicating an internal network connection attempt. -- Check the event.type field to verify that the Telnet process event is of type "start", confirming the initiation of a connection. -- Investigate the source host by reviewing host.os.type and other relevant host details to understand the context and legitimacy of the connection attempt. -- Correlate the Telnet activity with any other suspicious network or process activities on the same host to identify potential lateral movement or data exfiltration attempts. -- Consult historical logs and alerts to determine if there have been previous similar Telnet connection attempts from the same source, which might indicate a pattern or ongoing threat. 
- -### False positive analysis - -- Routine administrative tasks using Telnet within internal networks can trigger false positives. To manage this, create exceptions for known IP addresses or specific user accounts that regularly perform these tasks. -- Automated scripts or monitoring tools that use Telnet for legitimate purposes may be flagged. Identify these scripts and whitelist their associated processes or IP addresses to prevent unnecessary alerts. -- Internal testing environments often simulate network activities, including Telnet connections. Exclude IP ranges associated with these environments to reduce false positives. -- Legacy systems that rely on Telnet for communication might generate alerts. Document these systems and apply exceptions based on their IP addresses or hostnames to avoid repeated false positives. -- Regularly review and update the list of excluded IPs and processes to ensure that only legitimate activities are exempted, maintaining the effectiveness of the detection rule. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further lateral movement or data exfiltration. -- Terminate any active Telnet sessions on the affected host to stop unauthorized access. -- Conduct a thorough review of the affected host's system logs and Telnet session logs to identify any unauthorized commands executed or data accessed. -- Change all credentials that may have been exposed or used during the unauthorized Telnet sessions to prevent further unauthorized access. -- Apply security patches and updates to the affected host and any other systems that may be vulnerable to similar exploitation. -- Implement network segmentation to limit Telnet access to only necessary systems and ensure that Telnet is disabled on systems where it is not required. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised."""
 [[rule.threat]]
diff --git a/rules/linux/lateral_movement_unusual_remote_file_creation.toml b/rules/linux/lateral_movement_unusual_remote_file_creation.toml
index c0c045fc73e..778d04d6156 100644
--- a/rules/linux/lateral_movement_unusual_remote_file_creation.toml
+++ b/rules/linux/lateral_movement_unusual_remote_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/20"
+updated_date = "2025/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,42 @@ index = ["logs-endpoint.events.file*", "auditbeat-*"] language = "kuery" license = "Elastic License v2" name = "Unusual Remote File Creation" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Remote File Creation + +Remote file creation tools like SCP, FTP, and SFTP are essential for transferring files across networks, often used in legitimate administrative tasks. However, adversaries can exploit these services to move laterally within a network, creating files in unauthorized locations. The detection rule identifies suspicious file creation activities by monitoring specific processes and excluding typical paths, thus highlighting potential lateral movement attempts by attackers. + +### Possible investigation steps + +- Review the alert details to identify the specific process name (e.g., scp, ftp, sftp) involved in the file creation event. +- Examine the file path where the file was created to determine if it is an unusual or unauthorized location, considering the exclusion of typical paths like /dev/ptmx, /run/*, or /var/run/*. +- Check the user account associated with the process to verify if it is a legitimate user or if there are signs of compromised credentials. +- Investigate the source and destination IP addresses involved in the file transfer to identify any suspicious or unexpected network connections. +- Analyze recent activity on the host to identify any other unusual or unauthorized actions that may indicate lateral movement or further compromise. +- Correlate this event with other alerts or logs to determine if it is part of a broader attack pattern or campaign within the network. 
+ +### False positive analysis + +- Administrative file transfers: Legitimate administrative tasks often involve transferring files using SCP, FTP, or SFTP. To manage this, create exceptions for known administrative accounts or specific IP addresses that regularly perform these tasks. +- Automated backup processes: Scheduled backups may use tools like rsync or sftp-server to create files remotely. Identify and exclude these processes by specifying the paths or scripts involved in the backup operations. +- System updates and patches: Some system updates might involve remote file creation in non-standard directories. Monitor update schedules and exclude these activities by correlating them with known update events. +- Development and testing environments: Developers may use remote file transfer services to deploy or test applications. Establish a baseline of typical development activities and exclude these from alerts by defining specific user accounts or project directories. +- Third-party integrations: Some third-party applications might require remote file creation as part of their functionality. Document these integrations and exclude their associated processes or file paths from triggering alerts. + +### Response and remediation + +- Isolate the affected host immediately to prevent further lateral movement within the network. This can be done by removing the host from the network or applying network segmentation controls. +- Terminate any suspicious processes identified in the alert, such as scp, ftp, sftp, vsftpd, sftp-server, or sync, to stop unauthorized file transfers. +- Conduct a thorough review of the file paths and files created to determine if any sensitive data has been compromised or if any malicious files have been introduced. +- Restore any unauthorized or malicious file changes from known good backups to ensure system integrity. +- Update and patch the affected systems to close any vulnerabilities that may have been exploited by the attacker. 
+- Implement stricter access controls and authentication mechanisms for remote file transfer services to prevent unauthorized use.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.
+"""
 risk_score = 47
 rule_id = "ed3fedc3-dd10-45a5-a485-34a8b48cea46"
 setup = """## Setup
@@ -63,6 +99,7 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Lateral Movement",
     "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml
index 625d5d4de54..4e477752c24 100644
--- a/rules/linux/persistence_apt_package_manager_execution.toml
+++ b/rules/linux/persistence_apt_package_manager_execution.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
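Review bot: The new `note` in the Unusual Remote File Creation hunk opens with `note = """ ## Triage and analysis` (a stray space before `##`) and closes with `"""` on its own line, whereas every other guide in this change uses `note = """## Triage and analysis` and ends the string on the last bullet; I would make it `note = """## Triage and analysis` and move the closing quotes onto the final "Escalate" bullet so the rendered heading and trailing whitespace match the rest. Separately, the remediation bullet lists the processes to terminate as "scp, ftp, sftp, vsftpd, sftp-server, or sync", while the false positive section talks about rsync; `sync` is the filesystem-flush utility, so this looks like a typo for `rsync` and should be checked against the rule's query, which lies outside this hunk.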
@@ -20,6 +18,41 @@ index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious APT Package Manager Execution" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious APT Package Manager Execution + +The APT package manager is a vital tool for managing software on Debian-based Linux systems, handling tasks like installation and updates. Adversaries may exploit APT by embedding malicious scripts to maintain persistence and control. The detection rule identifies unusual shell or script executions initiated by APT, signaling potential backdoor activities, thus aiding in early threat detection and response. + +### Possible investigation steps + +- Review the process execution details to identify the specific shell or script that was executed with APT as the parent process. Pay attention to the process names and arguments, such as "bash", "dash", "sh", etc., and the presence of the "-c" argument. +- Examine the command-line arguments and scripts executed by the suspicious process to determine if they contain any malicious or unexpected commands. +- Check the parent process details, specifically the APT process, to understand the context in which the shell or script was executed. This includes reviewing any recent package installations or updates that might have triggered the execution. +- Investigate the user account under which the suspicious process was executed to assess if it has been compromised or if it has elevated privileges that could be exploited. 
+- Correlate the event with other security logs or alerts from the same host to identify any additional indicators of compromise or related suspicious activities. +- Review the system's package management logs to identify any recent changes or anomalies in package installations or updates that could be linked to the suspicious execution. + +### False positive analysis + +- Legitimate administrative scripts executed by system administrators using APT may trigger the rule. To handle this, identify and document routine administrative tasks and create exceptions for these specific scripts or commands. +- Automated system maintenance scripts that use APT for updates or installations can be mistaken for suspicious activity. Review and whitelist these scripts by their specific command patterns or script names. +- Custom software deployment processes that involve APT and shell scripts might be flagged. Analyze these processes and exclude them by defining clear criteria for legitimate deployment activities. +- Security tools or monitoring solutions that interact with APT for scanning or auditing purposes may cause false positives. Verify these tools' operations and exclude their known benign processes from triggering the rule. +- Development environments where developers frequently use APT and shell scripts for testing and building software can lead to alerts. Establish a baseline of normal development activities and exclude these from the detection rule. + +### Response and remediation + +- Isolate the affected host immediately to prevent further unauthorized access or lateral movement within the network. +- Terminate any suspicious processes identified in the alert, particularly those initiated by the APT package manager that match the query criteria. +- Conduct a thorough review of the APT configuration files and scripts to identify and remove any injected malicious code or unauthorized modifications. 
+- Restore the affected system from a known good backup if malicious modifications are extensive or if the integrity of the system cannot be assured.
+- Update all system packages and apply security patches to mitigate vulnerabilities that may have been exploited by the adversary.
+- Monitor the affected host and network for any signs of re-infection or further suspicious activity, focusing on the execution of shell scripts and unauthorized network connections.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised."""
 references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"]
 risk_score = 47
 rule_id = "ad959eeb-2b7b-4722-ba08-a45f6622f005"
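Review bot: The remediation bullet "Conduct a thorough review of the APT configuration files and scripts" is too vague to act on during an incident, given that the guide's summary says adversaries persist by embedding scripts that APT runs. I would name where those live: `- Review the APT hook configuration under /etc/apt/apt.conf.d/ (Pre-Invoke, Post-Invoke and DPkg::Pre-Install-Pkgs style directives) and the maintainer scripts of recently installed packages, and remove any unexpected command that spawns a shell.` The referenced Security Labs article on persistence mechanisms covers this, so the bullet could also point the analyst to it.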
@@ -76,41 +109,6 @@ sequence by host.id with maxspan=5s ) ] by process.parent.entity_id ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious APT Package Manager Execution - -The APT package manager is a vital tool for managing software on Debian-based Linux systems, handling tasks like installation and updates. Adversaries may exploit APT by embedding malicious scripts to maintain persistence and control. The detection rule identifies unusual shell or script executions initiated by APT, signaling potential backdoor activities, thus aiding in early threat detection and response. - -### Possible investigation steps - -- Review the process execution details to identify the specific shell or script that was executed with APT as the parent process. Pay attention to the process names and arguments, such as "bash", "dash", "sh", etc., and the presence of the "-c" argument. -- Examine the command-line arguments and scripts executed by the suspicious process to determine if they contain any malicious or unexpected commands. -- Check the parent process details, specifically the APT process, to understand the context in which the shell or script was executed. This includes reviewing any recent package installations or updates that might have triggered the execution. -- Investigate the user account under which the suspicious process was executed to assess if it has been compromised or if it has elevated privileges that could be exploited. -- Correlate the event with other security logs or alerts from the same host to identify any additional indicators of compromise or related suspicious activities. 
-- Review the system's package management logs to identify any recent changes or anomalies in package installations or updates that could be linked to the suspicious execution. - -### False positive analysis - -- Legitimate administrative scripts executed by system administrators using APT may trigger the rule. To handle this, identify and document routine administrative tasks and create exceptions for these specific scripts or commands. -- Automated system maintenance scripts that use APT for updates or installations can be mistaken for suspicious activity. Review and whitelist these scripts by their specific command patterns or script names. -- Custom software deployment processes that involve APT and shell scripts might be flagged. Analyze these processes and exclude them by defining clear criteria for legitimate deployment activities. -- Security tools or monitoring solutions that interact with APT for scanning or auditing purposes may cause false positives. Verify these tools' operations and exclude their known benign processes from triggering the rule. -- Development environments where developers frequently use APT and shell scripts for testing and building software can lead to alerts. Establish a baseline of normal development activities and exclude these from the detection rule. - -### Response and remediation - -- Isolate the affected host immediately to prevent further unauthorized access or lateral movement within the network. -- Terminate any suspicious processes identified in the alert, particularly those initiated by the APT package manager that match the query criteria. -- Conduct a thorough review of the APT configuration files and scripts to identify and remove any injected malicious code or unauthorized modifications. -- Restore the affected system from a known good backup if malicious modifications are extensive or if the integrity of the system cannot be assured. 
-- Update all system packages and apply security patches to mitigate vulnerabilities that may have been exploited by the adversary.
-- Monitor the affected host and network for any signs of re-infection or further suspicious activity, focusing on the execution of shell scripts and unauthorized network connections.
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised."""
 [[rule.threat]]
diff --git a/rules/linux/persistence_boot_file_copy.toml b/rules/linux/persistence_boot_file_copy.toml
index 2fc76720e24..f243084744a 100644
--- a/rules/linux/persistence_boot_file_copy.toml
+++ b/rules/linux/persistence_boot_file_copy.toml
@@ -2,17 +2,15 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/24"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the process of copying or moving files from or to the `/boot` directory on Linux systems. The
-`/boot` directory contains files that are essential for the system to boot, such as the kernel and initramfs
-images. Attackers may copy or move files to the `/boot` directory to modify the boot process, which can be
-leveraged to maintain access to the system.
+This rule detects the process of copying or moving files from or to the `/boot` directory on Linux systems. The `/boot`
+directory contains files that are essential for the system to boot, such as the kernel and initramfs images. Attackers
+may copy or move files to the `/boot` directory to modify the boot process, which can be leveraged to maintain access to
+the system.
 """
 from = "now-9m"
 index = [
@@ -21,11 +19,44 @@ index = [ "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", - "logs-sentinel_one_cloud_funnel.*" + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" name = "Boot File Copy" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Boot File Copy +The `/boot` directory in Linux systems is crucial for storing files necessary for booting, such as the kernel. Adversaries may exploit this by copying or moving files to alter the boot process, potentially gaining persistent access. The 'Boot File Copy' detection rule identifies suspicious file operations in this directory, excluding legitimate processes, to flag potential unauthorized modifications. + +### Possible investigation steps + +- Review the process details to identify the specific file operation by examining the process name and arguments, particularly focusing on the use of 'cp' or 'mv' commands with paths involving '/boot/*'. +- Investigate the parent process executable and name to determine if the operation was initiated by a known legitimate process or script, ensuring it is not one of the excluded processes like 'update-initramfs' or 'grub-mkconfig'. +- Check the user account associated with the process to assess whether it is a privileged account and if the activity aligns with typical user behavior. +- Analyze recent system logs and audit records for any other suspicious activities or anomalies around the time of the alert to identify potential patterns or related events. 
+- Verify the integrity and authenticity of the files in the /boot directory to ensure no unauthorized modifications have been made, focusing on critical files like the kernel and initramfs images. +- If possible, correlate the alert with other data sources such as Elastic Endgame or Crowdstrike to gather additional context and confirm whether this is part of a broader attack pattern. + +### False positive analysis + +- System updates and maintenance tasks often involve legitimate processes that interact with the /boot directory. Processes like update-initramfs, dracut, and grub-mkconfig are common during these operations. Users can exclude these processes by adding them to the exception list in the detection rule. +- Custom scripts or administrative tasks that require copying or moving files to the /boot directory may trigger false positives. Identify these scripts and add their parent process names or paths to the exclusion criteria. +- Package management operations, such as those involving dpkg or rpm, may also interact with the /boot directory. Exclude paths like /var/lib/dpkg/info/* and /var/tmp/rpm-tmp.* to prevent these from being flagged. +- Temporary system recovery or installation processes might use directories like /tmp/newroot. Exclude these paths to avoid unnecessary alerts during legitimate recovery operations. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary. +- Terminate any suspicious processes identified by the detection rule, specifically those involving unauthorized 'cp' or 'mv' operations in the /boot directory. +- Conduct a thorough review of the /boot directory to identify and remove any unauthorized files or modifications. Restore any altered files from a known good backup if necessary. 
+- Check for any unauthorized changes to boot configuration files, such as GRUB or LILO, and restore them to their original state. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized access attempts or modifications. +- Review and update access controls and permissions for the /boot directory to ensure only authorized processes and users can make changes.""" risk_score = 21 rule_id = "5bda8597-69a6-4b9e-87a2-69a7c963ea83" setup = """## Setup @@ -64,6 +95,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and 
@@ -73,43 +105,10 @@ process.name in ("cp", "mv") and process.parent.executable != null and process.a process.parent.args like~ ("/usr/bin/mkinitcpio", "/var/tmp/rpm-tmp.*") ) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Boot File Copy -The `/boot` directory in Linux systems is crucial for storing files necessary for booting, such as the kernel. Adversaries may exploit this by copying or moving files to alter the boot process, potentially gaining persistent access. The 'Boot File Copy' detection rule identifies suspicious file operations in this directory, excluding legitimate processes, to flag potential unauthorized modifications. - -### Possible investigation steps - -- Review the process details to identify the specific file operation by examining the process name and arguments, particularly focusing on the use of 'cp' or 'mv' commands with paths involving '/boot/*'. -- Investigate the parent process executable and name to determine if the operation was initiated by a known legitimate process or script, ensuring it is not one of the excluded processes like 'update-initramfs' or 'grub-mkconfig'. -- Check the user account associated with the process to assess whether it is a privileged account and if the activity aligns with typical user behavior. -- Analyze recent system logs and audit records for any other suspicious activities or anomalies around the time of the alert to identify potential patterns or related events. -- Verify the integrity and authenticity of the files in the /boot directory to ensure no unauthorized modifications have been made, focusing on critical files like the kernel and initramfs images. 
-- If possible, correlate the alert with other data sources such as Elastic Endgame or Crowdstrike to gather additional context and confirm whether this is part of a broader attack pattern. - -### False positive analysis - -- System updates and maintenance tasks often involve legitimate processes that interact with the /boot directory. Processes like update-initramfs, dracut, and grub-mkconfig are common during these operations. Users can exclude these processes by adding them to the exception list in the detection rule. -- Custom scripts or administrative tasks that require copying or moving files to the /boot directory may trigger false positives. Identify these scripts and add their parent process names or paths to the exclusion criteria. -- Package management operations, such as those involving dpkg or rpm, may also interact with the /boot directory. Exclude paths like /var/lib/dpkg/info/* and /var/tmp/rpm-tmp.* to prevent these from being flagged. -- Temporary system recovery or installation processes might use directories like /tmp/newroot. Exclude these paths to avoid unnecessary alerts during legitimate recovery operations. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary. -- Terminate any suspicious processes identified by the detection rule, specifically those involving unauthorized 'cp' or 'mv' operations in the /boot directory. -- Conduct a thorough review of the /boot directory to identify and remove any unauthorized files or modifications. Restore any altered files from a known good backup if necessary. -- Check for any unauthorized changes to boot configuration files, such as GRUB or LILO, and restore them to their original state. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. 
-- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized access attempts or modifications. -- Review and update access controls and permissions for the /boot directory to ensure only authorized processes and users can make changes.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" @@ -125,29 +124,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -155,3 +153,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 2a908cda88a..56bd686bc5f 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -176,6 +174,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.action in ("exec", "exec_event", "start") and ( @@ -188,15 +187,17 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event", ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_dbus_service_creation.toml b/rules/linux/persistence_dbus_service_creation.toml index cf7b3a78f60..81d20357dd7 100644 --- a/rules/linux/persistence_dbus_service_creation.toml +++ b/rules/linux/persistence_dbus_service_creation.toml 
@@ -2,24 +2,57 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -This rule detects the creation of D-Bus service files on Linux systems. D-Bus is a message bus system that provides -a way for applications to talk to one another. D-Bus services are defined in service files that are typically -located in default directories. The rule looks for the creation of service files that are not associated with -known package managers or system services. Attackers may create malicious D-Bus services to establish persistence -or escalate privileges on a system. +This rule detects the creation of D-Bus service files on Linux systems. D-Bus is a message bus system that provides a +way for applications to talk to one another. D-Bus services are defined in service files that are typically located in +default directories. The rule looks for the creation of service files that are not associated with known package +managers or system services. Attackers may create malicious D-Bus services to establish persistence or escalate +privileges on a system. """ from = "now-9m" index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "D-Bus Service Created" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. 
+ +### Investigating D-Bus Service Created + +D-Bus is an inter-process communication system in Linux, enabling applications to communicate. Adversaries may exploit D-Bus by creating unauthorized service files to maintain persistence or escalate privileges. The detection rule identifies suspicious service file creations in key directories, excluding known legitimate processes, to flag potential malicious activity. + +### Possible investigation steps + +- Review the file path and extension to confirm if the created file is located in one of the monitored directories such as /usr/share/dbus-1/system-services/ or /etc/dbus-1/system.d/, and ensure it has a .service or .conf extension. +- Examine the process executable that created the file to determine if it is listed as a known legitimate process in the exclusion list. If not, investigate the process further to understand its origin and purpose. +- Check the process name and path for any unusual or unexpected patterns, especially if it is not part of the known exclusions like ssm-agent-worker or platform-python*. +- Investigate the file creation time and correlate it with other system activities or logs to identify any suspicious behavior or patterns around the time of the alert. +- Look into the user account associated with the process that created the file to determine if it has the necessary permissions and if the activity aligns with the user's typical behavior. +- Search for any related alerts or logs that might indicate a broader attack pattern, such as other unauthorized file creations or modifications in the system. + +### False positive analysis + +- Package manager operations can trigger false positives when legitimate service files are created during software installations or updates. To manage this, exclude processes associated with known package managers like dpkg, rpm, and yum from the detection rule. +- System service updates may also result in false positives. 
Exclude processes such as systemd and crond that are responsible for legitimate system service management. +- Development and testing environments often involve the creation of temporary or test service files. Exclude paths and processes specific to these environments, such as those under /tmp or /dev/fd, to reduce noise. +- Automation tools like Puppet and Chef can create service files as part of their configuration management tasks. Exclude these tools by adding their executable paths to the exception list. +- Custom scripts or tools that mimic package manager behavior might also cause false positives. Identify and exclude these specific scripts or tools by their process names or paths if they are known to be benign. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes associated with the creation of unauthorized D-Bus service files to halt potential malicious activity. +- Remove any unauthorized D-Bus service files identified in the specified directories to eliminate persistence mechanisms. +- Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized privilege escalation has occurred. +- Restore the system from a known good backup if unauthorized changes or damage to the system are detected. +- Monitor the system and network for any signs of re-infection or similar suspicious activities, using enhanced logging and alerting mechanisms. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.""" risk_score = 21 rule_id = "952c92af-d67f-4f01-8a9c-725efefa7e07" setup = """## Setup 
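Review bot: The false-positive guidance now carried on the new side of this hunk advises excluding "paths and processes ... such as those under /tmp or /dev/fd" for development environments; a blanket exclusion of a world-writable directory like /tmp would also hide service files written there by any unprivileged process, which is exactly the activity a persistence rule should keep visible. Consider narrowing that sentence so the exclusion is keyed on the specific process executables used by those environments rather than on whole directories, e.g. `Exclude the specific process executables used by these environments rather than broad writable locations such as /tmp, which would also mask unauthorized writes.` The query whose exclusion list this text refers to lies outside this hunk, so I could not check whether it already scopes these paths more tightly.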
@@ -61,6 +94,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and process.executable != null and file.extension in ("service", "conf") and file.path like~ ( 
@@ -96,64 +130,30 @@ file.extension in ("service", "conf") and file.path like~ ( (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating D-Bus Service Created - -D-Bus is an inter-process communication system in Linux, enabling applications to communicate. Adversaries may exploit D-Bus by creating unauthorized service files to maintain persistence or escalate privileges. The detection rule identifies suspicious service file creations in key directories, excluding known legitimate processes, to flag potential malicious activity. - -### Possible investigation steps - -- Review the file path and extension to confirm if the created file is located in one of the monitored directories such as /usr/share/dbus-1/system-services/ or /etc/dbus-1/system.d/, and ensure it has a .service or .conf extension. -- Examine the process executable that created the file to determine if it is listed as a known legitimate process in the exclusion list. If not, investigate the process further to understand its origin and purpose. -- Check the process name and path for any unusual or unexpected patterns, especially if it is not part of the known exclusions like ssm-agent-worker or platform-python*. -- Investigate the file creation time and correlate it with other system activities or logs to identify any suspicious behavior or patterns around the time of the alert. -- Look into the user account associated with the process that created the file to determine if it has the necessary permissions and if the activity aligns with the user's typical behavior. 
-- Search for any related alerts or logs that might indicate a broader attack pattern, such as other unauthorized file creations or modifications in the system. - -### False positive analysis - -- Package manager operations can trigger false positives when legitimate service files are created during software installations or updates. To manage this, exclude processes associated with known package managers like dpkg, rpm, and yum from the detection rule. -- System service updates may also result in false positives. Exclude processes such as systemd and crond that are responsible for legitimate system service management. -- Development and testing environments often involve the creation of temporary or test service files. Exclude paths and processes specific to these environments, such as those under /tmp or /dev/fd, to reduce noise. -- Automation tools like Puppet and Chef can create service files as part of their configuration management tasks. Exclude these tools by adding their executable paths to the exception list. -- Custom scripts or tools that mimic package manager behavior might also cause false positives. Identify and exclude these specific scripts or tools by their process names or paths if they are known to be benign. -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious processes associated with the creation of unauthorized D-Bus service files to halt potential malicious activity. -- Remove any unauthorized D-Bus service files identified in the specified directories to eliminate persistence mechanisms. -- Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized privilege escalation has occurred. -- Restore the system from a known good backup if unauthorized changes or damage to the system are detected. 
-- Monitor the system and network for any signs of re-infection or similar suspicious activities, using enhanced logging and alerting mechanisms. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml index 3ed85e11d02..219d9888e23 100644 --- a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml +++ b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml 
@@ -2,22 +2,55 @@ creation_date = "2025/01/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ This rule detects when an unusual child process is spawned from the `dbus-daemon` parent process. The `dbus-daemon` -process is a message bus system that provides a way for applications to talk to each other. Attackers may abuse -this process to execute malicious code or escalate privileges. +process is a message bus system that provides a way for applications to talk to each other. Attackers may abuse this +process to execute malicious code or escalate privileges. """ from = "now-9m" index = ["logs-endpoint.events.process*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Unusual D-Bus Daemon Child Process" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual D-Bus Daemon Child Process + +The D-Bus daemon is a crucial component in Linux environments, facilitating inter-process communication by allowing applications to exchange information. Adversaries may exploit this by spawning unauthorized child processes to execute malicious code or gain elevated privileges. The detection rule identifies anomalies by monitoring child processes of the D-Bus daemon, excluding known benign processes and paths, thus highlighting potential threats. 
+ +### Possible investigation steps + +- Review the process details to identify the unusual child process spawned from the dbus-daemon, focusing on the process name and executable path to determine if it is known or potentially malicious. +- Examine the command-line arguments (process.args) of the unusual child process to understand its intended function and assess if it aligns with typical usage patterns. +- Investigate the parent process arguments (process.parent.args) to confirm whether the dbus-daemon was running in a session context or another mode that might explain the unusual child process. +- Check the process start time and correlate it with other system events or logs to identify any related activities or anomalies occurring around the same time. +- Look into the user context under which the unusual child process was executed to determine if it was initiated by a legitimate user or potentially compromised account. +- Search for any network connections or file modifications associated with the unusual child process to identify potential data exfiltration or lateral movement activities. + +### False positive analysis + +- Known benign processes such as gnome-keyring-daemon and abrt-dbus may trigger the rule. Users can exclude these processes by adding them to the exception list in the detection rule. +- Processes executed from common library paths like /usr/lib/ or /usr/local/lib/ are typically non-threatening. Users should review these paths and consider excluding them if they are consistently generating false positives. +- The dbus-daemon with the --session argument is generally safe. Users can ensure this argument is included in the exception criteria to prevent unnecessary alerts. +- Specific applications like software-properties-dbus and serviceHelper.py are known to be benign. Users should verify these applications' legitimacy in their environment and exclude them if they are frequently flagged. 
+- Regularly review and update the exception list to include any new benign processes or paths that are identified over time, ensuring the rule remains effective without generating excessive false positives. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. +- Terminate any suspicious child processes spawned by the dbus-daemon that are not recognized as legitimate or necessary for system operations. +- Conduct a thorough review of the affected system's logs to identify any unauthorized access or changes made by the suspicious process. +- Restore any altered or compromised system files from a known good backup to ensure system integrity. +- Update and patch the affected system and any related software to close vulnerabilities that may have been exploited. +- Implement stricter access controls and monitoring on the dbus-daemon to prevent unauthorized process execution in the future. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.""" risk_score = 21 rule_id = "9705b458-689a-4ec6-afe8-b4648d090612" setup = """## Setup @@ -60,6 +93,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and process.parent.name == "dbus-daemon" and process.args_count > 1 and not ( 
@@ -69,82 +103,47 @@ process.parent.name == "dbus-daemon" and process.args_count > 1 and not ( process.executable like~ ("/usr/lib/*", "/usr/local/lib/*", "/usr/libexec/*", "/tmp/newroot/*") ) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual D-Bus Daemon Child Process - -The D-Bus daemon is a crucial component in Linux environments, facilitating inter-process communication by allowing applications to exchange information. Adversaries may exploit this by spawning unauthorized child processes to execute malicious code or gain elevated privileges. The detection rule identifies anomalies by monitoring child processes of the D-Bus daemon, excluding known benign processes and paths, thus highlighting potential threats. - -### Possible investigation steps - -- Review the process details to identify the unusual child process spawned from the dbus-daemon, focusing on the process name and executable path to determine if it is known or potentially malicious. -- Examine the command-line arguments (process.args) of the unusual child process to understand its intended function and assess if it aligns with typical usage patterns. -- Investigate the parent process arguments (process.parent.args) to confirm whether the dbus-daemon was running in a session context or another mode that might explain the unusual child process. -- Check the process start time and correlate it with other system events or logs to identify any related activities or anomalies occurring around the same time. -- Look into the user context under which the unusual child process was executed to determine if it was initiated by a legitimate user or potentially compromised account. 
-- Search for any network connections or file modifications associated with the unusual child process to identify potential data exfiltration or lateral movement activities. - -### False positive analysis - -- Known benign processes such as gnome-keyring-daemon and abrt-dbus may trigger the rule. Users can exclude these processes by adding them to the exception list in the detection rule. -- Processes executed from common library paths like /usr/lib/ or /usr/local/lib/ are typically non-threatening. Users should review these paths and consider excluding them if they are consistently generating false positives. -- The dbus-daemon with the --session argument is generally safe. Users can ensure this argument is included in the exception criteria to prevent unnecessary alerts. -- Specific applications like software-properties-dbus and serviceHelper.py are known to be benign. Users should verify these applications' legitimacy in their environment and exclude them if they are frequently flagged. -- Regularly review and update the exception list to include any new benign processes or paths that are identified over time, ensuring the rule remains effective without generating excessive false positives. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. -- Terminate any suspicious child processes spawned by the dbus-daemon that are not recognized as legitimate or necessary for system operations. -- Conduct a thorough review of the affected system's logs to identify any unauthorized access or changes made by the suspicious process. -- Restore any altered or compromised system files from a known good backup to ensure system integrity. -- Update and patch the affected system and any related software to close vulnerabilities that may have been exploited. -- Implement stricter access controls and monitoring on the dbus-daemon to prevent unauthorized process execution in the future. 
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml index 44b04b6286d..bbf353ca4cf 100644 --- a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml @@ -2,9 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -20,6 +18,42 @@ index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endg
 language = "eql"
 license = "Elastic License v2"
 name = "DNF Package Manager Plugin File Creation"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating DNF Package Manager Plugin File Creation
+
+DNF, a package manager for Fedora-based Linux systems, manages software installations and updates. It uses plugins to extend functionality, which can be targeted by attackers to insert malicious code, ensuring persistence and evasion. The detection rule monitors file creation in plugin directories, excluding legitimate processes, to identify unauthorized modifications indicative of potential backdoor activities.
+
+### Possible investigation steps
+
+- Review the file creation event details, focusing on the file path to confirm if it matches the monitored plugin directories: "/usr/lib/python*/site-packages/dnf-plugins/*" or "/etc/dnf/plugins/*".
+- Identify the process responsible for the file creation by examining the process.executable field, ensuring it is not one of the legitimate processes listed in the exclusion criteria.
+- Check the file extension of the newly created file to ensure it is not one of the excluded extensions like "swp", "swpx", or "swx".
+- Investigate the origin and legitimacy of the process by reviewing its parent process and command line arguments to determine if it aligns with expected behavior.
+- Correlate the event with any recent changes or updates in the system that might explain the file creation, such as package installations or system updates.
+- Search for any additional suspicious activity or anomalies in the system logs around the time of the alert to identify potential indicators of compromise.
+- If the file creation is deemed suspicious, consider isolating the affected system and conducting a deeper forensic analysis to assess the scope and impact of the potential threat.
+
+### False positive analysis
+
+- Legitimate software updates or installations may trigger file creation events in the DNF plugin directories. Users can mitigate this by ensuring that the processes involved in these updates are included in the exclusion list of the detection rule.
+- System maintenance scripts or automated tasks that modify or create files in the plugin directories can be mistaken for malicious activity. To handle this, identify these scripts and add their executables to the exclusion list.
+- Temporary files created by text editors or system processes, such as those with extensions like "swp", "swpx", or "swx", can be excluded by ensuring these extensions are part of the rule's exclusion criteria.
+- Custom scripts or tools that interact with DNF plugins for legitimate purposes should be reviewed and, if deemed safe, their executables should be added to the exclusion list to prevent false positives.
+- Processes running from directories like "/nix/store/*" or "/var/lib/dpkg/*" may be part of legitimate package management activities. Users should verify these processes and include them in the exclusion list if they are non-threatening.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
+- Conduct a thorough review of the newly created or modified files in the DNF plugin directories to identify any malicious code or unauthorized changes.
+- Remove any identified malicious files or code from the DNF plugin directories to eliminate the backdoor and restore the integrity of the package manager.
+- Revert any unauthorized changes to the system configuration or software settings to their original state using verified backups or system snapshots.
+- Update all system packages and plugins to the latest versions to patch any vulnerabilities that may have been exploited by the attacker.
+- Monitor the affected system and network for any signs of continued unauthorized access or suspicious activity, using enhanced logging and alerting mechanisms.
+- Escalate the incident to the appropriate internal security team or external cybersecurity experts for further investigation and to ensure comprehensive remediation."""
 references = [
 "https://pwnshift.github.io/2020/10/01/persistence.html",
 "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
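Review bot: The investigation step "ensuring it is not one of the legitimate processes listed in the exclusion criteria" points analysts at an exclusion that, as far as the query context visible in the next hunk shows, does not work as written: `process.name like~ ("ssm-agent-worker, NinjaOrbit", "python*")` carries two process names inside one quoted pattern, so neither ssm-agent-worker nor NinjaOrbit is actually excluded and events from them will keep alerting. The commit moves the note but leaves that line untouched; the fix is to split the pattern, `process.name like~ ("ssm-agent-worker", "NinjaOrbit", "python*")`. The full query starts outside this hunk, so I have not checked whether the same pattern appears elsewhere in the exclusion list.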
@@ -91,42 +125,6 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/* process.name like~ ("ssm-agent-worker, NinjaOrbit", "python*") ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating DNF Package Manager Plugin File Creation - -DNF, a package manager for Fedora-based Linux systems, manages software installations and updates. It uses plugins to extend functionality, which can be targeted by attackers to insert malicious code, ensuring persistence and evasion. The detection rule monitors file creation in plugin directories, excluding legitimate processes, to identify unauthorized modifications indicative of potential backdoor activities. - -### Possible investigation steps - -- Review the file creation event details, focusing on the file path to confirm if it matches the monitored plugin directories: "/usr/lib/python*/site-packages/dnf-plugins/*" or "/etc/dnf/plugins/*". -- Identify the process responsible for the file creation by examining the process.executable field, ensuring it is not one of the legitimate processes listed in the exclusion criteria. -- Check the file extension of the newly created file to ensure it is not one of the excluded extensions like "swp", "swpx", or "swx". -- Investigate the origin and legitimacy of the process by reviewing its parent process and command line arguments to determine if it aligns with expected behavior. -- Correlate the event with any recent changes or updates in the system that might explain the file creation, such as package installations or system updates. 
-- Search for any additional suspicious activity or anomalies in the system logs around the time of the alert to identify potential indicators of compromise. -- If the file creation is deemed suspicious, consider isolating the affected system and conducting a deeper forensic analysis to assess the scope and impact of the potential threat. - -### False positive analysis - -- Legitimate software updates or installations may trigger file creation events in the DNF plugin directories. Users can mitigate this by ensuring that the processes involved in these updates are included in the exclusion list of the detection rule. -- System maintenance scripts or automated tasks that modify or create files in the plugin directories can be mistaken for malicious activity. To handle this, identify these scripts and add their executables to the exclusion list. -- Temporary files created by text editors or system processes, such as those with extensions like "swp", "swpx", or "swx", can be excluded by ensuring these extensions are part of the rule's exclusion criteria. -- Custom scripts or tools that interact with DNF plugins for legitimate purposes should be reviewed and, if deemed safe, their executables should be added to the exclusion list to prevent false positives. -- Processes running from directories like "/nix/store/*" or "/var/lib/dpkg/*" may be part of legitimate package management activities. Users should verify these processes and include them in the exclusion list if they are non-threatening. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker. -- Conduct a thorough review of the newly created or modified files in the DNF plugin directories to identify any malicious code or unauthorized changes. -- Remove any identified malicious files or code from the DNF plugin directories to eliminate the backdoor and restore the integrity of the package manager. 
-- Revert any unauthorized changes to the system configuration or software settings to their original state using verified backups or system snapshots. -- Update all system packages and plugins to the latest versions to patch any vulnerabilities that may have been exploited by the attacker. -- Monitor the affected system and network for any signs of continued unauthorized access or suspicious activity, using enhanced logging and alerting mechanisms. -- Escalate the incident to the appropriate internal security team or external cybersecurity experts for further investigation and to ensure comprehensive remediation.""" [[rule.threat]] diff --git a/rules/linux/persistence_dracut_module_creation.toml b/rules/linux/persistence_dracut_module_creation.toml index 80ce775951a..7f2207cd93f 100644 --- a/rules/linux/persistence_dracut_module_creation.toml +++ b/rules/linux/persistence_dracut_module_creation.toml 
@@ -2,23 +2,56 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/22"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the creation of Dracut module files on Linux systems. Dracut is a tool used to generate an
-initramfs image that is used to boot the system. Dracut modules are scripts that are executed during the
-initramfs image generation process. Attackers may create malicious Dracut modules to execute arbitrary code
-at boot time, which can be leveraged to maintain persistence on a Linux system.
+This rule detects the creation of Dracut module files on Linux systems. Dracut is a tool used to generate an initramfs
+image that is used to boot the system. Dracut modules are scripts that are executed during the initramfs image
+generation process. Attackers may create malicious Dracut modules to execute arbitrary code at boot time, which can be
+leveraged to maintain persistence on a Linux system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dracut Module Creation"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Dracut Module Creation
+
+Dracut is a utility for generating initramfs images, crucial for booting Linux systems. It uses modules, which are scripts executed during image creation. Adversaries may exploit this by crafting malicious modules to execute code at boot, ensuring persistence. The detection rule identifies unauthorized module creation by monitoring file paths and excluding known legitimate processes, helping to flag potential threats.
+
+### Possible investigation steps
+
+- Review the file path of the created Dracut module to determine if it matches known legitimate paths or if it appears suspicious, focusing on paths like "/lib/dracut/modules.d/*" and "/usr/lib/dracut/modules.d/*".
+- Identify the process that created the Dracut module by examining the process.executable field, and verify if it is listed in the known legitimate processes or if it is an unexpected process.
+- Check the file extension of the created module to ensure it is not one of the excluded extensions such as "swp", "swpx", "swx", or "dpkg-remove".
+- Investigate the history and behavior of the process that created the module, including its parent process and any associated network activity, to assess if it has been involved in other suspicious activities.
+- Correlate the alert with other security events or logs from the same host to identify any patterns or additional indicators of compromise that might suggest malicious activity.
+- Consult threat intelligence sources to determine if there are any known threats or campaigns associated with the process or file path involved in the alert.
+
+### False positive analysis
+
+- Package managers like dpkg, rpm, and yum may trigger false positives when they update or install packages. To handle this, ensure these processes are included in the exclusion list within the detection rule.
+- Automated system management tools such as Puppet, Chef, and Ansible can create or modify Dracut modules as part of their configuration management tasks. Add these tools to the exclusion list to prevent false alerts.
+- System updates or maintenance scripts that run as part of regular system operations might be flagged. Review these scripts and add their executables to the exclusion list if they are verified as non-threatening.
+- Custom scripts or applications that interact with Dracut modules for legitimate purposes should be reviewed and, if deemed safe, added to the exclusion list to avoid unnecessary alerts.
+- Temporary files or backup files with extensions like swp or dpkg-remove may be mistakenly flagged. Ensure these extensions are included in the exclusion criteria to reduce false positives.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
+- Conduct a thorough review of the Dracut module files located in the specified directories (/lib/dracut/modules.d/*, /usr/lib/dracut/modules.d/*) to identify and remove any unauthorized or suspicious modules.
+- Restore the system from a known good backup if malicious Dracut modules are confirmed, ensuring that the backup predates the unauthorized changes.
+- Implement additional monitoring on the affected system to detect any further unauthorized Dracut module creation or other suspicious activities.
+- Review and tighten access controls and permissions for the directories and processes involved in Dracut module creation to prevent unauthorized modifications.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
+- Update and enhance detection capabilities to include alerts for any future unauthorized Dracut module creation attempts, leveraging the specific indicators identified in this incident."""
 risk_score = 21
 rule_id = "dc765fb2-0c99-4e57-8c11-dafdf1992b66"
 setup = """## Setup
@@ -57,6 +90,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 file where host.os.type == "linux" and event.type == "creation" and process.executable != null and
 file.path like~ ("/lib/dracut/modules.d/*", "/usr/lib/dracut/modules.d/*") and not (
@@ -81,45 +115,10 @@ file.path like~ ("/lib/dracut/modules.d/*", "/usr/lib/dracut/modules.d/*") and n (process.name == "sed" and file.name : "sed*") ) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Dracut Module Creation - -Dracut is a utility for generating initramfs images, crucial for booting Linux systems. It uses modules, which are scripts executed during image creation. Adversaries may exploit this by crafting malicious modules to execute code at boot, ensuring persistence. The detection rule identifies unauthorized module creation by monitoring file paths and excluding known legitimate processes, helping to flag potential threats. - -### Possible investigation steps - -- Review the file path of the created Dracut module to determine if it matches known legitimate paths or if it appears suspicious, focusing on paths like "/lib/dracut/modules.d/*" and "/usr/lib/dracut/modules.d/*". -- Identify the process that created the Dracut module by examining the process.executable field, and verify if it is listed in the known legitimate processes or if it is an unexpected process. -- Check the file extension of the created module to ensure it is not one of the excluded extensions such as "swp", "swpx", "swx", or "dpkg-remove". -- Investigate the history and behavior of the process that created the module, including its parent process and any associated network activity, to assess if it has been involved in other suspicious activities. -- Correlate the alert with other security events or logs from the same host to identify any patterns or additional indicators of compromise that might suggest malicious activity. 
-- Consult threat intelligence sources to determine if there are any known threats or campaigns associated with the process or file path involved in the alert. - -### False positive analysis - -- Package managers like dpkg, rpm, and yum may trigger false positives when they update or install packages. To handle this, ensure these processes are included in the exclusion list within the detection rule. -- Automated system management tools such as Puppet, Chef, and Ansible can create or modify Dracut modules as part of their configuration management tasks. Add these tools to the exclusion list to prevent false alerts. -- System updates or maintenance scripts that run as part of regular system operations might be flagged. Review these scripts and add their executables to the exclusion list if they are verified as non-threatening. -- Custom scripts or applications that interact with Dracut modules for legitimate purposes should be reviewed and, if deemed safe, added to the exclusion list to avoid unnecessary alerts. -- Temporary files or backup files with extensions like swp or dpkg-remove may be mistakenly flagged. Ensure these extensions are included in the exclusion criteria to reduce false positives. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Conduct a thorough review of the Dracut module files located in the specified directories (/lib/dracut/modules.d/*, /usr/lib/dracut/modules.d/*) to identify and remove any unauthorized or suspicious modules. -- Restore the system from a known good backup if malicious Dracut modules are confirmed, ensuring that the backup predates the unauthorized changes. -- Implement additional monitoring on the affected system to detect any further unauthorized Dracut module creation or other suspicious activities. 
-- Review and tighten access controls and permissions for the directories and processes involved in Dracut module creation to prevent unauthorized modifications. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. -- Update and enhance detection capabilities to include alerts for any future unauthorized Dracut module creation attempts, leveraging the specific indicators identified in this incident.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" @@ -135,29 +134,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -165,3 +163,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index c59e3a57064..4908718e419 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml 
@@ -2,9 +2,7 @@
 creation_date = "2022/07/12"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/linux/persistence_extract_initramfs_via_cpio.toml b/rules/linux/persistence_extract_initramfs_via_cpio.toml
index bd4c2e51b40..f5ab24a7a21 100644
--- a/rules/linux/persistence_extract_initramfs_via_cpio.toml
+++ b/rules/linux/persistence_extract_initramfs_via_cpio.toml
@@ -2,16 +2,14 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/22"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the extraction of an initramfs image using the `cpio` command on Linux systems. The
-`cpio` command is used to create or extract cpio archives. Attackers may extract the initramfs image to
-modify the contents or add malicious files, which can be leveraged to maintain persistence on the system.
+This rule detects the extraction of an initramfs image using the `cpio` command on Linux systems. The `cpio` command is
+used to create or extract cpio archives. Attackers may extract the initramfs image to modify the contents or add
+malicious files, which can be leveraged to maintain persistence on the system.
 """
 from = "now-9m"
 index = [
@@ -20,11 +18,45 @@ index = [
 "auditbeat-*",
 "logs-auditd_manager.auditd-*",
 "logs-crowdstrike.fdr*",
-"logs-sentinel_one_cloud_funnel.*"
+"logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
 name = "Initramfs Extraction via CPIO"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Initramfs Extraction via CPIO
+
+Initramfs is a temporary filesystem used during the Linux boot process, containing essential drivers and scripts. Attackers may exploit the `cpio` command to extract and modify initramfs, embedding malicious files to ensure persistence. The detection rule identifies suspicious `cpio` usage by monitoring process execution patterns, excluding legitimate parent processes, to flag potential threats.
+
+### Possible investigation steps
+
+- Review the process execution details to confirm the presence of the cpio command with arguments "-H" or "--format" and "newc" to ensure the alert is not a false positive.
+- Investigate the parent process of the cpio command to determine if it is an unexpected or unauthorized process, as legitimate processes like mkinitramfs or dracut should be excluded.
+- Check the execution path of the parent process to verify if it matches any known legitimate paths such as "/usr/share/initramfs-tools/*" or "/nix/store/*".
+- Analyze the timeline of events around the cpio execution to identify any preceding or subsequent suspicious activities that might indicate a broader attack or persistence mechanism.
+- Examine the system for any unauthorized modifications or additions to the initramfs image that could indicate tampering or the presence of malicious files.
+- Correlate the alert with other security data sources like Elastic Endgame, Elastic Defend, or Crowdstrike to gather additional context and assess the scope of the potential threat.
+
+### False positive analysis
+
+- Legitimate system updates or maintenance activities may trigger the rule when tools like mkinitramfs or dracut are used. To handle this, ensure these processes are excluded by verifying that the parent process is mkinitramfs or dracut.
+- Custom scripts or automation tools that manage initramfs might use cpio in a non-malicious context. Review these scripts and add their parent process names or paths to the exclusion list if they are verified as safe.
+- Systems using non-standard initramfs management tools located in directories like /usr/share/initramfs-tools or /nix/store may cause false positives. Confirm these tools' legitimacy and update the exclusion paths accordingly.
+- Development or testing environments where initramfs is frequently modified for legitimate reasons can generate alerts. Consider creating environment-specific exceptions to reduce noise while maintaining security in production systems.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further unauthorized access or spread of potential malware.
+- Terminate any suspicious processes related to the `cpio` command that do not have legitimate parent processes, such as `mkinitramfs` or `dracut`.
+- Conduct a thorough review of the extracted initramfs contents to identify and remove any unauthorized or malicious files.
+- Restore the initramfs from a known good backup to ensure system integrity and remove any potential persistence mechanisms.
+- Monitor the system for any further suspicious activity, particularly related to the `cpio` command, to ensure the threat has been fully mitigated.
+- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.
+- Update security policies and procedures to include specific checks for unauthorized `cpio` usage and enhance detection capabilities for similar threats.""" risk_score = 21 rule_id = "17b3fcd1-90fb-4f5d-858c-dc1d998fa368" setup = """## Setup @@ -63,6 +95,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and 
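Review bot: The correlation step in the new note names only Elastic Endgame, Elastic Defend and Crowdstrike, while the `index` list at the top of this hunk also reads `auditbeat-*`, `logs-auditd_manager.auditd-*` and `logs-sentinel_one_cloud_funnel.*`, so an analyst triaging an alert sourced from Auditd or SentinelOne is not pointed at the dataset that actually produced it. Suggest widening that bullet to match the integrations the rule declares: `- Correlate the alert with other security data sources like Elastic Endgame, Elastic Defend, Auditd Manager, Crowdstrike, or SentinelOne to gather additional context and assess the scope of the potential threat.` The same mismatch is worth checking in the other rules this commit touches that list `auditd_manager` or `sentinel_one_cloud_funnel` as integrations.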
@@ -71,44 +104,10 @@ process.name == "cpio" and process.args in ("-H", "--format") and process.args = process.parent.executable like~ ("/usr/share/initramfs-tools/*", "/nix/store/*") ) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Initramfs Extraction via CPIO - -Initramfs is a temporary filesystem used during the Linux boot process, containing essential drivers and scripts. Attackers may exploit the `cpio` command to extract and modify initramfs, embedding malicious files to ensure persistence. The detection rule identifies suspicious `cpio` usage by monitoring process execution patterns, excluding legitimate parent processes, to flag potential threats. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of the cpio command with arguments "-H" or "--format" and "newc" to ensure the alert is not a false positive. -- Investigate the parent process of the cpio command to determine if it is an unexpected or unauthorized process, as legitimate processes like mkinitramfs or dracut should be excluded. -- Check the execution path of the parent process to verify if it matches any known legitimate paths such as "/usr/share/initramfs-tools/*" or "/nix/store/*". -- Analyze the timeline of events around the cpio execution to identify any preceding or subsequent suspicious activities that might indicate a broader attack or persistence mechanism. -- Examine the system for any unauthorized modifications or additions to the initramfs image that could indicate tampering or the presence of malicious files. 
-- Correlate the alert with other security data sources like Elastic Endgame, Elastic Defend, or Crowdstrike to gather additional context and assess the scope of the potential threat. - -### False positive analysis - -- Legitimate system updates or maintenance activities may trigger the rule when tools like mkinitramfs or dracut are used. To handle this, ensure these processes are excluded by verifying that the parent process is mkinitramfs or dracut. -- Custom scripts or automation tools that manage initramfs might use cpio in a non-malicious context. Review these scripts and add their parent process names or paths to the exclusion list if they are verified as safe. -- Systems using non-standard initramfs management tools located in directories like /usr/share/initramfs-tools or /nix/store may cause false positives. Confirm these tools' legitimacy and update the exclusion paths accordingly. -- Development or testing environments where initramfs is frequently modified for legitimate reasons can generate alerts. Consider creating environment-specific exceptions to reduce noise while maintaining security in production systems. - -### Response and remediation - -- Isolate the affected system from the network to prevent further unauthorized access or spread of potential malware. -- Terminate any suspicious processes related to the `cpio` command that do not have legitimate parent processes, such as `mkinitramfs` or `dracut`. -- Conduct a thorough review of the extracted initramfs contents to identify and remove any unauthorized or malicious files. -- Restore the initramfs from a known good backup to ensure system integrity and remove any potential persistence mechanisms. -- Monitor the system for any further suspicious activity, particularly related to the `cpio` command, to ensure the threat has been fully mitigated. -- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected. 
-- Update security policies and procedures to include specific checks for unauthorized `cpio` usage and enhance detection capabilities for similar threats.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" @@ -124,7 +123,9 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml index ca06e3deee9..afd3c5fe188 100644 --- a/rules/linux/persistence_git_hook_execution.toml +++ b/rules/linux/persistence_git_hook_execution.toml @@ -2,9 +2,7 @@ creation_date = "2024/07/15" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,41 @@ index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Git Hook Command Execution" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Git Hook Command Execution + +Git hooks are scripts that automate tasks by executing before or after Git events like commits or pushes. While useful for developers, adversaries can exploit them to run malicious commands, gaining persistence or evading defenses. The detection rule identifies suspicious processes initiated by Git hooks, focusing on shell executions, to flag potential abuse on Linux systems. + +### Possible investigation steps + +- Review the alert details to identify the specific Git hook script path and the suspicious process name that was executed, as indicated by the process.args and process.name fields. +- Examine the process tree to understand the parent-child relationship, focusing on the process.parent.name and process.entity_id fields, to determine how the suspicious process was initiated. +- Check the Git repository's history and recent changes to the .git/hooks directory to identify any unauthorized modifications or additions to the hook scripts. +- Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it indicates potential compromise. +- Analyze the command-line arguments and environment variables of the suspicious process to gather more context on the nature of the executed command. 
+- Correlate this event with other security alerts or logs from the same host.id to identify any patterns or additional indicators of compromise. +- If possible, isolate the affected system and conduct a deeper forensic analysis to uncover any further malicious activity or persistence mechanisms. + +### False positive analysis + +- Developers using Git hooks for legitimate automation tasks may trigger this rule. To manage this, identify and document common scripts used in your development environment and create exceptions for these known benign processes. +- Continuous integration and deployment (CI/CD) systems often utilize Git hooks to automate workflows. Review the processes initiated by these systems and exclude them from detection if they are verified as non-malicious. +- Custom scripts executed via Git hooks for project-specific tasks can also cause false positives. Collaborate with development teams to catalog these scripts and adjust the detection rule to exclude them. +- Frequent updates or changes in Git repositories might lead to repeated triggering of the rule. Monitor these activities and, if consistent and verified as safe, consider adding them to an allowlist to reduce noise. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement. +- Terminate any suspicious processes identified as being executed from Git hooks, especially those involving shell executions. +- Conduct a thorough review of the .git/hooks directory on the affected system to identify and remove any unauthorized or malicious scripts. +- Restore any modified or deleted files from a known good backup to ensure system integrity. +- Implement monitoring for any future modifications to the .git/hooks directory to detect unauthorized changes promptly. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. 
+- Review and update access controls and permissions for Git repositories to limit the ability to modify hooks to trusted users only.""" references = [ "https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", 
@@ -72,41 +105,6 @@ sequence by host.id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Git Hook Command Execution - -Git hooks are scripts that automate tasks by executing before or after Git events like commits or pushes. While useful for developers, adversaries can exploit them to run malicious commands, gaining persistence or evading defenses. The detection rule identifies suspicious processes initiated by Git hooks, focusing on shell executions, to flag potential abuse on Linux systems. - -### Possible investigation steps - -- Review the alert details to identify the specific Git hook script path and the suspicious process name that was executed, as indicated by the process.args and process.name fields. -- Examine the process tree to understand the parent-child relationship, focusing on the process.parent.name and process.entity_id fields, to determine how the suspicious process was initiated. -- Check the Git repository's history and recent changes to the .git/hooks directory to identify any unauthorized modifications or additions to the hook scripts. -- Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it indicates potential compromise. -- Analyze the command-line arguments and environment variables of the suspicious process to gather more context on the nature of the executed command. 
-- Correlate this event with other security alerts or logs from the same host.id to identify any patterns or additional indicators of compromise. -- If possible, isolate the affected system and conduct a deeper forensic analysis to uncover any further malicious activity or persistence mechanisms. - -### False positive analysis - -- Developers using Git hooks for legitimate automation tasks may trigger this rule. To manage this, identify and document common scripts used in your development environment and create exceptions for these known benign processes. -- Continuous integration and deployment (CI/CD) systems often utilize Git hooks to automate workflows. Review the processes initiated by these systems and exclude them from detection if they are verified as non-malicious. -- Custom scripts executed via Git hooks for project-specific tasks can also cause false positives. Collaborate with development teams to catalog these scripts and adjust the detection rule to exclude them. -- Frequent updates or changes in Git repositories might lead to repeated triggering of the rule. Monitor these activities and, if consistent and verified as safe, consider adding them to an allowlist to reduce noise. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement. -- Terminate any suspicious processes identified as being executed from Git hooks, especially those involving shell executions. -- Conduct a thorough review of the .git/hooks directory on the affected system to identify and remove any unauthorized or malicious scripts. -- Restore any modified or deleted files from a known good backup to ensure system integrity. -- Implement monitoring for any future modifications to the .git/hooks directory to detect unauthorized changes promptly. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. 
-- Review and update access controls and permissions for Git repositories to limit the ability to modify hooks to trusted users only.""" [[rule.threat]] diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml index 3ba54dfdbdc..98e9a56dc87 100644 --- a/rules/linux/persistence_git_hook_file_creation.toml +++ b/rules/linux/persistence_git_hook_file_creation.toml @@ -2,9 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,6 +17,41 @@ index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endg language = "eql" license = "Elastic License v2" name = "Git Hook Created or Modified" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Git Hook Created or Modified + +Git hooks are scripts that automate tasks by executing before or after Git events like commits or pushes. While beneficial for developers, adversaries can exploit them to execute malicious code, maintaining persistence on a system. The detection rule identifies suspicious creation or modification of Git hooks on Linux, excluding benign processes, to flag potential abuse. + +### Possible investigation steps + +- Review the file path to confirm the location of the modified or created Git hook file and determine if it aligns with known repositories or projects on the system. +- Identify the process executable responsible for the creation or modification of the Git hook file and verify if it is a known and legitimate process, excluding those listed in the query. +- Check the timestamp of the event to correlate with any known user activities or scheduled tasks that might explain the modification or creation of the Git hook. +- Investigate the user account associated with the process that triggered the alert to determine if the activity aligns with their typical behavior or if it appears suspicious. +- Examine the contents of the modified or newly created Git hook file to identify any potentially malicious code or unexpected changes. 
+- Cross-reference the event with other security logs or alerts to identify any related suspicious activities or patterns that might indicate a broader attack or compromise. + +### False positive analysis + +- System package managers like dpkg, rpm, and yum can trigger false positives when they create or modify Git hooks during package installations or updates. To manage this, ensure these executables are included in the exclusion list within the detection rule. +- Automated deployment tools such as Puppet and Chef may modify Git hooks as part of their configuration management processes. Exclude these tools by adding their executables to the exception list to prevent false alerts. +- Continuous integration and deployment systems like Jenkins or GitLab runners might modify Git hooks as part of their build processes. Identify and exclude these processes by adding their specific executables or paths to the exclusion criteria. +- Custom scripts or internal tools that are known to modify Git hooks for legitimate purposes should be identified and their executables added to the exclusion list to avoid unnecessary alerts. +- Consider excluding specific directories or paths that are known to be used by trusted applications or processes for Git hook modifications, ensuring these are not flagged as suspicious. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement or further execution of malicious code. +- Terminate any suspicious processes associated with the creation or modification of Git hooks that are not part of the known benign processes listed in the detection rule. +- Conduct a thorough review of the modified or newly created Git hook scripts to identify and remove any malicious code or unauthorized changes. +- Restore any affected Git repositories from a known good backup to ensure integrity and remove any persistence mechanisms. 
+- Implement file integrity monitoring on the .git/hooks directory to detect unauthorized changes in the future. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Review and update access controls and permissions for Git repositories to limit the ability to modify hook scripts to only trusted users.""" references = [ "https://git-scm.com/docs/githooks/2.26.0", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", 
@@ -85,45 +118,10 @@ file.extension == null and process.executable != null and not ( (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Git Hook Created or Modified - -Git hooks are scripts that automate tasks by executing before or after Git events like commits or pushes. While beneficial for developers, adversaries can exploit them to execute malicious code, maintaining persistence on a system. The detection rule identifies suspicious creation or modification of Git hooks on Linux, excluding benign processes, to flag potential abuse. - -### Possible investigation steps - -- Review the file path to confirm the location of the modified or created Git hook file and determine if it aligns with known repositories or projects on the system. -- Identify the process executable responsible for the creation or modification of the Git hook file and verify if it is a known and legitimate process, excluding those listed in the query. -- Check the timestamp of the event to correlate with any known user activities or scheduled tasks that might explain the modification or creation of the Git hook. -- Investigate the user account associated with the process that triggered the alert to determine if the activity aligns with their typical behavior or if it appears suspicious. -- Examine the contents of the modified or newly created Git hook file to identify any potentially malicious code or unexpected changes. -- Cross-reference the event with other security logs or alerts to identify any related suspicious activities or patterns that might indicate a broader attack or compromise. 
- -### False positive analysis - -- System package managers like dpkg, rpm, and yum can trigger false positives when they create or modify Git hooks during package installations or updates. To manage this, ensure these executables are included in the exclusion list within the detection rule. -- Automated deployment tools such as Puppet and Chef may modify Git hooks as part of their configuration management processes. Exclude these tools by adding their executables to the exception list to prevent false alerts. -- Continuous integration and deployment systems like Jenkins or GitLab runners might modify Git hooks as part of their build processes. Identify and exclude these processes by adding their specific executables or paths to the exclusion criteria. -- Custom scripts or internal tools that are known to modify Git hooks for legitimate purposes should be identified and their executables added to the exclusion list to avoid unnecessary alerts. -- Consider excluding specific directories or paths that are known to be used by trusted applications or processes for Git hook modifications, ensuring these are not flagged as suspicious. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement or further execution of malicious code. -- Terminate any suspicious processes associated with the creation or modification of Git hooks that are not part of the known benign processes listed in the detection rule. -- Conduct a thorough review of the modified or newly created Git hook scripts to identify and remove any malicious code or unauthorized changes. -- Restore any affected Git repositories from a known good backup to ensure integrity and remove any persistence mechanisms. -- Implement file integrity monitoring on the .git/hooks directory to detect unauthorized changes in the future. 
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. -- Review and update access controls and permissions for Git repositories to limit the ability to modify hook scripts to only trusted users.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -134,29 +132,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -164,3 +161,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml index dd246b05bf3..d94e5860c5a 100644 --- a/rules/linux/persistence_git_hook_process_execution.toml +++ b/rules/linux/persistence_git_hook_process_execution.toml @@ -2,9 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,10 +13,50 @@ spawned by the Git process itself. This behavior may indicate an attacker attemp leveraging the legitimate Git process to execute unauthorized commands. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = [ + "logs-endpoint.events.process*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Git Hook Child Process" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Git Hook Child Process + +Git hooks are scripts that automate tasks during Git operations like commits or pushes. Adversaries may exploit these hooks to execute unauthorized commands, masking malicious activities under legitimate processes. The detection rule identifies unusual child processes spawned by Git hooks, focusing on atypical scripts or executables in suspicious directories, signaling potential misuse. + +### Possible investigation steps + +- Review the process tree to understand the parent-child relationship, focusing on the parent process names listed in the query, such as "pre-commit" or "post-update", to determine the context of the spawned child process. +- Examine the command line arguments and environment variables of the suspicious child process to identify any potentially malicious or unauthorized commands being executed. +- Check the file paths of the executables involved, especially those in unusual directories like "/tmp/*" or "/var/tmp/*", to assess if they are legitimate or potentially harmful. 
+- Investigate the user account under which the suspicious process is running to determine if it has been compromised or is being used in an unauthorized manner. +- Correlate the event with other security logs or alerts from the same host to identify any patterns or additional indicators of compromise. +- Review recent Git activity on the repository to identify any unauthorized changes or suspicious commits that might indicate tampering with Git hooks. + +### False positive analysis + +- Legitimate development scripts: Developers may use scripts in directories like /tmp or /var/tmp for testing purposes. To handle this, create exceptions for known scripts or directories used by trusted developers. +- Custom shell usage: Developers might use shells like bash or zsh for legitimate automation tasks. Identify and whitelist these specific shell scripts if they are part of regular development workflows. +- Temporary file execution: Some applications may temporarily execute files from directories like /dev/shm or /run. Monitor these applications and exclude them if they are verified as non-threatening. +- Non-standard interpreters: Developers might use interpreters like php or perl for legitimate tasks. Review and whitelist these processes if they are part of approved development activities. +- System maintenance scripts: Scheduled tasks or maintenance scripts might run from /etc/cron.* or /etc/init.d. Verify these scripts and exclude them if they are part of routine system operations. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or execution of malicious commands. +- Terminate any suspicious processes identified by the detection rule, especially those originating from unusual directories or involving unexpected scripts or executables. +- Conduct a thorough review of the Git hooks on the affected system to identify and remove any unauthorized or malicious scripts. 
+- Restore any modified or deleted files from a known good backup to ensure system integrity and continuity of operations. +- Implement stricter access controls and permissions for Git repositories and associated directories to prevent unauthorized modifications to Git hooks. +- Monitor the affected system and related network activity closely for any signs of persistence or further compromise, using enhanced logging and alerting mechanisms. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been affected.""" references = [ "https://git-scm.com/docs/githooks/2.26.0", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", 
@@ -86,41 +124,6 @@ process where host.os.type == "linux" and event.type == "start" and ) and not process.name in ("git", "dirname") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Git Hook Child Process - -Git hooks are scripts that automate tasks during Git operations like commits or pushes. Adversaries may exploit these hooks to execute unauthorized commands, masking malicious activities under legitimate processes. The detection rule identifies unusual child processes spawned by Git hooks, focusing on atypical scripts or executables in suspicious directories, signaling potential misuse. - -### Possible investigation steps - -- Review the process tree to understand the parent-child relationship, focusing on the parent process names listed in the query, such as "pre-commit" or "post-update", to determine the context of the spawned child process. -- Examine the command line arguments and environment variables of the suspicious child process to identify any potentially malicious or unauthorized commands being executed. -- Check the file paths of the executables involved, especially those in unusual directories like "/tmp/*" or "/var/tmp/*", to assess if they are legitimate or potentially harmful. -- Investigate the user account under which the suspicious process is running to determine if it has been compromised or is being used in an unauthorized manner. -- Correlate the event with other security logs or alerts from the same host to identify any patterns or additional indicators of compromise. 
-- Review recent Git activity on the repository to identify any unauthorized changes or suspicious commits that might indicate tampering with Git hooks. - -### False positive analysis - -- Legitimate development scripts: Developers may use scripts in directories like /tmp or /var/tmp for testing purposes. To handle this, create exceptions for known scripts or directories used by trusted developers. -- Custom shell usage: Developers might use shells like bash or zsh for legitimate automation tasks. Identify and whitelist these specific shell scripts if they are part of regular development workflows. -- Temporary file execution: Some applications may temporarily execute files from directories like /dev/shm or /run. Monitor these applications and exclude them if they are verified as non-threatening. -- Non-standard interpreters: Developers might use interpreters like php or perl for legitimate tasks. Review and whitelist these processes if they are part of approved development activities. -- System maintenance scripts: Scheduled tasks or maintenance scripts might run from /etc/cron.* or /etc/init.d. Verify these scripts and exclude them if they are part of routine system operations. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or execution of malicious commands. -- Terminate any suspicious processes identified by the detection rule, especially those originating from unusual directories or involving unexpected scripts or executables. -- Conduct a thorough review of the Git hooks on the affected system to identify and remove any unauthorized or malicious scripts. -- Restore any modified or deleted files from a known good backup to ensure system integrity and continuity of operations. -- Implement stricter access controls and permissions for Git repositories and associated directories to prevent unauthorized modifications to Git hooks. 
-- Monitor the affected system and related network activity closely for any signs of persistence or further compromise, using enhanced logging and alerting mechanisms. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been affected.""" [[rule.threat]] diff --git a/rules/linux/persistence_grub_configuration_creation.toml b/rules/linux/persistence_grub_configuration_creation.toml index 44f71f9b107..c5e5b0ff394 100644 --- a/rules/linux/persistence_grub_configuration_creation.toml +++ b/rules/linux/persistence_grub_configuration_creation.toml 
@@ -2,23 +2,56 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ This rule detects the creation of GRUB configuration files on Linux systems. The GRUB configuration file is used to -configure the boot loader, which is responsible for loading the operating system. Attackers may create malicious -GRUB configuration files to execute arbitrary code or escalate privileges during the boot process, which can be -leveraged to maintain persistence on the system. +configure the boot loader, which is responsible for loading the operating system. Attackers may create malicious GRUB +configuration files to execute arbitrary code or escalate privileges during the boot process, which can be leveraged to +maintain persistence on the system. """ from = "now-9m" index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "GRUB Configuration File Creation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating GRUB Configuration File Creation + +GRUB (Grand Unified Bootloader) is crucial for booting Linux systems, managing the boot process, and loading the OS. Adversaries may exploit GRUB by creating or altering configuration files to execute unauthorized code or gain elevated privileges, ensuring persistence. 
The detection rule identifies suspicious creation of GRUB files, excluding legitimate processes, to flag potential security threats. + +### Possible investigation steps + +- Review the file path and name to determine if it matches any known GRUB configuration files, as specified in the query (e.g., "/etc/default/grub", "/boot/grub2/grub.cfg"). +- Identify the process that created the file by examining the process.executable field, ensuring it is not one of the excluded legitimate processes. +- Check the timestamp of the file creation event to correlate it with any other suspicious activities or changes in the system around the same time. +- Investigate the user account associated with the process that created the file to determine if it has the necessary permissions and if the activity aligns with the user's typical behavior. +- Analyze the contents of the newly created or modified GRUB configuration file for any unauthorized or suspicious entries that could indicate malicious intent. +- Cross-reference the event with other security logs or alerts to identify any related activities or patterns that could suggest a broader attack or compromise. + +### False positive analysis + +- System package managers like dpkg, rpm, and yum may trigger false positives when they update or modify GRUB configuration files during routine package installations or updates. To handle this, ensure these processes are included in the exclusion list within the detection rule. +- Automated system management tools such as Puppet, Chef, and Ansible can also cause false positives when they manage GRUB configurations as part of their configuration management tasks. Consider adding these tools to the exclusion list if they are part of your environment. +- Virtualization and containerization tools like Docker, Podman, and VirtualBox might modify GRUB files as part of their operations. Verify these processes and exclude them if they are legitimate in your setup. 
+- Temporary files created by text editors or system processes, such as those with extensions like swp or swx, can be mistaken for GRUB configuration files. Ensure these extensions are part of the exclusion criteria to prevent unnecessary alerts. +- Custom scripts or administrative tasks that modify GRUB configurations for legitimate reasons should be reviewed and, if deemed safe, added to the exclusion list to avoid repeated false positives. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement or further unauthorized access. +- Review the GRUB configuration files identified in the alert to confirm unauthorized modifications or creations. Restore any altered files from a known good backup if necessary. +- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious code or backdoors that may have been introduced. +- Change all system and user passwords on the affected machine to prevent unauthorized access using potentially compromised credentials. +- Monitor the system for any further suspicious activity, particularly focusing on processes attempting to modify GRUB configuration files. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement additional logging and monitoring for GRUB configuration changes to enhance detection capabilities and prevent future unauthorized modifications.""" risk_score = 21 rule_id = "ce4a32e5-32aa-47e6-80da-ced6d234387d" setup = """## Setup @@ -57,6 +90,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and process.executable != null and file.path like~ ( "/etc/default/grub.d/*", "/etc/default/grub", "/etc/grub.d/*", 
@@ -84,45 +118,10 @@ file where host.os.type == "linux" and event.type == "creation" and process.exec (process.name == "sed" and file.name : "sed*") ) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating GRUB Configuration File Creation - -GRUB (Grand Unified Bootloader) is crucial for booting Linux systems, managing the boot process, and loading the OS. Adversaries may exploit GRUB by creating or altering configuration files to execute unauthorized code or gain elevated privileges, ensuring persistence. The detection rule identifies suspicious creation of GRUB files, excluding legitimate processes, to flag potential security threats. - -### Possible investigation steps - -- Review the file path and name to determine if it matches any known GRUB configuration files, as specified in the query (e.g., "/etc/default/grub", "/boot/grub2/grub.cfg"). -- Identify the process that created the file by examining the process.executable field, ensuring it is not one of the excluded legitimate processes. -- Check the timestamp of the file creation event to correlate it with any other suspicious activities or changes in the system around the same time. -- Investigate the user account associated with the process that created the file to determine if it has the necessary permissions and if the activity aligns with the user's typical behavior. -- Analyze the contents of the newly created or modified GRUB configuration file for any unauthorized or suspicious entries that could indicate malicious intent. -- Cross-reference the event with other security logs or alerts to identify any related activities or patterns that could suggest a broader attack or compromise. 
- -### False positive analysis - -- System package managers like dpkg, rpm, and yum may trigger false positives when they update or modify GRUB configuration files during routine package installations or updates. To handle this, ensure these processes are included in the exclusion list within the detection rule. -- Automated system management tools such as Puppet, Chef, and Ansible can also cause false positives when they manage GRUB configurations as part of their configuration management tasks. Consider adding these tools to the exclusion list if they are part of your environment. -- Virtualization and containerization tools like Docker, Podman, and VirtualBox might modify GRUB files as part of their operations. Verify these processes and exclude them if they are legitimate in your setup. -- Temporary files created by text editors or system processes, such as those with extensions like swp or swx, can be mistaken for GRUB configuration files. Ensure these extensions are part of the exclusion criteria to prevent unnecessary alerts. -- Custom scripts or administrative tasks that modify GRUB configurations for legitimate reasons should be reviewed and, if deemed safe, added to the exclusion list to avoid repeated false positives. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement or further unauthorized access. -- Review the GRUB configuration files identified in the alert to confirm unauthorized modifications or creations. Restore any altered files from a known good backup if necessary. -- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious code or backdoors that may have been introduced. -- Change all system and user passwords on the affected machine to prevent unauthorized access using potentially compromised credentials. 
-- Monitor the system for any further suspicious activity, particularly focusing on processes attempting to modify GRUB configuration files. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Implement additional logging and monitoring for GRUB configuration changes to enhance detection capabilities and prevent future unauthorized modifications.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" @@ -138,7 +137,9 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_grub_makeconfig.toml b/rules/linux/persistence_grub_makeconfig.toml index 9b8d543986e..23b192d4459 100644 --- a/rules/linux/persistence_grub_makeconfig.toml +++ b/rules/linux/persistence_grub_makeconfig.toml @@ -2,9 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
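Review bot: Removing `min_stack_version = "8.13.0"` together with its `min_stack_comments` line in the `[metadata]` hunk of persistence_grub_makeconfig.toml drops the only record of why the floor existed, while the rule still lists the sentinel_one_cloud_funnel integration whose 8.13.0 breaking change that comment described; if any branch older than 8.13 still receives rule updates, the schema break would resurface with no hint in the file. This is presumably intended because no supported branch predates 8.13 any more, but nothing in the hunk says so, and a reader of `git blame` will only see a silent deletion. Stating that reasoning once in the PR description, rather than in each file, would close the gap. The same removal appears in the metadata hunks of persistence_init_d_file_creation.toml, persistence_insmod_kernel_module_load.toml, persistence_kde_autostart_modification.toml, persistence_kworker_file_creation.toml, persistence_linux_backdoor_user_creation.toml, persistence_linux_shell_activity_via_web_server.toml, persistence_linux_user_added_to_privileged_group.toml, persistence_manual_dracut_execution.toml and persistence_message_of_the_day_execution.toml.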
@@ -15,10 +13,48 @@ during the boot process. Attackers may use these built-in utilities to generate includes malicious kernel parameters or boot options, which can be leveraged to maintain persistence on the system. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process*", + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "GRUB Configuration Generation through Built-in Utilities" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating GRUB Configuration Generation through Built-in Utilities + +GRUB, the Grand Unified Bootloader, is crucial for loading the Linux kernel during system startup. It uses configuration files to determine boot parameters. Adversaries may exploit utilities like `grub-mkconfig` to alter these files, embedding malicious parameters for persistence. The detection rule identifies suspicious executions of these utilities, especially when initiated by atypical parent processes, signaling potential misuse. + +### Possible investigation steps + +- Review the process execution details to identify the parent process of the suspicious GRUB configuration utility execution. Check if the parent process is unusual or unexpected based on the query's exclusion list. +- Examine the command-line arguments used in the execution of the GRUB configuration utility to identify any potentially malicious kernel parameters or boot options. 
+- Investigate the user account associated with the process execution to determine if it has the necessary privileges and if the activity aligns with the user's typical behavior. +- Check the system's recent changes or updates, especially those related to bootloader configurations, to identify any unauthorized modifications. +- Analyze system logs for any other suspicious activities or anomalies around the time of the GRUB configuration utility execution to gather additional context. + +### False positive analysis + +- Routine system updates or maintenance tasks may trigger the rule when legitimate processes like package managers (e.g., pacman, dnf, yum) or system utilities (e.g., sudo) execute GRUB configuration commands. Users can mitigate this by adding these processes to the exception list in the rule configuration. +- Automated scripts or cron jobs that regularly update GRUB configurations for legitimate reasons might be flagged. To handle this, identify these scripts and add their parent process names or paths to the exclusion criteria. +- Custom administrative scripts that manage bootloader settings could also cause false positives. Review these scripts and, if verified as safe, include their parent process details in the rule's exceptions. +- Some Linux distributions may have specific utilities or services that interact with GRUB as part of their normal operation. Investigate these utilities and consider excluding them if they are confirmed to be benign and necessary for system functionality. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement. +- Terminate any suspicious processes related to `grub-mkconfig`, `grub2-mkconfig`, or `update-grub` that were initiated by atypical parent processes. +- Review and restore the GRUB configuration file from a known good backup to ensure no malicious parameters are present. 
+- Conduct a thorough examination of the system for additional signs of compromise, focusing on persistence mechanisms and unauthorized changes to boot parameters. +- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. +- Implement monitoring for future unauthorized executions of GRUB configuration utilities, ensuring alerts are generated for similar suspicious activities. +- Review and update access controls and permissions to restrict the execution of GRUB configuration utilities to authorized personnel only.""" risk_score = 21 rule_id = "aabdad51-51fb-4a66-9d82-3873e42accb8" setup = """## Setup @@ -56,6 +92,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and 
@@ -66,43 +103,10 @@ process.parent.executable != null and process.name in ("grub-mkconfig", "grub2-m ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating GRUB Configuration Generation through Built-in Utilities - -GRUB, the Grand Unified Bootloader, is crucial for loading the Linux kernel during system startup. It uses configuration files to determine boot parameters. Adversaries may exploit utilities like `grub-mkconfig` to alter these files, embedding malicious parameters for persistence. The detection rule identifies suspicious executions of these utilities, especially when initiated by atypical parent processes, signaling potential misuse. - -### Possible investigation steps -- Review the process execution details to identify the parent process of the suspicious GRUB configuration utility execution. Check if the parent process is unusual or unexpected based on the query's exclusion list. -- Examine the command-line arguments used in the execution of the GRUB configuration utility to identify any potentially malicious kernel parameters or boot options. -- Investigate the user account associated with the process execution to determine if it has the necessary privileges and if the activity aligns with the user's typical behavior. -- Check the system's recent changes or updates, especially those related to bootloader configurations, to identify any unauthorized modifications. -- Analyze system logs for any other suspicious activities or anomalies around the time of the GRUB configuration utility execution to gather additional context. 
- -### False positive analysis - -- Routine system updates or maintenance tasks may trigger the rule when legitimate processes like package managers (e.g., pacman, dnf, yum) or system utilities (e.g., sudo) execute GRUB configuration commands. Users can mitigate this by adding these processes to the exception list in the rule configuration. -- Automated scripts or cron jobs that regularly update GRUB configurations for legitimate reasons might be flagged. To handle this, identify these scripts and add their parent process names or paths to the exclusion criteria. -- Custom administrative scripts that manage bootloader settings could also cause false positives. Review these scripts and, if verified as safe, include their parent process details in the rule's exceptions. -- Some Linux distributions may have specific utilities or services that interact with GRUB as part of their normal operation. Investigate these utilities and consider excluding them if they are confirmed to be benign and necessary for system functionality. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement. -- Terminate any suspicious processes related to `grub-mkconfig`, `grub2-mkconfig`, or `update-grub` that were initiated by atypical parent processes. -- Review and restore the GRUB configuration file from a known good backup to ensure no malicious parameters are present. -- Conduct a thorough examination of the system for additional signs of compromise, focusing on persistence mechanisms and unauthorized changes to boot parameters. -- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. -- Implement monitoring for future unauthorized executions of GRUB configuration utilities, ensuring alerts are generated for similar suspicious activities. 
-- Review and update access controls and permissions to restrict the execution of GRUB configuration utilities to authorized personnel only.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" @@ -118,7 +122,9 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index b268ef38aac..9596e5bce38 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -179,15 +177,18 @@ and file.path : "/etc/init.d/*" and not ( (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) ''' + + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index be9b7a9fe67..cf26c1d712a 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -41,7 +39,13 @@ security products. Manually loading a kernel module in this manner should not be suspcious or malicious behavior. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Kernel Module Load via insmod" @@ -162,6 +166,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and not process.parent.executable like ( @@ -170,20 +175,22 @@ not process.parent.executable like ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index 9fd2b9acc31..83b65a7ba7b 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/01/06" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -232,15 +230,17 @@ file where host.os.type == "linux" and event.type != "deletion" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index 79e32fb1943..d5e19a63317 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -167,6 +165,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and process.name : "kworker*" and not ( 
@@ -181,28 +180,29 @@ file where host.os.type == "linux" and event.action in ("creation", "file_create ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index 70a01525ea2..40dd37a98c1 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/03/07" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -38,7 +36,14 @@ Identifies the attempt to create a new backdoor user by setting the user's UID t 0 to establish persistence on a system. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Linux Backdoor User Account Creation" 
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index 75ef6bee4a2..3ad4f9a155f 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/03/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
index 192d6627424..da38cb65f9b 100644
--- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml
+++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/02/13"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -31,7 +29,14 @@ Identifies attempts to add a user to a privileged group. Attackers may add users
 establish persistence on a system.
 """
 from = "now-9m"
-index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "auditbeat-*",
+ "endgame-*",
+ "logs-auditd_manager.auditd-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux User Added to Privileged Group"
@@ -124,6 +129,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and @@ -136,20 +142,22 @@ process where host.os.type == "linux" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_manual_dracut_execution.toml b/rules/linux/persistence_manual_dracut_execution.toml index 260b43dcdab..afc04702740 100644 --- a/rules/linux/persistence_manual_dracut_execution.toml +++ b/rules/linux/persistence_manual_dracut_execution.toml 
@@ -2,22 +2,58 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ This rule detects manual execution of the `dracut` command on Linux systems. Dracut is a tool used to generate an -initramfs image that is used to boot the system. Attackers may use `dracut` to create a custom initramfs image -that includes malicious code or backdoors, allowing them to maintain persistence on the system. +initramfs image that is used to boot the system. Attackers may use `dracut` to create a custom initramfs image that +includes malicious code or backdoors, allowing them to maintain persistence on the system. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Manual Dracut Execution" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Manual Dracut Execution + +Dracut is a utility in Linux systems used to create initramfs images, essential for booting. Adversaries might exploit Dracut to craft malicious initramfs, embedding backdoors for persistence. The detection rule identifies unusual Dracut executions by scrutinizing process origins and excluding legitimate parent processes, flagging potential unauthorized use. 
+ +### Possible investigation steps + +- Review the process details to confirm the execution of the dracut command, focusing on the process.name and process.parent.executable fields to identify any unusual parent processes. +- Examine the command line arguments used with the dracut process by checking the process.parent.command_line field to understand the context of its execution. +- Investigate the user account associated with the dracut execution to determine if it aligns with expected administrative activity or if it indicates potential unauthorized access. +- Check the system logs and any related security alerts around the time of the dracut execution to identify any correlated suspicious activities or anomalies. +- Assess the system for any changes to the initramfs image or other boot-related files that could indicate tampering or the presence of backdoors. + +### False positive analysis + +- Legitimate system updates or kernel installations may trigger the rule. To handle this, users can create exceptions for processes originating from known update paths like /usr/lib/kernel/* or /etc/kernel/install.d/*. +- Automated scripts or maintenance tasks that use dracut for legitimate purposes might be flagged. Users should identify these scripts and add their parent process names, such as dracut-install or run-parts, to the exclusion list. +- Custom administrative scripts executed by trusted users could be mistaken for suspicious activity. Users can exclude specific command lines or arguments associated with these scripts, such as /usr/bin/dracut-rebuild, to prevent false positives. +- Temporary or testing environments where dracut is used for non-malicious testing purposes might trigger alerts. Users can exclude these environments by specifying unique parent process paths or names that are characteristic of the testing setup. 
+ +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the adversary. +- Terminate any suspicious or unauthorized dracut processes identified on the system to halt any ongoing malicious activity. +- Conduct a thorough review of the initramfs images on the affected system to identify and remove any unauthorized or malicious modifications. +- Restore the system's initramfs from a known good backup to ensure the integrity of the boot process. +- Implement monitoring for any future unauthorized dracut executions by setting up alerts for similar process activities, ensuring quick detection and response. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Review and update access controls and permissions to limit the ability to execute dracut to only authorized personnel, reducing the risk of future exploitation.""" risk_score = 21 rule_id = "834ee026-f9f9-4ec7-b5e0-7fbfe84765f4" setup = """## Setup @@ -60,6 +96,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and 
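Review bot: The second investigation step in the relocated `note` of persistence_manual_dracut_execution.toml says to examine "the command line arguments used with the dracut process by checking the process.parent.command_line field", but that field carries the parent's command line, not the arguments passed to dracut itself, so an analyst following it literally would look at the wrong process. The query in this file does match on `process.parent.command_line`, so the parent is worth inspecting, but the step should name both. Suggested wording: `- Examine the arguments passed to dracut itself via process.args or process.command_line, and separately review process.parent.command_line to understand how the parent launched it.` The note block was moved rather than edited by this commit, so the wording predates it; the remainder of the hunk (risk_score, rule_id, setup) is unchanged context.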
@@ -75,67 +112,35 @@ process.name == "dracut" and process.parent.executable != null and not ( process.parent.command_line like~ "/bin/sh -c if command -v mkinitcpio*" ) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Manual Dracut Execution - -Dracut is a utility in Linux systems used to create initramfs images, essential for booting. Adversaries might exploit Dracut to craft malicious initramfs, embedding backdoors for persistence. The detection rule identifies unusual Dracut executions by scrutinizing process origins and excluding legitimate parent processes, flagging potential unauthorized use. - -### Possible investigation steps - -- Review the process details to confirm the execution of the dracut command, focusing on the process.name and process.parent.executable fields to identify any unusual parent processes. -- Examine the command line arguments used with the dracut process by checking the process.parent.command_line field to understand the context of its execution. -- Investigate the user account associated with the dracut execution to determine if it aligns with expected administrative activity or if it indicates potential unauthorized access. -- Check the system logs and any related security alerts around the time of the dracut execution to identify any correlated suspicious activities or anomalies. -- Assess the system for any changes to the initramfs image or other boot-related files that could indicate tampering or the presence of backdoors. - -### False positive analysis - -- Legitimate system updates or kernel installations may trigger the rule. 
To handle this, users can create exceptions for processes originating from known update paths like /usr/lib/kernel/* or /etc/kernel/install.d/*. -- Automated scripts or maintenance tasks that use dracut for legitimate purposes might be flagged. Users should identify these scripts and add their parent process names, such as dracut-install or run-parts, to the exclusion list. -- Custom administrative scripts executed by trusted users could be mistaken for suspicious activity. Users can exclude specific command lines or arguments associated with these scripts, such as /usr/bin/dracut-rebuild, to prevent false positives. -- Temporary or testing environments where dracut is used for non-malicious testing purposes might trigger alerts. Users can exclude these environments by specifying unique parent process paths or names that are characteristic of the testing setup. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the adversary. -- Terminate any suspicious or unauthorized dracut processes identified on the system to halt any ongoing malicious activity. -- Conduct a thorough review of the initramfs images on the affected system to identify and remove any unauthorized or malicious modifications. -- Restore the system's initramfs from a known good backup to ensure the integrity of the boot process. -- Implement monitoring for any future unauthorized dracut executions by setting up alerts for similar process activities, ensuring quick detection and response. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. 
-- Review and update access controls and permissions to limit the ability to execute dracut to only authorized personnel, reducing the risk of future exploitation.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index ec84b27f6b7..bd5ad825aa5 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -32,15 +30,15 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create -malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing -a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD -utility. +malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a +backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility. """ from = "now-9m" index = ["logs-endpoint.events.process*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] @@ -148,6 +146,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event", "start") and process.parent.executable : "/etc/update-motd.d/*" and @@ -200,15 +199,17 @@ process where event.type == "start" and host.os.type == "linux" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/persistence_network_manager_dispatcher_persistence.toml b/rules/linux/persistence_network_manager_dispatcher_persistence.toml
index c0f3fb5b5f2..ff3fc273f41 100644
--- a/rules/linux/persistence_network_manager_dispatcher_persistence.toml
+++ b/rules/linux/persistence_network_manager_dispatcher_persistence.toml
@@ -2,23 +2,55 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ This rule detects the creation of a NetworkManager dispatcher script on a Linux system. NetworkManager dispatcher -scripts are shell scripts that NetworkManager executes when network interfaces change state. Attackers can -abuse NetworkManager dispatcher scripts to maintain persistence on a system by executing malicious code -whenever a network event occurs. +scripts are shell scripts that NetworkManager executes when network interfaces change state. Attackers can abuse +NetworkManager dispatcher scripts to maintain persistence on a system by executing malicious code whenever a network +event occurs. """ from = "now-9m" index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "NetworkManager Dispatcher Script Creation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating NetworkManager Dispatcher Script Creation + +NetworkManager dispatcher scripts are executed on Linux systems when network interfaces change state, allowing for automated responses to network events. Adversaries can exploit this by creating scripts that execute malicious code, ensuring persistence and evasion. 
The detection rule identifies unauthorized script creation by monitoring file creation events in the dispatcher directory, excluding known legitimate processes and file types, thus highlighting potential abuse. + +### Possible investigation steps + +- Review the file creation event details to identify the specific script created in the /etc/NetworkManager/dispatcher.d/ directory, noting the file path and name. +- Examine the process that created the script by checking the process.executable field to determine if it is an unexpected or suspicious process not listed in the known legitimate processes. +- Investigate the contents of the newly created script to identify any potentially malicious code or commands that could indicate an attempt to maintain persistence or execute unauthorized actions. +- Check the system's recent network events and changes to see if the script has been triggered and executed, which could provide further context on its intended use. +- Correlate the event with other security alerts or logs from the same host to identify any related suspicious activities or patterns that could indicate a broader attack or compromise. + +### False positive analysis + +- Package management tools like dpkg, rpm, and yum may trigger false positives when they create or modify dispatcher scripts during software installations or updates. To handle these, ensure that the process executables for these tools are included in the exclusion list within the detection rule. +- Automated system management tools such as Puppet, Chef, and Ansible can also cause false positives when they deploy or update configurations. Verify that the executables for these tools are part of the exclusion criteria to prevent unnecessary alerts. +- Temporary files created by text editors like Vim may be mistakenly flagged. These files typically have extensions like swp or swpx. Ensure these extensions are included in the exclusion list to avoid false positives. 
+- Custom scripts or applications that are known to create or modify dispatcher scripts for legitimate purposes should be reviewed. If deemed safe, add their process executables to the exclusion list to prevent them from being flagged. +- Consider monitoring the frequency and context of script creation events. If certain scripts are frequently created by known processes, evaluate the need to adjust the rule to reduce noise while maintaining security efficacy. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scripts and limit the attacker's ability to maintain persistence. +- Review and remove any unauthorized scripts found in the /etc/NetworkManager/dispatcher.d/ directory to eliminate the immediate threat. +- Conduct a thorough examination of the system for additional signs of compromise, such as unexpected processes or network connections, to identify any further malicious activity. +- Restore any affected systems from a known good backup to ensure the removal of any persistent threats that may have been established. +- Implement stricter access controls and monitoring on the /etc/NetworkManager/dispatcher.d/ directory to prevent unauthorized script creation in the future. +- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign. +- Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats, leveraging the MITRE ATT&CK framework for guidance on persistence and execution techniques.""" risk_score = 21 rule_id = "86aa8579-1526-4dff-97cd-3635eb0e0545" setup = """## Setup @@ -61,6 +93,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and file.path like~ "/etc/NetworkManager/dispatcher.d/*" and not ( process.executable in ( 
@@ -84,44 +117,10 @@ file where host.os.type == "linux" and event.type == "creation" and file.path li (process.name == "sed" and file.name : "sed*") ) ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating NetworkManager Dispatcher Script Creation - -NetworkManager dispatcher scripts are executed on Linux systems when network interfaces change state, allowing for automated responses to network events. Adversaries can exploit this by creating scripts that execute malicious code, ensuring persistence and evasion. The detection rule identifies unauthorized script creation by monitoring file creation events in the dispatcher directory, excluding known legitimate processes and file types, thus highlighting potential abuse. - -### Possible investigation steps - -- Review the file creation event details to identify the specific script created in the /etc/NetworkManager/dispatcher.d/ directory, noting the file path and name. -- Examine the process that created the script by checking the process.executable field to determine if it is an unexpected or suspicious process not listed in the known legitimate processes. -- Investigate the contents of the newly created script to identify any potentially malicious code or commands that could indicate an attempt to maintain persistence or execute unauthorized actions. -- Check the system's recent network events and changes to see if the script has been triggered and executed, which could provide further context on its intended use. -- Correlate the event with other security alerts or logs from the same host to identify any related suspicious activities or patterns that could indicate a broader attack or compromise. 
- -### False positive analysis - -- Package management tools like dpkg, rpm, and yum may trigger false positives when they create or modify dispatcher scripts during software installations or updates. To handle these, ensure that the process executables for these tools are included in the exclusion list within the detection rule. -- Automated system management tools such as Puppet, Chef, and Ansible can also cause false positives when they deploy or update configurations. Verify that the executables for these tools are part of the exclusion criteria to prevent unnecessary alerts. -- Temporary files created by text editors like Vim may be mistakenly flagged. These files typically have extensions like swp or swpx. Ensure these extensions are included in the exclusion list to avoid false positives. -- Custom scripts or applications that are known to create or modify dispatcher scripts for legitimate purposes should be reviewed. If deemed safe, add their process executables to the exclusion list to prevent them from being flagged. -- Consider monitoring the frequency and context of script creation events. If certain scripts are frequently created by known processes, evaluate the need to adjust the rule to reduce noise while maintaining security efficacy. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scripts and limit the attacker's ability to maintain persistence. -- Review and remove any unauthorized scripts found in the /etc/NetworkManager/dispatcher.d/ directory to eliminate the immediate threat. -- Conduct a thorough examination of the system for additional signs of compromise, such as unexpected processes or network connections, to identify any further malicious activity. -- Restore any affected systems from a known good backup to ensure the removal of any persistent threats that may have been established. 
-- Implement stricter access controls and monitoring on the /etc/NetworkManager/dispatcher.d/ directory to prevent unauthorized script creation in the future. -- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign. -- Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats, leveraging the MITRE ATT&CK framework for guidance on persistence and execution techniques.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -132,29 +131,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -162,3 +160,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_openssl_passwd_hash_generation.toml b/rules/linux/persistence_openssl_passwd_hash_generation.toml index f4dd830d1de..4b121002a06 100644 --- a/rules/linux/persistence_openssl_passwd_hash_generation.toml +++ b/rules/linux/persistence_openssl_passwd_hash_generation.toml 
@@ -2,23 +2,63 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -This rule detects the usage of the `openssl` binary to generate password hashes on Linux systems. The `openssl` command is a -cryptographic utility that can be used to generate password hashes. Attackers may use `openssl` to generate password hashes -for new user accounts or to change the password of existing accounts, which can be leveraged to maintain persistence -on a Linux system. +This rule detects the usage of the `openssl` binary to generate password hashes on Linux systems. The `openssl` command +is a cryptographic utility that can be used to generate password hashes. Attackers may use `openssl` to generate +password hashes for new user accounts or to change the password of existing accounts, which can be leveraged to maintain +persistence on a Linux system. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "OpenSSL Password Hash Generation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. 
+ +### Investigating OpenSSL Password Hash Generation + +OpenSSL is a robust cryptographic toolkit used for secure communications and data protection, including generating password hashes. Adversaries may exploit OpenSSL to create hashes for unauthorized user accounts or modify existing ones, aiding in persistent access to Linux systems. The detection rule identifies suspicious OpenSSL executions by monitoring specific process actions and arguments, flagging potential misuse for further investigation. + +### Possible investigation steps + +- Review the process execution details to confirm the presence of the "openssl" command with the "passwd" argument, as this indicates an attempt to generate a password hash. +- Identify the user account associated with the process execution to determine if the action was performed by a legitimate user or a potential adversary. +- Check the system logs and user activity around the time of the alert to identify any suspicious behavior or unauthorized access attempts. +- Investigate any recent changes to user accounts on the system, focusing on new account creations or password modifications that coincide with the alert. +- Correlate the alert with other security events or alerts from the same host to identify patterns or additional indicators of compromise. +- Assess the risk and impact of the detected activity by considering the context of the system and its role within the organization, as well as any potential data exposure or system access implications. + +### False positive analysis + +- Routine administrative tasks may trigger the rule when system administrators use OpenSSL to generate password hashes for legitimate user account management. To handle this, create exceptions for specific administrator accounts or processes that are known to perform these tasks regularly. +- Automated scripts for user account provisioning or maintenance that utilize OpenSSL for password hashing can also cause false positives. 
Identify these scripts and exclude their execution paths or associated user accounts from the rule. +- Security tools or compliance checks that periodically verify password strength or integrity using OpenSSL might be flagged. Review these tools and whitelist their operations to prevent unnecessary alerts. +- Development environments where OpenSSL is used for testing password hashing functions can generate alerts. Exclude these environments or specific test accounts from monitoring to reduce noise. +- Scheduled tasks or cron jobs that involve OpenSSL for password management purposes should be identified and excluded if they are part of regular system operations. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious OpenSSL processes identified by the detection rule to halt ongoing unauthorized password hash generation. +- Conduct a thorough review of user accounts on the affected system to identify any unauthorized accounts or changes to existing accounts, and revert any unauthorized modifications. +- Change passwords for all user accounts on the affected system, especially those with elevated privileges, to ensure that any compromised credentials are no longer valid. +- Implement additional monitoring on the affected system to detect any further unauthorized use of OpenSSL or similar tools, focusing on process execution and command-line arguments. +- Escalate the incident to the security operations team for a comprehensive investigation to determine the root cause and scope of the breach, and to assess potential impacts on other systems. +- Review and update access controls and authentication mechanisms to enhance security and prevent similar incidents in the future, ensuring that only authorized users can perform sensitive operations.""" risk_score = 21 rule_id = "f4b857b3-faef-430d-b420-90be48647f00" setup = """## Setup 
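Review bot: The investigation steps in the new `note` stop at the hash-generation event itself, although the rule description says the hash only matters once it is used for a new account or a password change. A step that checks whether `/etc/shadow` or `/etc/passwd` changed shortly after the `openssl passwd` execution, and whether an account-management command ran in the same session, would let an analyst confirm or dismiss the alert much faster. Suggested bullet: `- Check whether /etc/shadow or /etc/passwd was modified shortly after the openssl execution and whether a user-management command such as useradd, usermod or chpasswd ran in the same session, since the generated hash is only actionable once it is written to an account.` The reformatting of the `index` list in this hunk is fine as is.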
@@ -61,61 +101,29 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and process.name == "openssl" and process.args == "passwd" ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating OpenSSL Password Hash Generation - -OpenSSL is a robust cryptographic toolkit used for secure communications and data protection, including generating password hashes. Adversaries may exploit OpenSSL to create hashes for unauthorized user accounts or modify existing ones, aiding in persistent access to Linux systems. The detection rule identifies suspicious OpenSSL executions by monitoring specific process actions and arguments, flagging potential misuse for further investigation. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of the "openssl" command with the "passwd" argument, as this indicates an attempt to generate a password hash. -- Identify the user account associated with the process execution to determine if the action was performed by a legitimate user or a potential adversary. -- Check the system logs and user activity around the time of the alert to identify any suspicious behavior or unauthorized access attempts. -- Investigate any recent changes to user accounts on the system, focusing on new account creations or password modifications that coincide with the alert. -- Correlate the alert with other security events or alerts from the same host to identify patterns or additional indicators of compromise. 
-- Assess the risk and impact of the detected activity by considering the context of the system and its role within the organization, as well as any potential data exposure or system access implications. - -### False positive analysis - -- Routine administrative tasks may trigger the rule when system administrators use OpenSSL to generate password hashes for legitimate user account management. To handle this, create exceptions for specific administrator accounts or processes that are known to perform these tasks regularly. -- Automated scripts for user account provisioning or maintenance that utilize OpenSSL for password hashing can also cause false positives. Identify these scripts and exclude their execution paths or associated user accounts from the rule. -- Security tools or compliance checks that periodically verify password strength or integrity using OpenSSL might be flagged. Review these tools and whitelist their operations to prevent unnecessary alerts. -- Development environments where OpenSSL is used for testing password hashing functions can generate alerts. Exclude these environments or specific test accounts from monitoring to reduce noise. -- Scheduled tasks or cron jobs that involve OpenSSL for password management purposes should be identified and excluded if they are part of regular system operations. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious OpenSSL processes identified by the detection rule to halt ongoing unauthorized password hash generation. -- Conduct a thorough review of user accounts on the affected system to identify any unauthorized accounts or changes to existing accounts, and revert any unauthorized modifications. 
-- Change passwords for all user accounts on the affected system, especially those with elevated privileges, to ensure that any compromised credentials are no longer valid. -- Implement additional monitoring on the affected system to detect any further unauthorized use of OpenSSL or similar tools, focusing on process execution and command-line arguments. -- Escalate the incident to the security operations team for a comprehensive investigation to determine the root cause and scope of the breach, and to assess potential impacts on other systems. -- Review and update access controls and authentication mechanisms to enhance security and prevent similar incidents in the future, ensuring that only authorized users can perform sensitive operations.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml index a760ebe6b40..230bfedb129 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml @@ -2,9 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -21,6 +19,41 @@ index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endg language = "eql" license = "Elastic License v2" name = "Pluggable Authentication Module (PAM) Creation in Unusual Directory" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Pluggable Authentication Module (PAM) Creation in Unusual Directory + +Pluggable Authentication Modules (PAM) are integral to Linux systems, managing authentication tasks. Adversaries may exploit PAM by creating malicious modules in non-standard directories, aiming to gain persistence or capture credentials. The detection rule identifies such anomalies by monitoring the creation of PAM files outside typical system paths, excluding benign processes and known directories, thus highlighting potential threats. + +### Possible investigation steps + +- Review the file creation event details, focusing on the file path and name to determine the exact location and nature of the PAM shared object file created. +- Investigate the process that created the file by examining the process name and its parent process to understand the context and legitimacy of the file creation. +- Check the user account associated with the process that created the file to assess if it has the necessary permissions and if the activity aligns with typical user behavior. +- Analyze recent system logs and command history for any suspicious activities or commands that might indicate an attempt to compile or move PAM modules. +- Correlate the event with other security alerts or anomalies on the system to identify potential patterns or coordinated actions that could indicate a broader compromise. 
+- If possible, retrieve and analyze the contents of the PAM shared object file to identify any malicious code or indicators of compromise. + +### False positive analysis + +- Development and testing environments may compile PAM modules in temporary directories. To manage this, exclude paths commonly used for development, such as "/tmp/dev/*" or "/var/tmp/test/*". +- Containerized applications might create PAM modules in non-standard directories. Exclude processes like "dockerd" and "containerd" to prevent false positives from container operations. +- Package managers or system update tools may temporarily store PAM modules in unusual directories during updates. Exclude paths like "/var/cache/pacman/pkg/*" or "/var/lib/dpkg/tmp.ci/*" to avoid alerts during legitimate system updates. +- Custom scripts or automation tools might generate PAM modules in user-specific directories. Identify and exclude these specific scripts or paths if they are known to be safe and necessary for operations. +- Temporary backup or recovery operations might involve copying PAM modules to non-standard locations. Exclude paths used for backups, such as "/backup/*" or "/recovery/*", if these operations are verified as secure. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Conduct a thorough review of the unusual directory where the PAM file was created to identify any other suspicious files or activities, and remove any malicious files found. +- Analyze the process that created the PAM file to determine if it was initiated by a legitimate user or process, and terminate any malicious processes. +- Reset credentials for any accounts that may have been compromised, focusing on those with elevated privileges or access to sensitive systems. +- Restore the affected system from a known good backup to ensure that no malicious modifications persist. 
+- Implement additional monitoring on the affected system and similar systems to detect any further attempts to create PAM files in unusual directories. +- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" references = [ "https://github.com/zephrax/linux-pam-backdoor", "https://github.com/eurialo/pambd", @@ -43,6 +76,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and file.name like "pam_*.so" and not file.path like ( "/lib/security/*", 
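Review bot: The false-positive section of the new `note` recommends excluding world-writable temporary paths such as `"/tmp/dev/*"` and `"/var/tmp/test/*"` and generic backup paths like `"/backup/*"`, which are also the locations where a compiled module from the PAM backdoor projects listed in this rule's `references` is likely to be staged, so following that advice would carve the rule's intended coverage out of it. The guidance would be safer if it steered analysts toward scoping exceptions on the creating process, user or a specific build host rather than on path prefixes under `/tmp`; a rewording along the lines of `- Development hosts may compile PAM modules in temporary directories; prefer exceptions keyed on the build process or host rather than excluding /tmp or /var/tmp paths, since those directories are also where staged tooling is commonly written.` keeps the intent without weakening detection. This is a documentation-only change to the note text.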
@@ -59,64 +93,30 @@ file where host.os.type == "linux" and event.type == "creation" and file.name li ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Pluggable Authentication Module (PAM) Creation in Unusual Directory - -Pluggable Authentication Modules (PAM) are integral to Linux systems, managing authentication tasks. Adversaries may exploit PAM by creating malicious modules in non-standard directories, aiming to gain persistence or capture credentials. The detection rule identifies such anomalies by monitoring the creation of PAM files outside typical system paths, excluding benign processes and known directories, thus highlighting potential threats. - -### Possible investigation steps - -- Review the file creation event details, focusing on the file path and name to determine the exact location and nature of the PAM shared object file created. -- Investigate the process that created the file by examining the process name and its parent process to understand the context and legitimacy of the file creation. -- Check the user account associated with the process that created the file to assess if it has the necessary permissions and if the activity aligns with typical user behavior. -- Analyze recent system logs and command history for any suspicious activities or commands that might indicate an attempt to compile or move PAM modules. -- Correlate the event with other security alerts or anomalies on the system to identify potential patterns or coordinated actions that could indicate a broader compromise. 
-- If possible, retrieve and analyze the contents of the PAM shared object file to identify any malicious code or indicators of compromise. - -### False positive analysis - -- Development and testing environments may compile PAM modules in temporary directories. To manage this, exclude paths commonly used for development, such as "/tmp/dev/*" or "/var/tmp/test/*". -- Containerized applications might create PAM modules in non-standard directories. Exclude processes like "dockerd" and "containerd" to prevent false positives from container operations. -- Package managers or system update tools may temporarily store PAM modules in unusual directories during updates. Exclude paths like "/var/cache/pacman/pkg/*" or "/var/lib/dpkg/tmp.ci/*" to avoid alerts during legitimate system updates. -- Custom scripts or automation tools might generate PAM modules in user-specific directories. Identify and exclude these specific scripts or paths if they are known to be safe and necessary for operations. -- Temporary backup or recovery operations might involve copying PAM modules to non-standard locations. Exclude paths used for backups, such as "/backup/*" or "/recovery/*", if these operations are verified as secure. -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Conduct a thorough review of the unusual directory where the PAM file was created to identify any other suspicious files or activities, and remove any malicious files found. -- Analyze the process that created the PAM file to determine if it was initiated by a legitimate user or process, and terminate any malicious processes. -- Reset credentials for any accounts that may have been compromised, focusing on those with elevated privileges or access to sensitive systems. -- Restore the affected system from a known good backup to ensure that no malicious modifications persist. 
-- Implement additional monitoring on the affected system and similar systems to detect any further attempts to create PAM files in unusual directories. -- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/persistence_polkit_policy_creation.toml b/rules/linux/persistence_polkit_policy_creation.toml index 6a62c799bb5..3c93c229162 100644 --- a/rules/linux/persistence_polkit_policy_creation.toml +++ b/rules/linux/persistence_polkit_policy_creation.toml 
@@ -2,22 +2,55 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/23" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -This rule monitors for the creation of Polkit policy files on Linux systems. Polkit policy files are used to -define the permissions for system-wide services and applications. The creation of new Polkit policy files may -indicate an attempt to modify the authentication process, which could be used for persistence by an adversary. +This rule monitors for the creation of Polkit policy files on Linux systems. Polkit policy files are used to define the +permissions for system-wide services and applications. The creation of new Polkit policy files may indicate an attempt +to modify the authentication process, which could be used for persistence by an adversary. """ from = "now-9m" index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Polkit Policy Creation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Polkit Policy Creation + +Polkit, or PolicyKit, is a system service in Linux environments that manages system-wide privileges, allowing non-privileged processes to communicate with privileged ones. Adversaries may exploit Polkit by creating or modifying policy files to gain unauthorized access or maintain persistence. 
The detection rule monitors the creation of these files in critical directories, excluding known legitimate processes, to identify potential malicious activity. + +### Possible investigation steps + +- Review the file path and extension to confirm if the created file is located in one of the critical directories specified in the query, such as /etc/polkit-1/rules.d/ or /usr/share/polkit-1/actions/. +- Identify the process executable responsible for the file creation and verify if it is listed in the exclusion list of known legitimate processes. If not, this may warrant further investigation. +- Check the timestamp of the file creation event to determine if it coincides with any known maintenance or update activities, which could explain the file creation. +- Investigate the user account associated with the process that created the file to determine if it has the necessary privileges and if the activity aligns with the user's typical behavior. +- Examine any recent changes or updates to the system that might have triggered the creation of the Polkit policy file, such as software installations or configuration changes. +- Look for any related alerts or logs that might indicate a broader pattern of suspicious activity, such as unauthorized access attempts or other policy modifications. + +### False positive analysis + +- System package managers like dpkg, rpm, and yum may create or modify Polkit policy files during legitimate software installations or updates. To handle these, ensure that the rule excludes processes associated with these package managers as specified in the rule's exception list. +- Container management tools such as Docker and Podman might also trigger false positives when managing containerized applications. Users should verify that these executables are included in the exclusion list to prevent unnecessary alerts. +- Automation tools like Puppet and Chef can modify policy files as part of their configuration management tasks. 
Confirm that these processes are part of the exclusion criteria to avoid false positives. +- Snap package installations and updates can lead to the creation of policy files. Ensure that paths related to Snap are covered in the exclusion patterns to minimize false alerts. +- Virtualization software such as VirtualBox may interact with Polkit policy files. Users should check that relevant paths and executables are included in the exceptions to reduce false positives. + +### Response and remediation + +- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes identified as creating or modifying Polkit policy files, especially those not listed in the known legitimate processes. +- Review and restore the integrity of the Polkit policy files by comparing them against a known good baseline or backup to ensure no unauthorized changes persist. +- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes. +- Implement additional monitoring on the affected system and similar systems to detect any further attempts to create or modify Polkit policy files. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign. +- Review and update access controls and permissions related to Polkit policy files to ensure only authorized processes and users can create or modify these files, reducing the risk of future exploitation.""" risk_score = 21 rule_id = "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f" severity = "low" 
@@ -34,6 +67,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and process.executable != null and file.extension in ("rules", "pkla", "policy") and file.path like~ ( 
@@ -69,64 +103,30 @@ process.executable like~ ( ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Polkit Policy Creation - -Polkit, or PolicyKit, is a system service in Linux environments that manages system-wide privileges, allowing non-privileged processes to communicate with privileged ones. Adversaries may exploit Polkit by creating or modifying policy files to gain unauthorized access or maintain persistence. The detection rule monitors the creation of these files in critical directories, excluding known legitimate processes, to identify potential malicious activity. - -### Possible investigation steps - -- Review the file path and extension to confirm if the created file is located in one of the critical directories specified in the query, such as /etc/polkit-1/rules.d/ or /usr/share/polkit-1/actions/. -- Identify the process executable responsible for the file creation and verify if it is listed in the exclusion list of known legitimate processes. If not, this may warrant further investigation. -- Check the timestamp of the file creation event to determine if it coincides with any known maintenance or update activities, which could explain the file creation. -- Investigate the user account associated with the process that created the file to determine if it has the necessary privileges and if the activity aligns with the user's typical behavior. -- Examine any recent changes or updates to the system that might have triggered the creation of the Polkit policy file, such as software installations or configuration changes. 
-- Look for any related alerts or logs that might indicate a broader pattern of suspicious activity, such as unauthorized access attempts or other policy modifications. - -### False positive analysis - -- System package managers like dpkg, rpm, and yum may create or modify Polkit policy files during legitimate software installations or updates. To handle these, ensure that the rule excludes processes associated with these package managers as specified in the rule's exception list. -- Container management tools such as Docker and Podman might also trigger false positives when managing containerized applications. Users should verify that these executables are included in the exclusion list to prevent unnecessary alerts. -- Automation tools like Puppet and Chef can modify policy files as part of their configuration management tasks. Confirm that these processes are part of the exclusion criteria to avoid false positives. -- Snap package installations and updates can lead to the creation of policy files. Ensure that paths related to Snap are covered in the exclusion patterns to minimize false alerts. -- Virtualization software such as VirtualBox may interact with Polkit policy files. Users should check that relevant paths and executables are included in the exceptions to reduce false positives. -### Response and remediation - -- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious processes identified as creating or modifying Polkit policy files, especially those not listed in the known legitimate processes. -- Review and restore the integrity of the Polkit policy files by comparing them against a known good baseline or backup to ensure no unauthorized changes persist. -- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes. 
-- Implement additional monitoring on the affected system and similar systems to detect any further attempts to create or modify Polkit policy files. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign. -- Review and update access controls and permissions related to Polkit policy files to ensure only authorized processes and users can create or modify these files, reducing the risk of future exploitation.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml index 02f1b624b3c..d403890c025 100644 --- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml +++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml @@ -2,9 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,6 +17,40 @@ index = ["logs-endpoint.events.process*", "endgame-*", "logs-sentinel_one_cloud_ language = "eql" license = "Elastic License v2" name = "Executable Bit Set for Potential Persistence Script" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Executable Bit Set for Potential Persistence Script + +In Linux environments, scripts with executable permissions can be used to automate tasks, including system start-up processes. Adversaries exploit this by setting executable bits on scripts in directories typically used for persistence, allowing malicious code to run automatically. The detection rule identifies such activities by monitoring for changes in executable permissions in these directories, signaling potential unauthorized persistence attempts. + +### Possible investigation steps + +- Review the process details to identify the specific script or file that had its executable bit set, focusing on the process.args field to determine the exact file path. +- Examine the process.parent.executable field to understand the parent process that initiated the permission change, which can provide context on whether the action was part of a legitimate process or potentially malicious activity. +- Check the user account associated with the process to determine if the action was performed by a legitimate user or a compromised account. +- Investigate the history of the file in question, including recent modifications and the creation date, to assess if it aligns with known system changes or updates. +- Analyze the contents of the script or file to identify any suspicious or unauthorized code that could indicate malicious intent. 
+- Correlate this event with other recent alerts or logs from the same host to identify patterns or additional indicators of compromise that may suggest a broader persistence mechanism. + +### False positive analysis + +- System administrators or automated scripts may legitimately change executable permissions in directories like /etc/init.d or /etc/cron* for maintenance or updates. To handle these, create exceptions for known administrative scripts or processes that regularly perform these actions. +- Software installations or updates might trigger this rule when they modify startup scripts or configuration files. Users can mitigate this by excluding processes originating from trusted package managers or installation paths, such as /var/lib/dpkg. +- Custom user scripts in home directories, especially in /home/*/.config/autostart, may be flagged if users set them to run at startup. To reduce false positives, maintain a whitelist of user scripts that are known and approved for startup execution. +- Security tools or monitoring solutions might adjust permissions as part of their operations. Identify these tools and exclude their processes from triggering the rule to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. +- Terminate any suspicious processes identified in the alert that are associated with unauthorized script execution. +- Remove or disable the executable permissions on the identified scripts to prevent further unauthorized execution. +- Conduct a thorough review of the affected directories to identify and remove any additional unauthorized scripts or files. +- Restore any modified system files or configurations from a known good backup to ensure system integrity. +- Monitor the system for any signs of re-infection or further unauthorized changes, focusing on the directories and processes highlighted in the alert. 
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.""" references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", 
@@ -90,40 +122,6 @@ process.args : ( process.command_line in ("chmod 777 /etc/update-motd.d/", "chmod 755 /etc/update-motd.d/") ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Executable Bit Set for Potential Persistence Script - -In Linux environments, scripts with executable permissions can be used to automate tasks, including system start-up processes. Adversaries exploit this by setting executable bits on scripts in directories typically used for persistence, allowing malicious code to run automatically. The detection rule identifies such activities by monitoring for changes in executable permissions in these directories, signaling potential unauthorized persistence attempts. - -### Possible investigation steps - -- Review the process details to identify the specific script or file that had its executable bit set, focusing on the process.args field to determine the exact file path. -- Examine the process.parent.executable field to understand the parent process that initiated the permission change, which can provide context on whether the action was part of a legitimate process or potentially malicious activity. -- Check the user account associated with the process to determine if the action was performed by a legitimate user or a compromised account. -- Investigate the history of the file in question, including recent modifications and the creation date, to assess if it aligns with known system changes or updates. -- Analyze the contents of the script or file to identify any suspicious or unauthorized code that could indicate malicious intent. 
-- Correlate this event with other recent alerts or logs from the same host to identify patterns or additional indicators of compromise that may suggest a broader persistence mechanism. - -### False positive analysis - -- System administrators or automated scripts may legitimately change executable permissions in directories like /etc/init.d or /etc/cron* for maintenance or updates. To handle these, create exceptions for known administrative scripts or processes that regularly perform these actions. -- Software installations or updates might trigger this rule when they modify startup scripts or configuration files. Users can mitigate this by excluding processes originating from trusted package managers or installation paths, such as /var/lib/dpkg. -- Custom user scripts in home directories, especially in /home/*/.config/autostart, may be flagged if users set them to run at startup. To reduce false positives, maintain a whitelist of user scripts that are known and approved for startup execution. -- Security tools or monitoring solutions might adjust permissions as part of their operations. Identify these tools and exclude their processes from triggering the rule to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. -- Terminate any suspicious processes identified in the alert that are associated with unauthorized script execution. -- Remove or disable the executable permissions on the identified scripts to prevent further unauthorized execution. -- Conduct a thorough review of the affected directories to identify and remove any additional unauthorized scripts or files. -- Restore any modified system files or configurations from a known good backup to ensure system integrity. -- Monitor the system for any signs of re-infection or further unauthorized changes, focusing on the directories and processes highlighted in the alert. 
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected."""
[[rule.threat]]
diff --git a/rules/linux/persistence_process_capability_set_via_setcap.toml b/rules/linux/persistence_process_capability_set_via_setcap.toml
index 7064135fca3..c1efe8be0ca 100644
--- a/rules/linux/persistence_process_capability_set_via_setcap.toml
+++ b/rules/linux/persistence_process_capability_set_via_setcap.toml
@@ -2,9 +2,7 @@
creation_date = "2024/06/03"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -19,6 +17,39 @@ index = ["logs-endpoint.events.process*", "endgame-*", "logs-sentinel_one_cloud_ language = "eql" license = "Elastic License v2" name = "Process Capability Set via setcap Utility" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Process Capability Set via setcap Utility + +The `setcap` utility in Linux assigns specific capabilities to executables, allowing them to perform privileged tasks without full root access. While beneficial for security, adversaries can exploit this to maintain persistence or escalate privileges by misconfiguring capabilities. The detection rule identifies suspicious `setcap` usage by monitoring process execution patterns, excluding benign parent processes, to flag potential misuse. + +### Possible investigation steps + +- Review the process execution details to confirm the use of the setcap utility, focusing on the process name and event action fields to ensure the alert is not a false positive. +- Investigate the parent process executable and name to determine if the setcap command was executed by a potentially malicious or unexpected process, especially if it is not among the excluded benign parent processes. +- Check the capabilities that were set by the setcap command to assess if they could allow privilege escalation or persistence, and determine if they align with normal operational requirements. +- Examine the timeline of events around the setcap execution to identify any preceding or subsequent suspicious activities that might indicate a broader attack or compromise. 
+- Correlate the alert with other security events or logs from the same host to identify any patterns or additional indicators of compromise that could suggest a coordinated attack. + +### False positive analysis + +- Legitimate software installations or updates may trigger the rule when package managers like dpkg or Docker set capabilities during their processes. To handle this, exclude paths such as /var/lib/dpkg/* and /var/lib/docker/* from the detection rule. +- Development environments or containerized applications might use setcap for testing purposes. Exclude processes originating from /tmp/newroot/* and /var/tmp/newroot/* to reduce noise from these environments. +- Custom scripts or administrative tools that use setcap for legitimate configuration tasks can be excluded by identifying their parent process names and adding them to the exclusion list, similar to the existing exclusions for jem and vzctl. +- Regular audits of the exclusion list should be conducted to ensure that no malicious processes are inadvertently whitelisted, maintaining a balance between reducing false positives and ensuring security. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement by the attacker. +- Terminate any suspicious processes associated with the `setcap` utility that are not part of legitimate administrative tasks. +- Review and remove any unnecessary capabilities set on executables using the `setcap` utility to prevent privilege escalation. +- Conduct a thorough audit of the system to identify any backdoors or unauthorized changes made by the attacker, and remove them. +- Restore affected systems from a known good backup if unauthorized changes or persistent threats are detected. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised. 
+- Implement enhanced monitoring and logging for `setcap` usage and similar privilege escalation attempts to improve future detection capabilities.""" risk_score = 21 rule_id = "f18a474c-3632-427f-bcf5-363c994309ee" setup = """## Setup @@ -57,10 +88,11 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and process.name == "setcap" and not ( 
@@ -69,39 +101,7 @@ process.name == "setcap" and not ( process.parent.name in ("jem", "vzctl") ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Process Capability Set via setcap Utility - -The `setcap` utility in Linux assigns specific capabilities to executables, allowing them to perform privileged tasks without full root access. While beneficial for security, adversaries can exploit this to maintain persistence or escalate privileges by misconfiguring capabilities. The detection rule identifies suspicious `setcap` usage by monitoring process execution patterns, excluding benign parent processes, to flag potential misuse. - -### Possible investigation steps - -- Review the process execution details to confirm the use of the setcap utility, focusing on the process name and event action fields to ensure the alert is not a false positive. -- Investigate the parent process executable and name to determine if the setcap command was executed by a potentially malicious or unexpected process, especially if it is not among the excluded benign parent processes. -- Check the capabilities that were set by the setcap command to assess if they could allow privilege escalation or persistence, and determine if they align with normal operational requirements. -- Examine the timeline of events around the setcap execution to identify any preceding or subsequent suspicious activities that might indicate a broader attack or compromise. -- Correlate the alert with other security events or logs from the same host to identify any patterns or additional indicators of compromise that could suggest a coordinated attack. 
- -### False positive analysis -- Legitimate software installations or updates may trigger the rule when package managers like dpkg or Docker set capabilities during their processes. To handle this, exclude paths such as /var/lib/dpkg/* and /var/lib/docker/* from the detection rule. -- Development environments or containerized applications might use setcap for testing purposes. Exclude processes originating from /tmp/newroot/* and /var/tmp/newroot/* to reduce noise from these environments. -- Custom scripts or administrative tools that use setcap for legitimate configuration tasks can be excluded by identifying their parent process names and adding them to the exclusion list, similar to the existing exclusions for jem and vzctl. -- Regular audits of the exclusion list should be conducted to ensure that no malicious processes are inadvertently whitelisted, maintaining a balance between reducing false positives and ensuring security. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement by the attacker. -- Terminate any suspicious processes associated with the `setcap` utility that are not part of legitimate administrative tasks. -- Review and remove any unnecessary capabilities set on executables using the `setcap` utility to prevent privilege escalation. -- Conduct a thorough audit of the system to identify any backdoors or unauthorized changes made by the attacker, and remove them. -- Restore affected systems from a known good backup if unauthorized changes or persistent threats are detected. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised. -- Implement enhanced monitoring and logging for `setcap` usage and similar privilege escalation attempts to improve future detection capabilities.""" [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -110,7 +110,6 @@ framework = "MITRE ATT&CK"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
-
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -118,3 +117,4 @@ framework = "MITRE ATT&CK"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml
index bdf350753c0..217e73483b5 100644
--- a/rules/linux/persistence_pth_file_creation.toml
+++ b/rules/linux/persistence_pth_file_creation.toml
@@ -2,7 +2,7 @@
creation_date = "2025/02/26"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/02/26"
+updated_date = "2025/04/07"
[rule]
author = ["Elastic"]
@@ -18,6 +18,41 @@ index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Python Path File (pth) Creation"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Python Path File (pth) Creation
+
+Python Path Files (.pth) are used to automatically execute code when the Python interpreter starts, making them a potential target for adversaries seeking persistence. Attackers can exploit .pth files by placing malicious code in directories where Python packages reside, ensuring execution each time Python runs. The detection rule monitors the creation and renaming of .pth files in key directories, excluding legitimate processes, to identify unauthorized modifications indicative of malicious activity.
+
+### Possible investigation steps
+
+- Review the file path where the .pth file was created or renamed to determine if it is within a legitimate Python package directory, as specified in the query paths.
+- Identify the process executable responsible for the creation or renaming of the .pth file and verify if it is listed as an excluded legitimate process in the query.
+- Investigate the parent process of the identified executable to understand the context of the .pth file creation and assess if it aligns with expected behavior.
+- Check the timestamp of the .pth file creation or renaming event to correlate with any known scheduled tasks or user activities.
+- Examine the contents of the .pth file to identify any suspicious or unauthorized code that could indicate malicious intent.
+- Review recent system logs and user activity around the time of the event to identify any anomalies or unauthorized access attempts.
+
+### False positive analysis
+
+- Legitimate package installations or updates using package managers like pip or poetry can trigger false positives. To handle this, ensure that the process executables for these package managers are included in the exclusion list.
+- Automated scripts or CI/CD pipelines that manage Python environments might create or rename .pth files. Identify these scripts and add their executables to the exclusion list to prevent unnecessary alerts.
+- System updates or maintenance tasks that involve Python package directories can also result in false positives. Monitor these activities and temporarily adjust the rule or add specific system maintenance processes to the exclusion list.
+- Custom Python applications that manage dependencies or configurations through .pth files may cause alerts. Review these applications and consider adding their specific paths or executables to the exclusion criteria.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further execution of potentially malicious code.
+- Identify and terminate any suspicious processes associated with the creation or modification of .pth files, especially those not matching the legitimate process list.
+- Remove any unauthorized .pth files from the identified directories to eliminate the persistence mechanism.
+- Conduct a thorough review of recent changes to the Python environment and installed packages to identify any malicious or unauthorized modifications.
+- Restore affected systems from a known good backup if malicious activity is confirmed and cannot be fully remediated.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and alerting for future unauthorized .pth file modifications to quickly detect similar threats.
+""" references = [ "https://dfir.ch/posts/publish_python_pth_extension/", "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/", @@ -57,7 +92,8 @@ tags = [ "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index f281b3b7e24..64bcaa630b4 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -41,7 +39,12 @@ file owner or group. Threat actors can exploit these attributes to achieve persi allowing them to maintain control over a compromised system with elevated permissions. """ from = "now-9m" -index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Setcap setuid/setgid Capability Set" @@ -146,6 +149,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and 
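Review bot: The new investigation guide for persistence_pth_file_creation.toml opens as `note = """ ## Triage and analysis` and closes with a bare `"""` on its own line, so the stored guide starts with a leading space and ends with a trailing newline, unlike the four other guides added in this same diff, which use `note = """## Triage and analysis` and close the string on the last bullet. Markdown will most likely still render the indented `##` as a heading, but the inconsistency will show up in any tooling that compares or normalises the `note` field. I would change the two lines to `note = """## Triage and analysis` and `- Implement enhanced monitoring and alerting for future unauthorized .pth file modifications to quickly detect similar threats."""` and drop the separate closing line.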
@@ -155,6 +159,7 @@ process where host.os.type == "linux" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -162,21 +167,21 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index 20cd6be2503..b61d0740084 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/03/11" [transform] [[transform.osquery]] 
@@ -160,17 +160,20 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' -host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and -file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not ( +host.os.type:"linux" and event.action:("creation" or "file_create_event" or "file_rename_event" or "rename" or "file_write_event") and +(file.extension:"so" or file.name:*.so.*) and +file.path:( + /dev/shm/* or /usr/lib/* or /usr/lib64/* or /usr/local/lib/* or /usr/local/lib64/* or /lib/x86_64-linux-gnu/* or + /usr/lib/x86_64-linux-gnu/* or /lib/i386-linux-gnu/* or /usr/lib/i386-linux-gnu/* or /lib/* or /lib64/* +) and not ( process.name:( "dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or "apt-get" or "dnf" or "podman" or platform-python* or "dnf-automatic" or "unattended-upgrade" or "apk" or "snap-update-ns" or "install" or "exe" or - "systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or - "installer.bin.inst" or "uninstall-bin" or "linux_agent.inst" or crio or ssm-agent-worker or packagekitd + "systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or "crio" or "packagekitd" ) or - (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or + (process.name:"vmware-install.pl" and file.path:/usr/lib/vmware-tools/*) or + (process.name:"ssm-agent-worker" and file.path:/usr/lib/jvm/java*) or process.executable : (/dev/fd/* or "/" or "/kaniko/executor" or "/usr/bin/buildah") ) ''' diff --git a/rules/linux/persistence_simple_web_server_creation.toml b/rules/linux/persistence_simple_web_server_creation.toml index 8628309fc60..7f31d6c923a 100644 --- a/rules/linux/persistence_simple_web_server_creation.toml +++ b/rules/linux/persistence_simple_web_server_creation.toml 
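Review bot: The widened `file.path` list in the new query contains patterns already subsumed by broader ones: `/usr/lib/*` covers `/usr/lib/x86_64-linux-gnu/*` and `/usr/lib/i386-linux-gnu/*`, and `/lib/*` covers `/lib/x86_64-linux-gnu/*` and `/lib/i386-linux-gnu/*`, so the clause reduces to `/dev/shm/* or /usr/lib/* or /usr/lib64/* or /usr/local/lib/* or /usr/local/lib64/* or /lib/* or /lib64/*` without changing what it matches. The exclusion block still keys most of its allow-list on `process.name`, which is only the process basename and carries no information about where the binary was launched from; the two new scoped exclusions (`process.name:"vmware-install.pl" and file.path:/usr/lib/vmware-tools/*`, `process.name:"ssm-agent-worker" and file.path:/usr/lib/jvm/java*`) show the more robust shape, and entries in the broad list with a fixed install location would be safer expressed as `process.executable` matches. The `"pip" or ... or pip*` pair in that list is redundant and can collapse to `pip*`. Dropping the old `process.name:*` term also means events lacking a process.name field now pass the `not (...)` filter, which may or may not be intended for a `new_terms` rule and is worth a sentence in the rule description.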
@@ -2,9 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,10 +12,50 @@ simple HTTP web servers to establish persistence on a compromised system by uplo to the server web root, allowing them to regain remote access to the system if lost. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = [ + "logs-endpoint.events.process*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Simple HTTP Web Server Creation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Simple HTTP Web Server Creation + +Simple HTTP web servers, often created using PHP or Python, are lightweight and easy to deploy, making them ideal for quick file sharing or testing. However, adversaries exploit this simplicity to establish persistence on compromised Linux systems. By deploying a web server, they can upload malicious payloads, such as reverse shells, to maintain remote access. The detection rule identifies suspicious server creation by monitoring process executions that match specific patterns, such as PHP or Python commands indicative of server setup, thereby alerting analysts to potential threats. + +### Possible investigation steps + +- Review the process execution details to confirm the presence of PHP or Python commands with arguments matching the patterns specified in the query, such as PHP with the "-S" argument or Python with "--cgi" or "CGIHTTPServer". +- Identify the user account under which the suspicious process was executed to determine if it aligns with expected behavior or if it indicates potential compromise. 
+- Examine the network activity associated with the process to identify any unusual connections or data transfers that could suggest malicious intent or data exfiltration. +- Check the file system for any newly created or modified files in the web server's root directory that could contain malicious payloads, such as reverse shells. +- Investigate the parent process of the suspicious server creation to understand how the process was initiated and whether it was triggered by another potentially malicious activity. +- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activities. + +### False positive analysis + +- Development and testing environments often use simple HTTP servers for legitimate purposes such as serving static files or testing web applications. To manage this, create exceptions for known development directories or user accounts frequently involved in these activities. +- Automated scripts or cron jobs may start simple HTTP servers for routine tasks like file distribution or internal data sharing. Identify these scripts and exclude their execution paths or associated user accounts from triggering alerts. +- Educational or training sessions might involve setting up simple HTTP servers as part of learning exercises. Exclude specific IP ranges or user groups associated with training environments to prevent false positives. +- System administrators might use simple HTTP servers for quick troubleshooting or system maintenance tasks. Document these activities and create exceptions based on the administrator's user accounts or specific server names. +- Continuous integration and deployment pipelines may temporarily start HTTP servers during build or deployment processes. Identify these pipelines and exclude their associated processes or execution contexts from the detection rule. 
+ +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious PHP or Python processes identified by the detection rule to halt the operation of the unauthorized web server. +- Conduct a thorough examination of the web server's root directory to identify and remove any malicious payloads, such as reverse shells or unauthorized scripts. +- Review system logs and network traffic to identify any additional indicators of compromise or lateral movement attempts by the adversary. +- Restore the system from a known good backup if any critical system files or configurations have been altered by the adversary. +- Implement stricter access controls and monitoring on the affected system to prevent similar unauthorized server setups in the future. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.""" risk_score = 21 rule_id = "907a26f5-3eb6-4338-a70e-6c375c1cde8a" setup = """## Setup @@ -61,6 +99,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and 
@@ -70,87 +109,52 @@ process where host.os.type == "linux" and event.type == "start" and ) and not process.parent.name in ("check_kmp_wrapper", "naemon") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Simple HTTP Web Server Creation -Simple HTTP web servers, often created using PHP or Python, are lightweight and easy to deploy, making them ideal for quick file sharing or testing. However, adversaries exploit this simplicity to establish persistence on compromised Linux systems. By deploying a web server, they can upload malicious payloads, such as reverse shells, to maintain remote access. The detection rule identifies suspicious server creation by monitoring process executions that match specific patterns, such as PHP or Python commands indicative of server setup, thereby alerting analysts to potential threats. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of PHP or Python commands with arguments matching the patterns specified in the query, such as PHP with the "-S" argument or Python with "--cgi" or "CGIHTTPServer". -- Identify the user account under which the suspicious process was executed to determine if it aligns with expected behavior or if it indicates potential compromise. -- Examine the network activity associated with the process to identify any unusual connections or data transfers that could suggest malicious intent or data exfiltration. -- Check the file system for any newly created or modified files in the web server's root directory that could contain malicious payloads, such as reverse shells. 
-- Investigate the parent process of the suspicious server creation to understand how the process was initiated and whether it was triggered by another potentially malicious activity. -- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activities. - -### False positive analysis - -- Development and testing environments often use simple HTTP servers for legitimate purposes such as serving static files or testing web applications. To manage this, create exceptions for known development directories or user accounts frequently involved in these activities. -- Automated scripts or cron jobs may start simple HTTP servers for routine tasks like file distribution or internal data sharing. Identify these scripts and exclude their execution paths or associated user accounts from triggering alerts. -- Educational or training sessions might involve setting up simple HTTP servers as part of learning exercises. Exclude specific IP ranges or user groups associated with training environments to prevent false positives. -- System administrators might use simple HTTP servers for quick troubleshooting or system maintenance tasks. Document these activities and create exceptions based on the administrator's user accounts or specific server names. -- Continuous integration and deployment pipelines may temporarily start HTTP servers during build or deployment processes. Identify these pipelines and exclude their associated processes or execution contexts from the detection rule. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious PHP or Python processes identified by the detection rule to halt the operation of the unauthorized web server. 
-- Conduct a thorough examination of the web server's root directory to identify and remove any malicious payloads, such as reverse shells or unauthorized scripts. -- Review system logs and network traffic to identify any additional indicators of compromise or lateral movement attempts by the adversary. -- Restore the system from a known good backup if any critical system files or configurations have been altered by the adversary. -- Implement stricter access controls and monitoring on the affected system to prevent similar unauthorized server setups in the future. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.""" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" - - [[rule.threat.technique]] - id = "T1505" - name = "Server Software Component" - reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] - id = "T1505.003" - name = "Web Shell" - reference = "https://attack.mitre.org/techniques/T1505/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = 
"https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/persistence_site_and_user_customize_file_creation.toml b/rules/linux/persistence_site_and_user_customize_file_creation.toml index a84959da147..776f30311ab 100644 --- a/rules/linux/persistence_site_and_user_customize_file_creation.toml +++ b/rules/linux/persistence_site_and_user_customize_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/26" +updated_date = "2025/04/07" [rule] author = ["Elastic"] 
@@ -17,6 +17,41 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Python Site or User Customize File Creation" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Python Site or User Customize File Creation + +Python's `sitecustomize.py` and `usercustomize.py` are scripts that execute automatically when Python starts, allowing for environment-specific customizations. Adversaries can exploit these files to maintain persistence by injecting malicious code. The detection rule monitors file creation and modification in key directories, excluding benign processes, to identify unauthorized changes indicative of potential backdooring or persistence attempts. + +### Possible investigation steps + +- Review the file path where the creation or modification was detected to determine if it is a system-wide, user-specific, or virtual environment location, as specified in the query. +- Identify the process executable responsible for the file creation or modification and verify if it is listed in the exclusion list of benign processes. If not, investigate the process for potential malicious activity. +- Check the timestamp of the file creation or modification event to correlate with any other suspicious activities or alerts on the system around the same time. +- Examine the contents of the sitecustomize.py or usercustomize.py file for any unauthorized or suspicious code that could indicate persistence mechanisms or backdooring attempts. 
+- Investigate the user account associated with the file creation or modification event to determine if the activity aligns with expected behavior or if it suggests potential compromise. +- Review system logs and other security alerts for additional context or indicators of compromise related to the detected event. + +### False positive analysis + +- Package managers like pip and poetry can trigger false positives when they create or modify sitecustomize.py or usercustomize.py during package installations or updates. To handle this, ensure these processes are included in the exclusion list within the detection rule. +- System updates or software installations that involve Python libraries might also lead to false positives. Regularly review and update the exclusion list to include known benign processes such as pacman or restic that are part of routine system maintenance. +- Custom scripts or automation tools that use Python to manage environments could inadvertently modify these files. Identify and exclude these specific scripts or tools if they are verified as non-malicious. +- Virtual environments often involve the creation of sitecustomize.py for environment-specific configurations. Consider excluding the virtual environment's Python executables if they are part of a controlled and secure development process. + +### Response and remediation + +- Isolate the affected system from the network to prevent further unauthorized access or spread of malicious code. +- Review the contents of the `sitecustomize.py` and `usercustomize.py` files for any unauthorized or suspicious code. Remove any malicious code identified. +- Restore the affected files from a known good backup if available, ensuring that the restored files are free from unauthorized modifications. +- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms. 
+- Monitor the system and network for any signs of continued unauthorized access or attempts to modify the `sitecustomize.py` and `usercustomize.py` files. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement additional monitoring and alerting for changes to critical Python directories and files to enhance detection of similar threats in the future. +""" risk_score = 21 rule_id = "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8" setup = """## Setup @@ -52,7 +87,8 @@ tags = [ "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/persistence_ssh_key_generation.toml b/rules/linux/persistence_ssh_key_generation.toml index 15c65e37d54..e8f2c4ff724 100644 --- a/rules/linux/persistence_ssh_key_generation.toml +++ b/rules/linux/persistence_ssh_key_generation.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
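Review bot: The new `note` opens with a stray space, `note = """ ## Triage and analysis`, so the guide's first line is ` ## Triage and analysis` rather than `## Triage and analysis` as in the other guides added in this change; it should read `note = """## Triage and analysis`. The string also ends with a newline before the closing `"""`, while the sibling guides close directly after the last sentence, and the repository's rule-format checks may flag either difference. The false-positive section refers to the rule's exclusion list containing pacman or restic; that query is outside this hunk, so it is worth confirming those process names actually appear in it before the guide asserts they do.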
@@ -19,29 +17,6 @@ index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_fun language = "eql" license = "Elastic License v2" name = "SSH Key Generated via ssh-keygen" -references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] -risk_score = 21 -rule_id = "7df3cb8b-5c0c-4228-b772-bb6cd619053c" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and -process.executable == "/usr/bin/ssh-keygen" and file.path : ("/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*") and -not file.name : "known_hosts.*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -77,6 +52,29 @@ SSH keys, created using the ssh-keygen tool, are essential for secure authentica - Monitor network traffic and system logs for any signs of further unauthorized access attempts or suspicious activity related to SSH. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach. - Implement additional monitoring and alerting for SSH key generation activities across the network to enhance detection of similar threats in the future.""" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] +risk_score = 21 +rule_id = "7df3cb8b-5c0c-4228-b772-bb6cd619053c" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and +process.executable == "/usr/bin/ssh-keygen" and file.path : ("/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*") and +not file.name : "known_hosts.*" +''' [[rule.threat]] diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index 2dfb4da2e50..a3db7c8cbe3 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -21,6 +19,41 @@ language = "eql" license = "Elastic License v2" max_signals = 1 name = "Potential Suspicious File Edit" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Suspicious File Edit + +In Linux environments, text editors create temporary swap files (.swp) during file editing. Adversaries exploit this by editing critical system files to maintain persistence or escalate privileges. The detection rule identifies the creation of .swp files in sensitive directories, signaling potential unauthorized file edits, thus alerting analysts to investigate further. + +### Possible investigation steps + +- Review the alert details to identify the specific file path and name of the .swp file that triggered the alert, focusing on the directories and files listed in the query. +- Check the system logs and recent user activity to determine if there was any legitimate reason for editing the file, such as a scheduled maintenance or update. +- Investigate the user account associated with the file creation event to verify if the user has the necessary permissions and if their activity aligns with their role. +- Examine the contents of the original file (if accessible) and compare it with known baselines or backups to identify any unauthorized changes or anomalies. +- Look for other suspicious activities on the host, such as unusual login attempts, privilege escalation events, or the presence of other temporary files in sensitive directories. +- Assess the system for signs of persistence mechanisms or privilege escalation attempts, especially if the .swp file is associated with critical system files like /etc/shadow or /etc/passwd. 
+ +### False positive analysis + +- Editing non-sensitive files in monitored directories can trigger alerts. Users can create exceptions for specific directories or files that are frequently edited by authorized personnel. +- System administrators performing routine maintenance or updates may inadvertently create .swp files in sensitive directories. Implementing a whitelist for known maintenance activities can reduce false positives. +- Automated scripts or applications that open files in monitored directories for legitimate purposes can cause alerts. Identifying and excluding these processes from monitoring can help manage false positives. +- Developers working on configuration files in their home directories might trigger alerts. Excluding specific user directories or known development environments can mitigate these occurrences. +- Regular system updates or package installations might create temporary .swp files. Monitoring these activities and correlating them with update schedules can help distinguish between legitimate and suspicious activities. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. +- Terminate any suspicious processes associated with the creation of the .swp files in sensitive directories to halt any ongoing malicious activity. +- Restore the affected files from a known good backup to ensure system integrity and remove any unauthorized changes. +- Conduct a thorough review of user accounts and permissions, especially those with elevated privileges, to identify and revoke any unauthorized access. +- Implement additional monitoring on the affected system and similar environments to detect any further attempts to edit critical files. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. 
+- Review and update system hardening measures, such as file permissions and access controls, to prevent similar incidents in the future.""" risk_score = 21 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128" severity = "low" 
@@ -59,41 +92,6 @@ file.path : ( "/root/*.zshrc.swp", "/root/*.zlogin.swp", "/root/*.tcshrc.swp", "/root/*.kshrc.swp", "/root/*.config.fish.swp" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Suspicious File Edit - -In Linux environments, text editors create temporary swap files (.swp) during file editing. Adversaries exploit this by editing critical system files to maintain persistence or escalate privileges. The detection rule identifies the creation of .swp files in sensitive directories, signaling potential unauthorized file edits, thus alerting analysts to investigate further. - -### Possible investigation steps - -- Review the alert details to identify the specific file path and name of the .swp file that triggered the alert, focusing on the directories and files listed in the query. -- Check the system logs and recent user activity to determine if there was any legitimate reason for editing the file, such as a scheduled maintenance or update. -- Investigate the user account associated with the file creation event to verify if the user has the necessary permissions and if their activity aligns with their role. -- Examine the contents of the original file (if accessible) and compare it with known baselines or backups to identify any unauthorized changes or anomalies. -- Look for other suspicious activities on the host, such as unusual login attempts, privilege escalation events, or the presence of other temporary files in sensitive directories. 
-- Assess the system for signs of persistence mechanisms or privilege escalation attempts, especially if the .swp file is associated with critical system files like /etc/shadow or /etc/passwd. - -### False positive analysis - -- Editing non-sensitive files in monitored directories can trigger alerts. Users can create exceptions for specific directories or files that are frequently edited by authorized personnel. -- System administrators performing routine maintenance or updates may inadvertently create .swp files in sensitive directories. Implementing a whitelist for known maintenance activities can reduce false positives. -- Automated scripts or applications that open files in monitored directories for legitimate purposes can cause alerts. Identifying and excluding these processes from monitoring can help manage false positives. -- Developers working on configuration files in their home directories might trigger alerts. Excluding specific user directories or known development environments can mitigate these occurrences. -- Regular system updates or package installations might create temporary .swp files. Monitoring these activities and correlating them with update schedules can help distinguish between legitimate and suspicious activities. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. -- Terminate any suspicious processes associated with the creation of the .swp files in sensitive directories to halt any ongoing malicious activity. -- Restore the affected files from a known good backup to ensure system integrity and remove any unauthorized changes. -- Conduct a thorough review of user accounts and permissions, especially those with elevated privileges, to identify and revoke any unauthorized access. -- Implement additional monitoring on the affected system and similar environments to detect any further attempts to edit critical files. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. -- Review and update system hardening measures, such as file permissions and access controls, to prevent similar incidents in the future.""" [[rule.threat]] diff --git a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml index 2ff447924d2..185fac40937 100644 --- a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml +++ b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml @@ -2,17 +2,15 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ This rule detects the unpacking of an initramfs image using the `unmkinitramfs` command on Linux systems. The -`unmkinitramfs` command is used to extract the contents of an initramfs image, which is used to boot the -system. Attackers may use `unmkinitramfs` to unpack an initramfs image and modify its contents to include -malicious code or backdoors, allowing them to maintain persistence on the system. +`unmkinitramfs` command is used to extract the contents of an initramfs image, which is used to boot the system. +Attackers may use `unmkinitramfs` to unpack an initramfs image and modify its contents to include malicious code or +backdoors, allowing them to maintain persistence on the system. """ from = "now-9m" index = [ 
@@ -21,11 +19,44 @@ index = [ "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", - "logs-sentinel_one_cloud_funnel.*" + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" name = "Initramfs Unpacking via unmkinitramfs" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Initramfs Unpacking via unmkinitramfs + +Initramfs is a crucial component in Linux boot processes, containing essential drivers and scripts. The `unmkinitramfs` tool extracts its contents, which attackers might exploit to insert malicious code, ensuring persistence. The detection rule identifies the execution of `unmkinitramfs`, flagging potential unauthorized modifications by monitoring process initiation events on Linux systems. + +### Possible investigation steps + +- Review the process execution details to confirm the presence of the unmkinitramfs command, focusing on the process.name field to ensure it matches "unmkinitramfs". +- Check the user context under which the unmkinitramfs command was executed to determine if it aligns with expected administrative activities or if it was run by an unauthorized user. +- Investigate the parent process of the unmkinitramfs execution to understand how the command was initiated and if it was part of a legitimate script or an unexpected process chain. +- Examine recent system logs and audit logs for any other suspicious activities or anomalies around the time of the unmkinitramfs execution, such as unauthorized access attempts or changes to critical system files. 
+- Assess the integrity of the initramfs image by comparing it with a known good version, if available, to identify any unauthorized modifications or inclusions of malicious code. + +### False positive analysis + +- Routine system maintenance or updates may trigger the rule when legitimate processes unpack initramfs for kernel updates. Users can create exceptions for known maintenance scripts or processes that regularly perform these actions. +- Automated backup or recovery solutions might use unmkinitramfs to verify or restore system images. Identify and exclude these processes if they are part of trusted backup operations. +- Developers or system administrators testing or customizing initramfs images for legitimate purposes could trigger the rule. Establish a whitelist for specific user accounts or scripts that are authorized to perform these tasks. +- Security tools or monitoring solutions that analyze initramfs contents for integrity checks might inadvertently trigger the rule. Ensure these tools are recognized and excluded from detection to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the attacker. +- Terminate any suspicious processes related to `unmkinitramfs` to halt any ongoing malicious activity. +- Conduct a thorough review of the initramfs image and its contents to identify and remove any unauthorized modifications or malicious code. +- Restore the initramfs image from a known good backup to ensure system integrity and remove any potential backdoors. +- Monitor the system for any further attempts to execute `unmkinitramfs` and investigate any such occurrences to determine if they are legitimate or part of an ongoing attack. +- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected. 
+- Implement additional logging and monitoring for process execution events on Linux systems to enhance detection capabilities for similar threats in the future.""" risk_score = 21 rule_id = "c5fc788c-7576-4a02-b3d6-d2c016eb85a6" setup = """## Setup 
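Review bot: The investigation steps never look at what `unmkinitramfs` was pointed at, yet the query keys solely on `process.name`, so the image path and output directory are the most useful triage data the guide can ask for. Add a bullet such as `- Review process.args or process.command_line to identify the initramfs image that was unpacked and its destination; extracting the currently booted image from /boot into a user-writable location such as /tmp warrants closer scrutiny than an extraction inside a kernel packaging or build workflow.` It is also worth stating in the guide that a copied or renamed tool, or one invoked through its interpreter if it ships as a script on the target distribution, will not match `process.name == "unmkinitramfs"`, so the absence of alerts should not be read as evidence that no image was unpacked.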
@@ -64,48 +95,16 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and process.name == "unmkinitramfs" ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Initramfs Unpacking via unmkinitramfs - -Initramfs is a crucial component in Linux boot processes, containing essential drivers and scripts. The `unmkinitramfs` tool extracts its contents, which attackers might exploit to insert malicious code, ensuring persistence. The detection rule identifies the execution of `unmkinitramfs`, flagging potential unauthorized modifications by monitoring process initiation events on Linux systems. - -### Possible investigation steps - -- Review the process execution details to confirm the presence of the unmkinitramfs command, focusing on the process.name field to ensure it matches "unmkinitramfs". -- Check the user context under which the unmkinitramfs command was executed to determine if it aligns with expected administrative activities or if it was run by an unauthorized user. -- Investigate the parent process of the unmkinitramfs execution to understand how the command was initiated and if it was part of a legitimate script or an unexpected process chain. -- Examine recent system logs and audit logs for any other suspicious activities or anomalies around the time of the unmkinitramfs execution, such as unauthorized access attempts or changes to critical system files. 
-- Assess the integrity of the initramfs image by comparing it with a known good version, if available, to identify any unauthorized modifications or inclusions of malicious code. - -### False positive analysis - -- Routine system maintenance or updates may trigger the rule when legitimate processes unpack initramfs for kernel updates. Users can create exceptions for known maintenance scripts or processes that regularly perform these actions. -- Automated backup or recovery solutions might use unmkinitramfs to verify or restore system images. Identify and exclude these processes if they are part of trusted backup operations. -- Developers or system administrators testing or customizing initramfs images for legitimate purposes could trigger the rule. Establish a whitelist for specific user accounts or scripts that are authorized to perform these tasks. -- Security tools or monitoring solutions that analyze initramfs contents for integrity checks might inadvertently trigger the rule. Ensure these tools are recognized and excluded from detection to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the attacker. -- Terminate any suspicious processes related to `unmkinitramfs` to halt any ongoing malicious activity. -- Conduct a thorough review of the initramfs image and its contents to identify and remove any unauthorized modifications or malicious code. -- Restore the initramfs image from a known good backup to ensure system integrity and remove any potential backdoors. -- Monitor the system for any further attempts to execute `unmkinitramfs` and investigate any such occurrences to determine if they are legitimate or part of an ongoing attack. -- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected. 
-- Implement additional logging and monitoring for process execution events on Linux systems to enhance detection capabilities for similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" @@ -121,29 +120,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -151,3 +149,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_user_credential_modification_via_echo.toml b/rules/linux/persistence_user_credential_modification_via_echo.toml index 472624def9b..60dd97ca1e7 100644 --- a/rules/linux/persistence_user_credential_modification_via_echo.toml +++ b/rules/linux/persistence_user_credential_modification_via_echo.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/04/07" [rule] author = ["Elastic"] 
@@ -16,6 +16,41 @@ index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Linux User Account Credential Modification" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Linux User Account Credential Modification + +In Linux environments, user account credentials are crucial for system access and management. Adversaries may exploit command-line utilities to modify credentials, often using scripts to automate this process post-infection. The detection rule identifies suspicious use of shell commands that echo passwords into the passwd utility, a technique indicative of unauthorized credential changes, by monitoring specific command patterns and excluding benign processes. + +### Possible investigation steps + +- Review the process command line to confirm the presence of the suspicious pattern "*echo*passwd*" and assess if it aligns with known malicious activity. +- Identify the user account associated with the process to determine if it is a legitimate user or potentially compromised. +- Examine the parent process details, including the command line and executable path, to understand the context of how the suspicious process was initiated. +- Check for any recent changes to user accounts on the system, focusing on password modifications or new account creations around the time of the alert. +- Investigate the system for any additional signs of compromise, such as unexpected network connections or other suspicious processes running concurrently. +- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign. 
+ +### False positive analysis + +- Automated build processes may trigger this rule if they use shell scripts that include echoing passwords for testing or configuration purposes. To handle this, exclude processes with parent command lines or executables related to build tools like make. +- System administration scripts that automate user account management might use similar command patterns. Review these scripts and exclude them by specifying their parent process or executable paths. +- Custom user scripts for password management could inadvertently match the rule's criteria. Identify these scripts and add exceptions based on their unique command line or parent process attributes. +- Some legitimate software installations might use echo and passwd in their setup scripts. Monitor installation logs and exclude known safe installation processes by their parent command line or executable. + +### Response and remediation + +- Immediately isolate the affected Linux system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes identified by the detection rule, particularly those involving the echo command being used with the passwd utility. +- Change the passwords of any user accounts that may have been compromised, ensuring the use of strong, unique passwords. +- Review and audit recent user account changes and access logs to identify any unauthorized modifications or access attempts. +- Restore any affected user accounts to their previous state using backups or system snapshots, if available. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Implement additional monitoring and alerting for similar command patterns to enhance detection and prevent recurrence of this threat. +""" risk_score = 21 rule_id = "79e7291f-9e3b-4a4b-9823-800daa89c8f9" setup = """## Setup 
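Review bot: The guide sends analysts to `process.command_line` to confirm the `*echo*passwd*` pattern but never warns that, for this rule, the command line usually contains the new password in cleartext (for example `echo -e 'pw\npw' | passwd user`), which is now stored in process telemetry and in any case or ticket the alert is pasted into. The response section should say so and should rotate the affected account's credential even when the activity turns out to be benign, e.g. `- Treat the alert as sensitive: the captured command line likely contains the password itself, so rotate that account's credential regardless of the triage outcome and avoid copying the raw command line into tickets.` Minor style point: `note = """ ## Triage and analysis` carries a stray space after the opening quotes that the unmkinitramfs rule above does not (`note = """## Triage and analysis`); the same appears in the two web-server rules below.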
@@ -45,7 +80,8 @@ tags = [
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Persistence",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml
index c20aef20884..6f6761906dc 100644
--- a/rules/linux/persistence_web_server_sus_child_spawned.toml
+++ b/rules/linux/persistence_web_server_sus_child_spawned.toml
@@ -2,24 +2,58 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "ES|QL rule type in technical preview as of 8.13" -min_stack_version = "8.13.0" -updated_date = "2025/03/04" +updated_date = "2025/04/07" [rule] author = ["Elastic"] description = """ -This rule detects unusual processes spawned from a web server parent process by identifying low -frequency counts of process spawning activity. Unusual process spawning activity may indicate an -attacker attempting to establish persistence, execute malicious commands, or establish command -and control channels on the host system. ES|QL rules have limited fields available in its alert -documents. Make sure to review the original documents to aid in the investigation of this alert. +This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of +process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish +persistence, execute malicious commands, or establish command and control channels on the host system. ES|QL rules have +limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation +of this alert. """ from = "now-61m" interval = "1h" language = "esql" license = "Elastic License v2" name = "Unusual Process Spawned from Web Server Parent" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Process Spawned from Web Server Parent + +Web servers like Apache, Nginx, and others are crucial for hosting applications and services. 
Adversaries exploit these servers by spawning unauthorized processes to maintain persistence or execute malicious commands. The detection rule identifies anomalies by monitoring low-frequency process spawns from web server parents, focusing on unusual user IDs, directories, and process counts, which may indicate potential threats. + +### Possible investigation steps + +- Review the process.executable and process.command_line fields to understand the nature of the process that was spawned and assess if it aligns with expected behavior for the web server environment. +- Examine the process.working_directory to determine if the directory is a legitimate location for web server operations or if it appears suspicious, such as being outside typical web server directories. +- Check the user.name and user.id fields to verify if the process was executed by a legitimate web server user or if it was initiated by an unexpected or unauthorized user account. +- Investigate the process.parent.executable to confirm whether the parent process is a known and trusted web server executable or if it has been tampered with or replaced. +- Correlate the event with other logs or alerts from the same agent.id to identify any additional suspicious activities or patterns that may indicate a broader compromise. +- Assess the host.os.type to ensure the alert pertains to a Linux system, as specified in the query, and verify if there are any known vulnerabilities or misconfigurations on the host that could have been exploited. + +### False positive analysis + +- Processes related to legitimate web server maintenance tasks may trigger alerts. Review scheduled tasks or cron jobs that align with the alert timing and consider excluding these specific processes if they are verified as non-threatening. +- Development environments often spawn processes that mimic attack patterns. Identify and exclude processes originating from known development directories or executed by development user accounts. 
+- Automated scripts or monitoring tools running under web server user accounts can be mistaken for malicious activity. Verify these scripts and add exceptions for their specific process names or working directories. +- Frequent updates or deployments in web applications can lead to unusual process spawns. Document these activities and exclude related processes if they consistently match the alert criteria during known update windows. +- Custom web server modules or plugins may execute processes that appear suspicious. Validate these modules and exclude their associated processes if they are part of normal operations. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further malicious activity and potential lateral movement. +- Terminate any suspicious processes identified by the alert that are not part of legitimate web server operations. +- Conduct a thorough review of the process command lines and executables flagged by the alert to identify any malicious scripts or binaries. Remove or quarantine these files as necessary. +- Check for unauthorized changes in web server configurations or files within the working directories flagged by the alert. Restore any altered files from a known good backup. +- Review user accounts and permissions associated with the web server processes to ensure no unauthorized accounts or privilege escalations have occurred. Reset passwords and revoke unnecessary access. +- Monitor network traffic from the affected host for any signs of command and control communication, and block any identified malicious IP addresses or domains. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. +""" risk_score = 47 rule_id = "976b2391-413f-4a94-acb4-7911f3803346" setup = """## Setup 
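Review bot: The investigation steps tell analysts to read `process.command_line`, `user.name` and `user.id` "fields" from the alert, but this ES|QL rule's `stats ... by process.executable, process.working_directory, process.parent.executable` (query hunk further down) emits only those group keys, the counts, and the newly added `host.name`/`agent.id` values, so the command line and user fields are not in the alert document, as the rule description itself warns. Reword the first bullet to send them to the source events, e.g. `- Use the alert's process.executable, process.working_directory, process.parent.executable and host.name/agent.id to locate the matching source events in logs-endpoint.events.process-*; process.command_line, user.name and user.id are only available there, not in the ES|QL alert.` The bullet `Assess the host.os.type to ensure the alert pertains to a Linux system` can be dropped, since the query already filters `host.os.type == "linux"` and the check cannot fail.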
@@ -56,12 +90,14 @@ tags = [
 "Tactic: Execution",
 "Tactic: Command and Control",
 "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
+
 query = '''
 from logs-endpoint.events.process-*
-| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, user.name, user.id, process.working_directory, process.name, process.executable, process.command_line, process.parent.executable, agent.id
+| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, user.name, user.id, process.working_directory, process.name, process.executable, process.command_line, process.parent.executable, agent.id, host.name
 | where @timestamp > now() - 1 hours
 | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
 process.parent.name in (
@@ -84,57 +120,57 @@ not ( process.working_directory like "/" or process.parent.executable like "/vscode/vscode-server/*" ) -| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.working_directory, process.parent.executable +| stats cc = count(), agent_count = count_distinct(agent.id), host.name = VALUES(host.name), agent.id = VALUES(agent.id) by process.executable, process.working_directory, process.parent.executable | where agent_count == 1 and cc < 5 | sort cc asc | limit 100 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Persistence" -id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = 
"https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml index edeedf094f5..604bb77bc5c 100644 --- a/rules/linux/persistence_web_server_sus_command_execution.toml +++ b/rules/linux/persistence_web_server_sus_command_execution.toml 
@@ -2,26 +2,65 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "ES|QL rule type in technical preview as of 8.13" -min_stack_version = "8.13.0" -updated_date = "2025/03/04" +updated_date = "2025/04/07" [rule] author = ["Elastic"] description = """ -This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may -attempt to execute commands from a web server parent process to blend in with normal web server activity and -evade detection. This behavior is commonly observed in web shell attacks where adversaries exploit web server -vulnerabilities to execute arbitrary commands on the host. The detection rule identifies unusual command -execution from web server parent processes, which may indicate a compromised host or an ongoing attack. -ES|QL rules have limited fields available in its alert documents. Make sure to review the original documents -to aid in the investigation of this alert. +This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt +to execute commands from a web server parent process to blend in with normal web server activity and evade detection. +This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute +arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent +processes, which may indicate a compromised host or an ongoing attack. ES|QL rules have limited fields available in its +alert documents. Make sure to review the original documents to aid in the investigation of this alert. 
""" from = "now-61m" interval = "1h" language = "esql" license = "Elastic License v2" name = "Unusual Command Execution from Web Server Parent" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Command Execution from Web Server Parent + +Web servers, such as Apache or Nginx, are crucial for hosting web applications, often running on Linux systems. Adversaries exploit vulnerabilities in these servers to execute arbitrary commands, typically through web shells, blending malicious activity with legitimate server processes. The detection rule identifies suspicious command executions originating from web server processes, focusing on unusual patterns and contexts, such as unexpected working directories or command structures, to flag potential compromises. + +### Possible investigation steps + +- Review the process.command_line field to understand the specific command executed and assess its legitimacy or potential malicious intent. +- Examine the process.working_directory to determine if the command was executed from an unusual or suspicious directory, which could indicate a compromise. +- Check the process.parent.executable and process.parent.name fields to identify the parent process and verify if it is a known web server or related service that could be exploited. +- Investigate the user.name and user.id fields to confirm if the command was executed by a legitimate user or service account, or if it was potentially executed by an unauthorized user. 
+- Correlate the @timestamp with other logs and events to identify any related activities or anomalies occurring around the same time, which could provide additional context or evidence of an attack. +- Assess the agent.id to determine if the alert is isolated to a single host or if similar activities are observed across multiple hosts, indicating a broader issue. + +### False positive analysis + +- Web development or testing environments may frequently execute commands from web server processes. To handle this, exclude specific working directories like /var/www/dev or /var/www/test from the rule. +- Automated scripts or cron jobs running under web server user accounts can trigger alerts. Identify these scripts and add exceptions for their specific command lines or user IDs. +- Legitimate administrative tasks performed by web server administrators might appear suspicious. Document these tasks and exclude their associated command lines or parent executables. +- Continuous integration or deployment processes that involve web server interactions can be mistaken for threats. Exclude known CI/CD tool command lines or working directories from the rule. +- Monitoring or logging tools that interact with web server processes may generate false positives. Identify these tools and exclude their specific process names or parent executables. + +### Response and remediation + +- Isolate the affected host immediately to prevent further malicious activity and lateral movement within the network. This can be done by removing the host from the network or applying network segmentation. + +- Terminate any suspicious processes identified by the detection rule, especially those originating from web server parent processes executing shell commands. Use process IDs and command lines from the alert to target specific processes. + +- Conduct a thorough review of the web server logs and application logs to identify any unauthorized access or modifications. 
Look for patterns that match the command execution detected and any other anomalies. + +- Patch the web server and any associated applications to address known vulnerabilities that may have been exploited. Ensure that all software is up to date with the latest security patches. + +- Restore the affected system from a known good backup if any unauthorized changes or persistent threats are detected. Ensure that the backup is free from compromise before restoration. + +- Implement additional monitoring and alerting for similar activities, focusing on unusual command executions and web server behavior. Enhance logging and alerting to capture more detailed information about process executions and network connections. + +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign. Provide them with all relevant data and findings from the initial containment and remediation steps. +""" risk_score = 47 rule_id = "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d" setup = """## Setup @@ -58,12 +97,14 @@ tags = [ "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "esql" + query = ''' from logs-endpoint.events.process-* -| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, user.name, user.id, process.working_directory, process.name, process.command_line, process.parent.executable, agent.id +| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, user.name, user.id, process.working_directory, process.name, process.command_line, process.parent.executable, agent.id, host.name | where @timestamp > now() - 1 hours | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( process.parent.name in ( 
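Review bot: The remediation bullet `Use process IDs and command lines from the alert to target specific processes` promises a PID that the alert cannot carry: the rule's `stats ... by process.command_line, process.working_directory, process.parent.executable` (query hunk further down) emits only those keys, the counts and the newly added `host.name`/`agent.id` values, and the same gap applies to the `user.name`/`user.id` investigation step. Rephrase to pivot first, e.g. `- The ES|QL alert carries no process.pid; use its process.command_line, process.working_directory and host.name to find the matching source events in logs-endpoint.events.process-* (or the live process table on the host) and terminate by the PID recovered there.` The bullet about `user.name` and `user.id` should likewise say those fields come from the source events, not the alert document.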
@@ -89,57 +130,57 @@ from logs-endpoint.events.process-*
 process.parent.executable like "/vscode/vscode-server/*" or process.parent.executable == "/usr/bin/xfce4-terminal" )
-| stats cc = count(), agent_count = count_distinct(agent.id) by process.command_line, process.working_directory, process.parent.executable
+| stats cc = count(), agent_count = count_distinct(agent.id), host.name = VALUES(host.name), agent.id = VALUES(agent.id) by process.command_line, process.working_directory, process.parent.executable
 | where agent_count == 1 and cc < 5
 | sort cc asc
 | limit 100
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-name = "Persistence"
-id = "TA0003"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat.technique]]
 id = "T1505"
 name = "Server Software Component"
 reference = "https://attack.mitre.org/techniques/T1505/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1505.003"
 name = "Web Shell"
 reference = "https://attack.mitre.org/techniques/T1505/003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
 [rule.threat.tactic]
-name = "Command and Control"
 id = "TA0011"
+name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat.technique]]
-name = "Application Layer Protocol"
-id = "T1071"
-reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/persistence_web_server_sus_destination_port.toml b/rules/linux/persistence_web_server_sus_destination_port.toml
index 39815bc2df6..9755dbd1e44 100644
--- a/rules/linux/persistence_web_server_sus_destination_port.toml
+++ b/rules/linux/persistence_web_server_sus_destination_port.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/05"
+updated_date = "2025/04/07"
 [rule]
 author = ["Elastic"]
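Review bot: On the new `| stats ... host.name = VALUES(host.name), agent.id = VALUES(agent.id)` line, `VALUES` yields multi-valued columns: the later `| where agent_count == 1` guarantees `agent.id` collapses to a single value, but `host.name` can still hold several values for one agent (for instance across a hostname change), so anything consuming the alert should expect an array in that field. As far as I know `VALUES` was still flagged technical preview in the ES|QL docs through the 8.x line; if this rule has to run on the oldest stack the repository targets, either confirm support there or set `min_stack_version` in the rule's `[metadata]`. A short comment in the query would also spare the next reader that check, e.g. `// agent_count == 1 below keeps agent.id single-valued; host.name may carry several values`.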
@@ -16,6 +16,42 @@ index = ["logs-endpoint.events.network*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Uncommon Destination Port Connection by Web Server"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Uncommon Destination Port Connection by Web Server
+
+Web servers, crucial for hosting applications, typically communicate over standard ports like 80 and 443. Adversaries may exploit web server processes to establish unauthorized connections to unusual ports, potentially indicating web shell activity or data exfiltration. This detection rule identifies such anomalies by monitoring egress connections from web server processes to non-standard ports, excluding common local IP ranges, thus highlighting potential threats.
+
+### Possible investigation steps
+
+- Review the process name and user associated with the alert to determine if the connection attempt was made by a legitimate web server process or user, as specified in the query fields (e.g., process.name or user.name).
+- Examine the destination IP address to assess whether it is known or suspicious, and check if it falls outside the excluded local IP ranges.
+- Investigate the destination port to understand why the connection was attempted on a non-standard port, and determine if this port is associated with any known services or threats.
+- Check historical logs for any previous connection attempts from the same process or user to the same or similar destination IPs and ports to identify patterns or repeated behavior.
+- Analyze any related network traffic or logs to identify additional context or anomalies that may indicate unauthorized activity or data exfiltration.
+- Correlate the alert with other security events or alerts to determine if it is part of a larger attack pattern or campaign.
+
+### False positive analysis
+
+- Routine administrative tasks or maintenance scripts may trigger alerts if they involve web server processes connecting to non-standard ports. To manage this, identify and document these tasks, then create exceptions for the specific processes and ports involved.
+- Internal monitoring or management tools that use non-standard ports for legitimate purposes can cause false positives. Review the tools in use and exclude their known IP addresses and ports from the rule.
+- Development or testing environments often use non-standard ports for web server processes. Ensure these environments are well-documented and consider excluding their IP ranges or specific ports from the rule.
+- Load balancers or reverse proxies might redirect traffic to non-standard ports as part of their normal operation. Verify the configuration of these devices and exclude their IP addresses and ports if necessary.
+- Custom applications running on web servers may require communication over non-standard ports. Work with application owners to understand these requirements and adjust the rule to exclude these specific cases.
+
+### Response and remediation
+
+- Immediately isolate the affected web server from the network to prevent further unauthorized access or data exfiltration.
+- Conduct a thorough review of the web server's logs and processes to identify any unauthorized changes or suspicious activities, focusing on the processes and user accounts mentioned in the detection rule.
+- Terminate any suspicious processes identified during the investigation that are not part of the standard operation of the web server.
+- Change passwords and review permissions for the user accounts associated with the web server processes to ensure they have not been compromised.
+- Restore the web server from a known good backup if any unauthorized changes or malware are detected, ensuring that the backup is free from compromise.
+- Implement network segmentation to limit the web server's access to critical systems and data, reducing the potential impact of future incidents.
+- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected, ensuring comprehensive threat containment and remediation.
+"""
 risk_score = 21
 rule_id = "00546494-5bb0-49d6-9220-5f3b4c12f26a"
 setup = """## Setup
@@ -52,6 +88,7 @@ tags = [
 "Tactic: Execution",
 "Tactic: Command and Control",
 "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
index 6dd7ba60122..4bd670306f2 100644
--- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
+++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/07/28"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
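Review bot: The opening line of the added guide, `+note = """ ## Triage and analysis`, has a space between the opening triple quotes and the heading that the other guides added in this diff (chown/chmod, chroot, debugfs) do not have, so the rendered note begins with a stray leading space; unless that space is an artifact of how this page was captured, it should read `note = """## Triage and analysis`. The guide also states that the rule excludes "common local IP ranges", which cannot be checked against the query from this hunk; worth confirming the wording matches the rule's actual exclusions before it ships.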
@@ -15,10 +13,51 @@ commands or input containing wildcards (e.g., *, ?, []) to execute unintended op
 tricking the system into interpreting the wildcard characters in unexpected ways.
 """
 from = "now-9m"
-index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "auditbeat-*",
+ "endgame-*",
+ "logs-auditd_manager.auditd-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Unauthorized Access via Wildcard Injection Detected"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Unauthorized Access via Wildcard Injection Detected
+
+In Linux environments, commands like `chown` and `chmod` are used to change file ownership and permissions. Adversaries may exploit wildcard characters in these commands to escalate privileges or access sensitive data by executing unintended operations. The detection rule identifies suspicious use of these commands with recursive flags and wildcard references, signaling potential misuse aimed at privilege escalation or unauthorized data access.
+
+### Possible investigation steps
+
+- Review the process execution details to confirm the presence of the "chown" or "chmod" command with the "-R" flag and wildcard usage in the arguments, as indicated by the query fields process.name, process.args, and event.action.
+- Examine the user account associated with the process execution to determine if it has the necessary permissions to perform such operations and assess if the account has been compromised.
+- Check the command execution history and related logs to identify any preceding or subsequent suspicious activities that might indicate a broader attack pattern or unauthorized access attempts.
+- Investigate the source and destination of the command execution by analyzing network logs and connections to determine if the activity originated from a known or unknown IP address or host.
+- Correlate this event with other alerts or anomalies in the system to identify potential patterns or coordinated attacks, focusing on privilege escalation or credential access attempts as suggested by the rule's tags and threat information.
+
+### False positive analysis
+
+- Routine administrative tasks using chown or chmod with recursive flags may trigger the rule. To manage this, identify and whitelist specific scripts or users that regularly perform these tasks without security risks.
+- Automated system maintenance processes that involve changing file permissions or ownership across directories can be mistaken for malicious activity. Exclude these processes by specifying their command patterns or associated user accounts in the monitoring system.
+- Backup operations that involve copying and setting permissions on large sets of files might be flagged. To prevent this, configure exceptions for known backup tools or scripts that use these commands in a controlled manner.
+- Development environments where developers frequently change file permissions for testing purposes can generate false positives. Implement user-based exceptions for development teams to reduce unnecessary alerts.
+- System updates or package installations that modify file permissions as part of their normal operation may be detected. Create exceptions for trusted package managers or update processes to avoid false alarms.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious processes identified as running the `chown` or `chmod` commands with wildcard injections to halt potential privilege escalation activities.
+- Conduct a thorough review of system logs and command histories to identify any unauthorized changes made to file permissions or ownership and revert them to their original state.
+- Reset credentials and review access permissions for users on the affected system to ensure no unauthorized access persists.
+- Implement file integrity monitoring to detect unauthorized changes to critical files and directories in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Update and patch the affected system to address any vulnerabilities that may have been exploited during the attack, ensuring all security updates are applied."""
 references = ["https://www.exploit-db.com/papers/33930"]
 risk_score = 21
 rule_id = "4a99ac6f-9a54-4ba5-a64f-6eb65695841b"
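Review bot: The first investigation step (`+- Review the process execution details ... wildcard usage in the arguments`) sends the analyst looking for a literal wildcard, but the query this guide accompanies (visible as context in the next hunk: `process.args == "-R" and process.args : "--reference=*"`) fires on the argument the shell produced after expanding the wildcard, so a matching event will normally show a `--reference=` argument rather than a `*`. Suggest rewording that step to `confirm the "chown" or "chmod" process ran with "-R" and a "--reference=" argument (process.name, process.args)`, so the analyst pivots on the field the rule actually matched. The same wording issue is not present in the other guides added in this diff.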
@@ -69,40 +108,6 @@ process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Unauthorized Access via Wildcard Injection Detected
-
-In Linux environments, commands like `chown` and `chmod` are used to change file ownership and permissions. Adversaries may exploit wildcard characters in these commands to escalate privileges or access sensitive data by executing unintended operations. The detection rule identifies suspicious use of these commands with recursive flags and wildcard references, signaling potential misuse aimed at privilege escalation or unauthorized data access.
-
-### Possible investigation steps
-
-- Review the process execution details to confirm the presence of the "chown" or "chmod" command with the "-R" flag and wildcard usage in the arguments, as indicated by the query fields process.name, process.args, and event.action.
-- Examine the user account associated with the process execution to determine if it has the necessary permissions to perform such operations and assess if the account has been compromised.
-- Check the command execution history and related logs to identify any preceding or subsequent suspicious activities that might indicate a broader attack pattern or unauthorized access attempts.
-- Investigate the source and destination of the command execution by analyzing network logs and connections to determine if the activity originated from a known or unknown IP address or host.
-- Correlate this event with other alerts or anomalies in the system to identify potential patterns or coordinated attacks, focusing on privilege escalation or credential access attempts as suggested by the rule's tags and threat information.
-
-### False positive analysis
-
-- Routine administrative tasks using chown or chmod with recursive flags may trigger the rule. To manage this, identify and whitelist specific scripts or users that regularly perform these tasks without security risks.
-- Automated system maintenance processes that involve changing file permissions or ownership across directories can be mistaken for malicious activity. Exclude these processes by specifying their command patterns or associated user accounts in the monitoring system.
-- Backup operations that involve copying and setting permissions on large sets of files might be flagged. To prevent this, configure exceptions for known backup tools or scripts that use these commands in a controlled manner.
-- Development environments where developers frequently change file permissions for testing purposes can generate false positives. Implement user-based exceptions for development teams to reduce unnecessary alerts.
-- System updates or package installations that modify file permissions as part of their normal operation may be detected. Create exceptions for trusted package managers or update processes to avoid false alarms.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
-- Terminate any suspicious processes identified as running the `chown` or `chmod` commands with wildcard injections to halt potential privilege escalation activities.
-- Conduct a thorough review of system logs and command histories to identify any unauthorized changes made to file permissions or ownership and revert them to their original state.
-- Reset credentials and review access permissions for users on the affected system to ensure no unauthorized access persists.
-- Implement file integrity monitoring to detect unauthorized changes to critical files and directories in the future.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Update and patch the affected system to address any vulnerabilities that may have been exploited during the attack, ensuring all security updates are applied."""
 [[rule.threat]]
diff --git a/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml b/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml
new file mode 100644
index 00000000000..94a0637e997
--- /dev/null
+++ b/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml
@@ -0,0 +1,115 @@
+[metadata]
+creation_date = "2025/03/12"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/03/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the use of the built-in Linux DebugFS utility from inside a container. DebugFS is a special
+file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
+a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
+sensitive host level files which could be used for further privilege escalation and container escapes to the host
+machine.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "File System Debugger Launched Inside a Container"
+references = [
+ "https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q",
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
+]
+risk_score = 47
+rule_id = "35c029c3-090e-4a25-b613-0b8099970fc1"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "medium"
+tags = [
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.entry_leader.entry_meta.type == "container" and process.name == "debugfs" and
+process.command_line like~ "/dev/sd*" and not process.args == "-R"
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating File System Debugger Launched Inside a Container
+
+DebugFS is a Linux utility for direct file system manipulation, often used for debugging. In a privileged container, which has extensive access to the host, adversaries can exploit DebugFS to access sensitive host files, potentially leading to privilege escalation or container escape. The detection rule identifies suspicious DebugFS usage by monitoring process initiation with specific arguments in containers, flagging potential misuse.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the process name is "debugfs" and check the specific arguments used, particularly looking for "/dev/sd*" to identify potential access to host file systems.
+- Verify the container's security context to ensure it is indeed privileged, as this increases the risk of host-level access.
+- Investigate the origin of the container image and deployment configuration to determine if the use of a privileged container was intentional or necessary.
+- Check the user or service account that initiated the process to assess if it aligns with expected behavior or if it indicates potential unauthorized access.
+- Examine recent logs and events from the container and host to identify any unusual activities or patterns that coincide with the alert.
+- Assess the potential impact by identifying any sensitive files or directories that may have been accessed or modified by the debugfs process.
+
+### False positive analysis
+
+- Routine maintenance tasks using DebugFS in privileged containers can trigger alerts. To manage this, identify and document regular maintenance processes and create exceptions for these specific processes.
+- Automated scripts or tools that utilize DebugFS for legitimate monitoring or debugging purposes may cause false positives. Review these scripts and whitelist them by excluding their specific process arguments or execution contexts.
+- Development and testing environments often run privileged containers with DebugFS for debugging purposes. Establish a separate set of rules or exceptions for these environments to prevent unnecessary alerts.
+- Backup or recovery operations that involve direct disk access might use DebugFS. Ensure these operations are well-documented and create exceptions based on their unique process signatures or execution schedules.
+
+### Response and remediation
+
+- Immediately isolate the affected container to prevent further access to sensitive host files. This can be done by stopping the container or removing its network access.
+- Conduct a thorough review of the container's security context and capabilities to ensure it does not have unnecessary privileges. Adjust the container's configuration to remove privileged access if not required.
+- Analyze the container's logs and process history to identify any unauthorized access or actions taken by the DebugFS utility. This will help determine the extent of the potential breach.
+- If unauthorized access to host files is confirmed, perform a security assessment of the host system to identify any changes or breaches. This may include checking for new user accounts, modified files, or unexpected network connections.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. Provide them with all relevant logs and findings.
+- Implement additional monitoring and alerting for similar activities across other containers and hosts to detect any recurrence of this threat.
+- Review and update container deployment policies to enforce the principle of least privilege, ensuring containers only have the necessary permissions to perform their intended functions."""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
index eb87c2531d8..cf3c4082eaf 100644
--- a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
+++ b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/01/15"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
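Review bot: The query's `process.command_line like~ "/dev/sd*"` is unlikely to ever match: in EQL `like` is a whole-value wildcard match (as `:` is), and a debugfs invocation's command line begins with the program name, so the value is shaped like `debugfs /dev/sda1` rather than starting with `/dev/sd`; the pattern needs a leading wildcard, `process.command_line like~ "*/dev/sd*"`, or the condition should move to the argument field, `process.args like~ "/dev/sd*"`, which also matches what the guide tells analysts to look for. Either way, `/dev/sd*` only covers SCSI/SATA-style device names; hosts whose block devices are `/dev/nvme*`, `/dev/vd*` or `/dev/xvd*` fall outside the rule, which deserves a sentence in the `description` or the false-positive section so the coverage gap is a documented one. If EQL's `like` has substring semantics on the stack this rule targets, the first point is moot and only the device-name coverage remains.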
@@ -18,6 +16,41 @@ index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Chroot Container Escape via Mount"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Chroot Container Escape via Mount
+
+Chroot and mount are Linux utilities that can isolate processes and manage file systems, respectively. Adversaries may exploit these to escape containerized environments by mounting the host's root file system and using chroot to change the root directory, gaining unauthorized access. The detection rule identifies this rare sequence by monitoring for mount and chroot executions within a short timeframe, signaling potential privilege escalation attempts.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific host.id and process.parent.entity_id associated with the alert to understand which system and parent process are involved.
+- Examine the process execution timeline to confirm the sequence of the mount and chroot commands, ensuring they occurred within the specified maxspan of 5 minutes.
+- Investigate the process.args field for the mount command to determine the specific device or file system being targeted, especially focusing on any /dev/sd* entries that suggest attempts to access physical disks.
+- Check the user permissions and roles associated with the process.parent.name (e.g., bash, dash, sh) to assess if the user had sufficient privileges to perform such operations.
+- Analyze the broader context of the host.os.type to identify any recent changes or anomalies in the Linux environment that could have facilitated this behavior.
+- Correlate with other security logs or alerts from the same host to identify any additional suspicious activities or patterns that might indicate a broader attack or compromise.
+
+### False positive analysis
+
+- System maintenance scripts may trigger the rule if they involve mounting and chroot operations. Review scheduled tasks and scripts to identify legitimate use and consider excluding these specific processes from the rule.
+- Backup or recovery operations that require mounting file systems and changing root directories can also cause false positives. Identify these operations and create exceptions for the associated processes or users.
+- Development or testing environments where users frequently perform mount and chroot operations for legitimate purposes may trigger alerts. Evaluate the necessity of these actions and exclude known safe processes or users.
+- Automated deployment tools that use mount and chroot as part of their setup routines can be mistaken for malicious activity. Verify the tools and their processes, then add them to an exclusion list if they are deemed safe.
+- Custom scripts executed by trusted users that involve mount and chroot should be reviewed. If these scripts are part of regular operations, consider excluding them from the detection rule.
+
+### Response and remediation
+
+- Immediately isolate the affected container to prevent further unauthorized access or potential lateral movement within the host system.
+- Terminate any suspicious processes identified as executing the mount or chroot commands within the container to halt any ongoing escape attempts.
+- Conduct a thorough review of the container's permissions and configurations to ensure that only necessary privileges are granted, reducing the risk of similar exploits.
+- Inspect the host system for any signs of compromise or unauthorized access, focusing on logs and system changes around the time of the detected activity.
+- Restore the container from a known good backup if any unauthorized changes or compromises are detected, ensuring the environment is clean and secure.
+- Update and patch the container and host systems to address any known vulnerabilities that could be exploited for privilege escalation or container escape.
+- Escalate the incident to the security operations team for further analysis and to determine if additional monitoring or security measures are required to prevent future occurrences."""
 references = [
 "https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash",
 ]
@@ -79,41 +112,6 @@ sequence by host.id, process.parent.entity_id with maxspan=5m [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and process.name == "chroot"] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Chroot Container Escape via Mount - -Chroot and mount are Linux utilities that can isolate processes and manage file systems, respectively. Adversaries may exploit these to escape containerized environments by mounting the host's root file system and using chroot to change the root directory, gaining unauthorized access. The detection rule identifies this rare sequence by monitoring for mount and chroot executions within a short timeframe, signaling potential privilege escalation attempts. - -### Possible investigation steps - -- Review the alert details to identify the specific host.id and process.parent.entity_id associated with the alert to understand which system and parent process are involved. -- Examine the process execution timeline to confirm the sequence of the mount and chroot commands, ensuring they occurred within the specified maxspan of 5 minutes. -- Investigate the process.args field for the mount command to determine the specific device or file system being targeted, especially focusing on any /dev/sd* entries that suggest attempts to access physical disks. -- Check the user permissions and roles associated with the process.parent.name (e.g., bash, dash, sh) to assess if the user had sufficient privileges to perform such operations. 
-- Analyze the broader context of the host.os.type to identify any recent changes or anomalies in the Linux environment that could have facilitated this behavior. -- Correlate with other security logs or alerts from the same host to identify any additional suspicious activities or patterns that might indicate a broader attack or compromise. - -### False positive analysis - -- System maintenance scripts may trigger the rule if they involve mounting and chroot operations. Review scheduled tasks and scripts to identify legitimate use and consider excluding these specific processes from the rule. -- Backup or recovery operations that require mounting file systems and changing root directories can also cause false positives. Identify these operations and create exceptions for the associated processes or users. -- Development or testing environments where users frequently perform mount and chroot operations for legitimate purposes may trigger alerts. Evaluate the necessity of these actions and exclude known safe processes or users. -- Automated deployment tools that use mount and chroot as part of their setup routines can be mistaken for malicious activity. Verify the tools and their processes, then add them to an exclusion list if they are deemed safe. -- Custom scripts executed by trusted users that involve mount and chroot should be reviewed. If these scripts are part of regular operations, consider excluding them from the detection rule. - -### Response and remediation - -- Immediately isolate the affected container to prevent further unauthorized access or potential lateral movement within the host system. -- Terminate any suspicious processes identified as executing the mount or chroot commands within the container to halt any ongoing escape attempts. -- Conduct a thorough review of the container's permissions and configurations to ensure that only necessary privileges are granted, reducing the risk of similar exploits. 
-- Inspect the host system for any signs of compromise or unauthorized access, focusing on logs and system changes around the time of the detected activity. -- Restore the container from a known good backup if any unauthorized changes or compromises are detected, ensuring the environment is clean and secure. -- Update and patch the container and host systems to address any known vulnerabilities that could be exploited for privilege escalation or container escape. -- Escalate the incident to the security operations team for further analysis and to determine if additional monitoring or security measures are required to prevent future occurrences.""" [[rule.threat]] diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index 1f39e9a2a8c..be48d513e96 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -2,9 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -16,10 +14,52 @@ escalate privileges, establish persistence or hide their activities by loading a tamper with the system's trusted state, allowing e.g. a VM Escape. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Kernel Load or Unload via Kexec Detected" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Kernel Load or Unload via Kexec Detected + +Kexec is a Linux feature allowing a new kernel to load without rebooting, streamlining updates and recovery. However, attackers can exploit kexec to bypass security, escalate privileges, or hide activities by loading malicious kernels. The detection rule identifies suspicious kexec usage by monitoring process actions and arguments, excluding benign parent processes, to flag potential threats. + +### Possible investigation steps + +- Review the process details to confirm the presence of the kexec command with suspicious arguments such as "--exec", "-e", "--load", "-l", "--unload", or "-u". +- Investigate the parent process of the kexec command to ensure it is not a benign process like "kdumpctl" or "unload.sh", which are excluded from the detection rule. +- Check the user account associated with the kexec process to determine if it has the necessary privileges and if the activity aligns with their typical behavior. 
+- Analyze recent system logs and security events for any signs of privilege escalation or unauthorized kernel modifications around the time the kexec command was executed. +- Examine the system for any signs of persistence mechanisms or other indicators of compromise that may suggest a broader attack campaign. +- Correlate this event with other alerts or anomalies in the environment to assess if this is part of a larger attack pattern or isolated incident. + +### False positive analysis + +- Kdump operations may trigger false positives as kdumpctl is a benign parent process for kexec. Ensure kdumpctl is included in the exclusion list to prevent unnecessary alerts. +- Custom scripts for kernel unloading, such as unload.sh, can cause false positives. Verify these scripts are legitimate and add them to the exclusion list if they are frequently used in your environment. +- Routine administrative tasks involving kernel updates or testing may involve kexec. Confirm these activities are authorized and consider excluding specific administrative accounts or processes from detection. +- Automated system recovery processes that utilize kexec might be flagged. Identify these processes and exclude them if they are part of a known and secure recovery mechanism. +- Security tools or monitoring solutions that use kexec for legitimate purposes should be reviewed and excluded to avoid false alerts, ensuring they are recognized as trusted applications. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the attacker. +- Terminate any suspicious kexec processes identified by the detection rule to halt any ongoing malicious kernel loading activities. +- Conduct a thorough review of system logs and process histories to identify any unauthorized kernel loads or modifications, and revert to a known good state if necessary. 
+- Restore the system from a clean backup taken before the suspicious activity was detected to ensure system integrity and remove any potential backdoors or malicious kernels. +- Update and patch the system to the latest security standards to mitigate any vulnerabilities that could be exploited by similar attacks in the future. +- Implement strict access controls and monitoring on systems with kexec capabilities to prevent unauthorized usage and ensure only trusted personnel can perform kernel operations. +- Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the potential impact on other systems within the network.""" references = [ "https://www.crowdstrike.com/blog/venom-vulnerability-details/", "https://www.makeuseof.com/what-is-venom-vulnerability/", 
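Review bot: The "Terminate any suspicious kexec processes" step in the new Response and remediation section does not match how kexec behaves: `kexec -l`/`--load` only stages a kernel image and exits, and `kexec -e`/`--exec` hands control to the new kernel immediately, so there is normally no long-lived process left to terminate. A more useful step is to check for a staged-but-not-yet-executed kernel, e.g. `- Check /sys/kernel/kexec_loaded on the affected host; a value of 1 means a kernel was staged with --load but not executed, so unload it and preserve the image path recorded in process.args for analysis.` The False positive bullet "Ensure kdumpctl is included in the exclusion list" asks the reader to add an exclusion the query already contains (`not process.parent.name in ("kdumpctl", "unload.sh")`), so it should say the rule already excludes kdumpctl and that only additional kdump wrappers need exceptions.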
@@ -69,93 +109,59 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") and not process.parent.name in ("kdumpctl", "unload.sh") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Kernel Load or Unload via Kexec Detected - -Kexec is a Linux feature allowing a new kernel to load without rebooting, streamlining updates and recovery. However, attackers can exploit kexec to bypass security, escalate privileges, or hide activities by loading malicious kernels. The detection rule identifies suspicious kexec usage by monitoring process actions and arguments, excluding benign parent processes, to flag potential threats. - -### Possible investigation steps - -- Review the process details to confirm the presence of the kexec command with suspicious arguments such as "--exec", "-e", "--load", "-l", "--unload", or "-u". -- Investigate the parent process of the kexec command to ensure it is not a benign process like "kdumpctl" or "unload.sh", which are excluded from the detection rule. -- Check the user account associated with the kexec process to determine if it has the necessary privileges and if the activity aligns with their typical behavior. -- Analyze recent system logs and security events for any signs of privilege escalation or unauthorized kernel modifications around the time the kexec command was executed. 
-- Examine the system for any signs of persistence mechanisms or other indicators of compromise that may suggest a broader attack campaign. -- Correlate this event with other alerts or anomalies in the environment to assess if this is part of a larger attack pattern or isolated incident. - -### False positive analysis - -- Kdump operations may trigger false positives as kdumpctl is a benign parent process for kexec. Ensure kdumpctl is included in the exclusion list to prevent unnecessary alerts. -- Custom scripts for kernel unloading, such as unload.sh, can cause false positives. Verify these scripts are legitimate and add them to the exclusion list if they are frequently used in your environment. -- Routine administrative tasks involving kernel updates or testing may involve kexec. Confirm these activities are authorized and consider excluding specific administrative accounts or processes from detection. -- Automated system recovery processes that utilize kexec might be flagged. Identify these processes and exclude them if they are part of a known and secure recovery mechanism. -- Security tools or monitoring solutions that use kexec for legitimate purposes should be reviewed and excluded to avoid false alerts, ensuring they are recognized as trusted applications. - -### Response and remediation -- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the attacker. -- Terminate any suspicious kexec processes identified by the detection rule to halt any ongoing malicious kernel loading activities. -- Conduct a thorough review of system logs and process histories to identify any unauthorized kernel loads or modifications, and revert to a known good state if necessary. -- Restore the system from a clean backup taken before the suspicious activity was detected to ensure system integrity and remove any potential backdoors or malicious kernels. 
-- Update and patch the system to the latest security standards to mitigate any vulnerabilities that could be exploited by similar attacks in the future. -- Implement strict access controls and monitoring on systems with kexec capabilities to prevent unauthorized usage and ensure only trusted personnel can perform kernel operations. -- Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the potential impact on other systems within the network.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1601" name = "Modify System Image" reference = "https://attack.mitre.org/techniques/T1601/" - [[rule.threat.technique.subtechnique]] id = "T1601.001" name = "Patch System Image" reference = "https://attack.mitre.org/techniques/T1601/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/privilege_escalation_mount_launched_inside_container.toml b/rules/linux/privilege_escalation_mount_launched_inside_container.toml new file mode 100644 index 00000000000..0c794a857d1 --- /dev/null 
+++ b/rules/linux/privilege_escalation_mount_launched_inside_container.toml 
@@ -0,0 +1,114 @@ +[metadata] +creation_date = "2025/03/12" +integration = ["endpoint"] +maturity = "production" +updated_date = "2025/03/12" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the use of the mount utility from inside a container. The mount command is used to make a +device or file system accessible to the system, and then to connect its root directory to a specified mount point on the +local file system. When launched inside a privileged container--a container deployed with all the capabilities of the +host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation +and container escapes to the host machine. Any usage of mount inside a running privileged container should be further +investigated. +""" +from = "now-9m" +index = ["logs-endpoint.events.process*"] +language = "eql" +license = "Elastic License v2" +name = "Mount Launched Inside a Container" +references = [ + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged", +] +risk_score = 47 +rule_id = "c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. 
+- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. + +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" +severity = "medium" +tags = [ + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.entry_leader.entry_meta.type == "container" and process.name == "mount" +''' +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Mount Launched Inside a Container + +In containerized environments, the `mount` utility is crucial for attaching file systems to the system's directory tree. When executed within a privileged container, which has extensive host capabilities, it can be exploited by adversaries to access sensitive host files, potentially leading to privilege escalation or container escapes. The detection rule identifies such misuse by monitoring the execution of `mount` in containers, flagging potential security threats for further investigation. + +### Possible investigation steps + +- Review the alert details to confirm that the process name or arguments include "mount" and that the container's security context is marked as privileged. +- Check the container's deployment configuration to verify if it was intentionally set as privileged and assess whether this level of privilege is necessary for its function. +- Investigate the user or process that initiated the mount command within the container to determine if it aligns with expected behavior or if it indicates potential malicious activity. +- Examine the mounted file systems and directories to identify any sensitive host files that may have been accessed or exposed. +- Review logs and historical data for any previous suspicious activities associated with the same container or user to identify patterns or repeated attempts at privilege escalation. + +### False positive analysis + +- Routine maintenance tasks within privileged containers may trigger the rule. Exclude known maintenance scripts or processes by adding them to an exception list based on their unique identifiers or command patterns. +- Backup operations that require mounting file systems might be flagged. 
Identify and exclude these operations by specifying the backup process names or arguments in the rule exceptions. +- Development or testing environments often use privileged containers for convenience. If these environments are known and controlled, consider excluding them by container IDs or labels to reduce noise. +- Automated deployment tools that use mount commands in privileged containers can be mistaken for threats. Review and whitelist these tools by their process names or specific arguments to prevent false alerts. +- Certain monitoring or logging solutions may use mount operations for data collection. Verify these solutions and exclude their processes if they are legitimate and necessary for system operations. + +### Response and remediation + +- Immediately isolate the affected container to prevent further access to sensitive host files. This can be done by stopping the container or disconnecting it from the network. +- Review and revoke any unnecessary privileges from the container's security context to prevent similar incidents. Ensure that containers run with the least privileges necessary. +- Conduct a thorough analysis of the container's file system and logs to identify any unauthorized access or modifications to host files. +- If unauthorized access is confirmed, perform a comprehensive audit of the host system to check for any signs of compromise or privilege escalation attempts. +- Patch and update the container image and host system to address any vulnerabilities that may have been exploited. +- Implement stricter access controls and monitoring for privileged containers, ensuring that only trusted users and processes can execute sensitive commands like `mount`. 
+- Escalate the incident to the security operations team for further investigation and to assess the need for additional security measures or incident response actions.""" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index 793e90b2b57..9df3d417f82 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
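Review bot: The first investigation step in the note tells the analyst to confirm that "the process name or arguments include mount and that the container's security context is marked as privileged", but the query only evaluates `process.name == "mount"` and `process.entry_leader.entry_meta.type == "container"`; neither process.args nor any privileged-container indicator is part of the rule, so the alert itself can confirm neither. Suggested wording: `- Review the alert to confirm process.name is "mount" and process.entry_leader.entry_meta.type is "container"; the rule does not check whether the container is privileged, so verify that from the runtime or orchestrator configuration before treating the alert as a potential escape.` The description's "Any usage of mount inside a running privileged container should be further investigated" likewise overstates what is matched — the rule fires for every container-sourced mount execution, privileged or not — and the False positive analysis should say so explicitly so that tuning is done by container identity (container.id, image or labels) rather than by privilege level.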
@@ -17,6 +15,41 @@ index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_fun language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via PKEXEC" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Privilege Escalation via PKEXEC + +Polkit's pkexec is a command-line utility that allows an authorized user to execute commands as another user, typically root, in Linux environments. Adversaries exploit vulnerabilities like CVE-2021-4034 by injecting unsecure environment variables, enabling unauthorized privilege escalation. The detection rule identifies suspicious file paths indicative of such exploitation attempts, focusing on environment variable manipulation to preemptively flag potential threats. + +### Possible investigation steps + +- Review the alert details to confirm the presence of the file path pattern "/*GCONV_PATH*" on a Linux host, as this is indicative of the potential exploitation attempt. +- Examine the process execution history on the affected host to identify any instances of pkexec being executed around the time of the alert. Look for unusual or unauthorized command executions. +- Check the environment variables set during the pkexec execution to identify any suspicious or unauthorized modifications that could indicate an exploitation attempt. +- Investigate the user account associated with the alert to determine if it has a history of privilege escalation attempts or other suspicious activities. +- Analyze system logs and security events for any additional indicators of compromise or related suspicious activities that occurred before or after the alert. 
+- Assess the patch status of the affected system to determine if it is vulnerable to CVE-2021-4034 and ensure that appropriate security updates have been applied. + +### False positive analysis + +- Routine administrative tasks involving pkexec may trigger alerts if they involve environment variable manipulation. Review the context of the command execution to determine if it aligns with expected administrative behavior. +- Custom scripts or applications that legitimately use environment variables in their execution paths might be flagged. Identify these scripts and consider adding them to an exception list if they are verified as non-threatening. +- Automated system management tools that modify environment variables for legitimate purposes could cause false positives. Monitor these tools and exclude their known safe operations from the detection rule. +- Development environments where developers frequently test applications with varying environment variables might generate alerts. Establish a baseline of normal activity and exclude these patterns if they are consistent and verified as safe. +- Scheduled tasks or cron jobs that involve environment variable changes should be reviewed. If they are part of regular system maintenance, document and exclude them from triggering alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the attacker. +- Terminate any suspicious processes associated with pkexec or unauthorized privilege escalation attempts to halt ongoing exploitation. +- Conduct a thorough review of system logs and file access records to identify any unauthorized changes or access patterns, focusing on the presence of GCONV_PATH in file paths. +- Revert any unauthorized changes made by the attacker, such as modifications to critical system files or configurations, to restore system integrity. 
+- Apply the latest security patches and updates to the polkit package to address CVE-2021-4034 and prevent future exploitation. +- Implement enhanced monitoring and alerting for similar privilege escalation attempts, ensuring that any future attempts are detected and responded to promptly. +- Report the incident to relevant internal security teams and, if necessary, escalate to external authorities or cybersecurity partners for further investigation and support.""" references = ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"] risk_score = 73 rule_id = "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9" 
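Review bot: The Possible investigation steps never identify which process created the path that matched `file.path : "/*GCONV_PATH*"`, even though this is a file-event rule and the writing process is the pivot for every later step; the second bullet jumps to "process execution history ... pkexec" without tying it back to the file event. Add as the second bullet `- Identify the process that created the GCONV_PATH path (process.executable, process.parent.executable, user.name) and check whether the same session subsequently executed pkexec.` The False positive analysis bullets all describe "environment variable manipulation" in administrative tasks and development environments, which does not produce a file whose path contains the literal string GCONV_PATH, so none of the proposed exclusions correspond to anything this query matches. Rewrite them around plausible benign producers of such paths (for example authorized vulnerability scanners or exploit-validation tooling for CVE-2021-4034) and recommend excluding by process.executable or user.name rather than by environment-variable usage.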
@@ -63,41 +96,6 @@ type = "eql" query = ''' file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Privilege Escalation via PKEXEC - -Polkit's pkexec is a command-line utility that allows an authorized user to execute commands as another user, typically root, in Linux environments. Adversaries exploit vulnerabilities like CVE-2021-4034 by injecting unsecure environment variables, enabling unauthorized privilege escalation. The detection rule identifies suspicious file paths indicative of such exploitation attempts, focusing on environment variable manipulation to preemptively flag potential threats. - -### Possible investigation steps - -- Review the alert details to confirm the presence of the file path pattern "/*GCONV_PATH*" on a Linux host, as this is indicative of the potential exploitation attempt. -- Examine the process execution history on the affected host to identify any instances of pkexec being executed around the time of the alert. Look for unusual or unauthorized command executions. -- Check the environment variables set during the pkexec execution to identify any suspicious or unauthorized modifications that could indicate an exploitation attempt. -- Investigate the user account associated with the alert to determine if it has a history of privilege escalation attempts or other suspicious activities. -- Analyze system logs and security events for any additional indicators of compromise or related suspicious activities that occurred before or after the alert. 
-- Assess the patch status of the affected system to determine if it is vulnerable to CVE-2021-4034 and ensure that appropriate security updates have been applied. - -### False positive analysis - -- Routine administrative tasks involving pkexec may trigger alerts if they involve environment variable manipulation. Review the context of the command execution to determine if it aligns with expected administrative behavior. -- Custom scripts or applications that legitimately use environment variables in their execution paths might be flagged. Identify these scripts and consider adding them to an exception list if they are verified as non-threatening. -- Automated system management tools that modify environment variables for legitimate purposes could cause false positives. Monitor these tools and exclude their known safe operations from the detection rule. -- Development environments where developers frequently test applications with varying environment variables might generate alerts. Establish a baseline of normal activity and exclude these patterns if they are consistent and verified as safe. -- Scheduled tasks or cron jobs that involve environment variable changes should be reviewed. If they are part of regular system maintenance, document and exclude them from triggering alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the attacker. -- Terminate any suspicious processes associated with pkexec or unauthorized privilege escalation attempts to halt ongoing exploitation. -- Conduct a thorough review of system logs and file access records to identify any unauthorized changes or access patterns, focusing on the presence of GCONV_PATH in file paths. -- Revert any unauthorized changes made by the attacker, such as modifications to critical system files or configurations, to restore system integrity. 
-- Apply the latest security patches and updates to the polkit package to address CVE-2021-4034 and prevent future exploitation. -- Implement enhanced monitoring and alerting for similar privilege escalation attempts, ensuring that any future attempts are detected and responded to promptly. -- Report the incident to relevant internal security teams and, if necessary, escalate to external authorities or cybersecurity partners for further investigation and support.""" [[rule.threat]] diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index a3ba3a40cad..99c6f5add45 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,6 +17,41 @@ index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Shell via Wildcard Injection Detected" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Shell via Wildcard Injection Detected + +Wildcard injection exploits vulnerabilities in Linux command-line utilities by manipulating wildcard characters to execute unauthorized commands. Adversaries leverage this to escalate privileges or execute arbitrary code. The detection rule identifies suspicious use of vulnerable binaries like `tar`, `rsync`, and `zip` followed by shell execution, indicating potential exploitation attempts. + +### Possible investigation steps + +- Review the process details to identify the specific command executed, focusing on the process name and arguments, especially those involving `tar`, `rsync`, or `zip` with suspicious flags like `--checkpoint=*`, `-e*`, or `--unzip-command`. +- Examine the parent process information to determine if a shell process (e.g., `bash`, `sh`, `zsh`) was spawned, indicating potential exploitation. +- Check the process execution path to ensure it does not match the exclusion pattern `/tmp/newroot/*`, which might indicate a benign operation. +- Investigate the host's recent activity logs to identify any other suspicious or related events that might indicate a broader attack or compromise. +- Correlate the alert with any other security events or alerts from the same host to assess if this is part of a larger attack pattern or campaign. 
+- Assess the user account associated with the process execution to determine if it has the necessary privileges and if the activity aligns with expected behavior for that account. + +### False positive analysis + +- Legitimate use of tar, rsync, or zip with wildcard-related flags in automated scripts or backup processes can trigger false positives. Review the context of these processes and consider excluding specific scripts or directories from monitoring if they are verified as safe. +- System administrators or maintenance scripts may use shell commands following tar, rsync, or zip for legitimate purposes. Identify these routine operations and create exceptions for known safe parent processes or specific command patterns. +- Development environments or testing scenarios might involve intentional use of wildcard characters for testing purposes. Exclude these environments from the rule or adjust the rule to ignore specific user accounts or process paths associated with development activities. +- Scheduled tasks or cron jobs that involve the use of these binaries with wildcard flags can be mistaken for malicious activity. Verify the legitimacy of these tasks and exclude them based on their schedule or specific command line arguments. +- Security tools or monitoring solutions that simulate attacks for testing or validation purposes might trigger this rule. Ensure these tools are recognized and excluded from monitoring to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement. +- Terminate any suspicious processes identified in the alert, particularly those involving the execution of shell commands following the use of `tar`, `rsync`, or `zip`. +- Conduct a thorough review of the affected system's logs to identify any additional indicators of compromise or unauthorized access attempts. 
+- Restore the affected system from a known good backup if any unauthorized changes or malicious activities are confirmed. +- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. +- Implement file integrity monitoring on critical systems to detect unauthorized changes to system binaries or configuration files. +- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" references = ["https://www.exploit-db.com/papers/33930"] risk_score = 47 rule_id = "0b803267-74c5-444d-ae29-32b5db2d562a" 
@@ -73,64 +106,30 @@ sequence by host.id with maxspan=1s process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] by process.parent.entity_id ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Shell via Wildcard Injection Detected - -Wildcard injection exploits vulnerabilities in Linux command-line utilities by manipulating wildcard characters to execute unauthorized commands. Adversaries leverage this to escalate privileges or execute arbitrary code. The detection rule identifies suspicious use of vulnerable binaries like `tar`, `rsync`, and `zip` followed by shell execution, indicating potential exploitation attempts. - -### Possible investigation steps - -- Review the process details to identify the specific command executed, focusing on the process name and arguments, especially those involving `tar`, `rsync`, or `zip` with suspicious flags like `--checkpoint=*`, `-e*`, or `--unzip-command`. -- Examine the parent process information to determine if a shell process (e.g., `bash`, `sh`, `zsh`) was spawned, indicating potential exploitation. -- Check the process execution path to ensure it does not match the exclusion pattern `/tmp/newroot/*`, which might indicate a benign operation. -- Investigate the host's recent activity logs to identify any other suspicious or related events that might indicate a broader attack or compromise. -- Correlate the alert with any other security events or alerts from the same host to assess if this is part of a larger attack pattern or campaign. 
-- Assess the user account associated with the process execution to determine if it has the necessary privileges and if the activity aligns with expected behavior for that account. - -### False positive analysis - -- Legitimate use of tar, rsync, or zip with wildcard-related flags in automated scripts or backup processes can trigger false positives. Review the context of these processes and consider excluding specific scripts or directories from monitoring if they are verified as safe. -- System administrators or maintenance scripts may use shell commands following tar, rsync, or zip for legitimate purposes. Identify these routine operations and create exceptions for known safe parent processes or specific command patterns. -- Development environments or testing scenarios might involve intentional use of wildcard characters for testing purposes. Exclude these environments from the rule or adjust the rule to ignore specific user accounts or process paths associated with development activities. -- Scheduled tasks or cron jobs that involve the use of these binaries with wildcard flags can be mistaken for malicious activity. Verify the legitimacy of these tasks and exclude them based on their schedule or specific command line arguments. -- Security tools or monitoring solutions that simulate attacks for testing or validation purposes might trigger this rule. Ensure these tools are recognized and excluded from monitoring to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement. -- Terminate any suspicious processes identified in the alert, particularly those involving the execution of shell commands following the use of `tar`, `rsync`, or `zip`. -- Conduct a thorough review of the affected system's logs to identify any additional indicators of compromise or unauthorized access attempts. 
-- Restore the affected system from a known good backup if any unauthorized changes or malicious activities are confirmed. -- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. -- Implement file integrity monitoring on critical systems to detect unauthorized changes to system binaries or configuration files. -- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index 259c129272f..bd74f25d548 100644 --- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,10 +13,52 @@ that can be chosen arbitrarily. By using the sudo privileges, the command "sudo representing the root user. This exploit may work for sudo versions prior to v1.28. """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Sudo Privilege Escalation via CVE-2019-14287" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Sudo Privilege Escalation via CVE-2019-14287 + +CVE-2019-14287 exploits a flaw in certain sudo versions, allowing users to execute commands as root by bypassing user ID verification. Attackers can misuse this to gain unauthorized root access, posing significant security risks. The detection rule identifies suspicious sudo commands indicative of this exploit, focusing on specific command patterns that translate to root execution, thereby alerting security teams to potential privilege escalation attempts. + +### Possible investigation steps + +- Review the alert details to confirm the presence of the suspicious command pattern "sudo -u#-1" in the process arguments, as this is indicative of the CVE-2019-14287 exploit attempt. +- Identify the user account associated with the process execution to determine if the user should have legitimate access to execute commands with elevated privileges. 
+- Examine the process execution timeline to identify any preceding or subsequent suspicious activities that might indicate a broader attack or compromise. +- Check the version of sudo installed on the affected system to verify if it is vulnerable to CVE-2019-14287, specifically versions prior to v1.28. +- Investigate the source IP address and hostname of the affected system to assess if it is part of a larger attack pattern or if there are other systems potentially compromised. +- Review system logs and audit trails for any additional unauthorized access attempts or privilege escalation activities around the time of the alert. +- If possible, isolate the affected system to prevent further unauthorized access while conducting a more thorough forensic analysis. + +### False positive analysis + +- Legitimate administrative tasks using sudo with unconventional user ID arguments may trigger the rule. Review the context of the command execution to determine if it aligns with expected administrative activities. +- Automated scripts or maintenance tools that use sudo with arbitrary user IDs for testing or configuration purposes might be flagged. Identify and document these scripts, then create exceptions in the monitoring system to exclude them from alerts. +- Development environments where developers have elevated privileges for testing purposes could generate false positives. Ensure that such environments are well-documented and consider excluding them from this specific rule if they consistently trigger alerts. +- Security tools or monitoring systems that simulate attacks for testing detection capabilities may inadvertently trigger this rule. Coordinate with security teams to whitelist these tools or adjust their configurations to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker. 
+- Terminate any suspicious processes identified with the command pattern "sudo -u#-1" to halt any ongoing unauthorized activities. +- Conduct a thorough review of system logs and sudo logs to identify any additional unauthorized access attempts or successful privilege escalations. +- Reset passwords and review user accounts on the affected system to ensure no unauthorized accounts have been created or existing accounts have been compromised. +- Apply patches or upgrade sudo to a version later than v1.28 to mitigate the vulnerability exploited by CVE-2019-14287. +- Monitor the network for any signs of data exfiltration or further exploitation attempts, using enhanced logging and alerting mechanisms. +- Report the incident to the appropriate internal security team or external authorities if required, providing them with detailed findings and actions taken.""" references = ["https://www.exploit-db.com/exploits/47502"] risk_score = 47 rule_id = "8af5b42f-8d74-48c8-a8d0-6d14b4197288" 
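Review bot: The sudo version cited twice in the added note (`specifically versions prior to v1.28` in the investigation steps and `upgrade sudo to a version later than v1.28` under remediation) appears to be a typo; the fix for CVE-2019-14287 shipped in sudo 1.8.28, so responders following the guide as written could patch to the wrong release. Suggest changing both bullets to reference `sudo 1.8.28`, and the same `prior to v1.28` wording appears in the rule description in the context lines above the hunk, which should be corrected alongside it. The multi-line `index` list is otherwise a pure reformat of the previous value.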
@@ -69,41 +109,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "sudo" and process.args == "-u#-1" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Sudo Privilege Escalation via CVE-2019-14287 - -CVE-2019-14287 exploits a flaw in certain sudo versions, allowing users to execute commands as root by bypassing user ID verification. Attackers can misuse this to gain unauthorized root access, posing significant security risks. The detection rule identifies suspicious sudo commands indicative of this exploit, focusing on specific command patterns that translate to root execution, thereby alerting security teams to potential privilege escalation attempts. - -### Possible investigation steps - -- Review the alert details to confirm the presence of the suspicious command pattern "sudo -u#-1" in the process arguments, as this is indicative of the CVE-2019-14287 exploit attempt. -- Identify the user account associated with the process execution to determine if the user should have legitimate access to execute commands with elevated privileges. -- Examine the process execution timeline to identify any preceding or subsequent suspicious activities that might indicate a broader attack or compromise. -- Check the version of sudo installed on the affected system to verify if it is vulnerable to CVE-2019-14287, specifically versions prior to v1.28. 
-- Investigate the source IP address and hostname of the affected system to assess if it is part of a larger attack pattern or if there are other systems potentially compromised. -- Review system logs and audit trails for any additional unauthorized access attempts or privilege escalation activities around the time of the alert. -- If possible, isolate the affected system to prevent further unauthorized access while conducting a more thorough forensic analysis. - -### False positive analysis - -- Legitimate administrative tasks using sudo with unconventional user ID arguments may trigger the rule. Review the context of the command execution to determine if it aligns with expected administrative activities. -- Automated scripts or maintenance tools that use sudo with arbitrary user IDs for testing or configuration purposes might be flagged. Identify and document these scripts, then create exceptions in the monitoring system to exclude them from alerts. -- Development environments where developers have elevated privileges for testing purposes could generate false positives. Ensure that such environments are well-documented and consider excluding them from this specific rule if they consistently trigger alerts. -- Security tools or monitoring systems that simulate attacks for testing detection capabilities may inadvertently trigger this rule. Coordinate with security teams to whitelist these tools or adjust their configurations to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker. -- Terminate any suspicious processes identified with the command pattern "sudo -u#-1" to halt any ongoing unauthorized activities. -- Conduct a thorough review of system logs and sudo logs to identify any additional unauthorized access attempts or successful privilege escalations. 
-- Reset passwords and review user accounts on the affected system to ensure no unauthorized accounts have been created or existing accounts have been compromised. -- Apply patches or upgrade sudo to a version later than v1.28 to mitigate the vulnerability exploited by CVE-2019-14287. -- Monitor the network for any signs of data exfiltration or further exploitation attempts, using enhanced logging and alerting mechanisms. -- Report the incident to the appropriate internal security team or external authorities if required, providing them with detailed findings and actions taken.""" [[rule.threat]] diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml index 110652ad38b..959c700af03 100644 --- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml +++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,39 @@ index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.process*", "logs-sent language = "eql" license = "Elastic License v2" name = "Namespace Manipulation Using Unshare" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Namespace Manipulation Using Unshare + +The `unshare` command in Linux is used to create new namespaces, isolating processes from the rest of the system. This isolation is crucial for containerization and security. However, attackers can exploit `unshare` to break out of containers or elevate privileges by creating namespaces that bypass security controls. The detection rule identifies suspicious `unshare` executions by monitoring process starts, filtering out benign parent processes, and focusing on unusual usage patterns, thus highlighting potential misuse. + +### Possible investigation steps + +- Review the process tree to understand the context of the unshare execution, focusing on the parent process and any child processes spawned by unshare. +- Investigate the user account associated with the unshare execution to determine if it is a legitimate user or potentially compromised. +- Examine the command-line arguments used with unshare to identify any unusual or suspicious options that may indicate an attempt to bypass security controls. +- Check for any recent changes or anomalies in the system logs around the time of the unshare execution to identify potential indicators of compromise or privilege escalation attempts. +- Correlate the unshare event with other security alerts or logs to determine if it is part of a larger attack pattern or campaign. 
+ +### False positive analysis + +- System management tools like udevadm and systemd-udevd may invoke unshare as part of their normal operations. These should be excluded by ensuring the rule filters out processes with these as parent executables. +- Snap package management can trigger unshare during its operations. Exclude processes where the arguments include /usr/bin/snap to prevent unnecessary alerts. +- Java applications might occasionally use unshare for legitimate purposes. Exclude processes with java as the parent name to reduce false positives. +- Custom scripts or administrative tasks that use unshare for legitimate namespace management should be reviewed and, if deemed safe, added to the exclusion list to prevent repeated alerts. + +### Response and remediation + +- Immediately isolate the affected system to prevent further unauthorized access or lateral movement within the network. +- Terminate any suspicious processes associated with the `unshare` command that do not have legitimate parent processes or arguments, as identified in the detection query. +- Conduct a thorough review of system logs and process trees to identify any additional unauthorized or suspicious activities that may have occurred in conjunction with the `unshare` execution. +- Revoke any unauthorized access or privileges that may have been granted as a result of the namespace manipulation, ensuring that all user and process permissions are appropriately restricted. +- Restore the affected system from a known good backup if any unauthorized changes or damage to the system integrity are detected. +- Implement additional monitoring and alerting for unusual `unshare` usage patterns to enhance detection capabilities and prevent future occurrences. 
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised.""" references = [ "https://man7.org/linux/man-pages/man1/unshare.1.html", "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/", 
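Review bot: The false-positive section of the added note does not match the exclusions the query actually applies: it tells analysts to exclude processes whose `arguments include /usr/bin/snap`, whereas the query (context in the following hunk) uses an exact `process.args == "/usr/bin/snap"` comparison, and the `zz-proxmox-boot` parent-name exclusion present in the query is not mentioned at all. Suggest rewording the snap bullet to `Exclude processes where process.args equals /usr/bin/snap` and adding a bullet such as `- The zz-proxmox-boot parent process is already excluded by the rule; verify any additional Proxmox tooling before adding further exceptions.` so that triage staff can see which exclusions already exist before creating new ones.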
@@ -81,39 +112,6 @@ process.executable: "/usr/bin/unshare" and not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") and not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox-boot", "java") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Namespace Manipulation Using Unshare - -The `unshare` command in Linux is used to create new namespaces, isolating processes from the rest of the system. This isolation is crucial for containerization and security. However, attackers can exploit `unshare` to break out of containers or elevate privileges by creating namespaces that bypass security controls. The detection rule identifies suspicious `unshare` executions by monitoring process starts, filtering out benign parent processes, and focusing on unusual usage patterns, thus highlighting potential misuse. - -### Possible investigation steps - -- Review the process tree to understand the context of the unshare execution, focusing on the parent process and any child processes spawned by unshare. -- Investigate the user account associated with the unshare execution to determine if it is a legitimate user or potentially compromised. -- Examine the command-line arguments used with unshare to identify any unusual or suspicious options that may indicate an attempt to bypass security controls. -- Check for any recent changes or anomalies in the system logs around the time of the unshare execution to identify potential indicators of compromise or privilege escalation attempts. 
-- Correlate the unshare event with other security alerts or logs to determine if it is part of a larger attack pattern or campaign. - -### False positive analysis - -- System management tools like udevadm and systemd-udevd may invoke unshare as part of their normal operations. These should be excluded by ensuring the rule filters out processes with these as parent executables. -- Snap package management can trigger unshare during its operations. Exclude processes where the arguments include /usr/bin/snap to prevent unnecessary alerts. -- Java applications might occasionally use unshare for legitimate purposes. Exclude processes with java as the parent name to reduce false positives. -- Custom scripts or administrative tasks that use unshare for legitimate namespace management should be reviewed and, if deemed safe, added to the exclusion list to prevent repeated alerts. - -### Response and remediation - -- Immediately isolate the affected system to prevent further unauthorized access or lateral movement within the network. -- Terminate any suspicious processes associated with the `unshare` command that do not have legitimate parent processes or arguments, as identified in the detection query. -- Conduct a thorough review of system logs and process trees to identify any additional unauthorized or suspicious activities that may have occurred in conjunction with the `unshare` execution. -- Revoke any unauthorized access or privileges that may have been granted as a result of the namespace manipulation, ensuring that all user and process permissions are appropriately restricted. -- Restore the affected system from a known good backup if any unauthorized changes or damage to the system integrity are detected. -- Implement additional monitoring and alerting for unusual `unshare` usage patterns to enhance detection capabilities and prevent future occurrences. 
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised.""" [[rule.threat]] diff --git a/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml b/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml new file mode 100644 index 00000000000..cd1e4aa5a67 --- /dev/null +++ b/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml 
@@ -0,0 +1,104 @@
+[metadata]
+creation_date = "2025/03/25"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/04/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the unusual occurrence of outbound network connections to suspicious top level domains.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Network Connection to Suspicious Top Level Domain"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Network Connection to Suspicious Top Level Domain
+
+In macOS environments, network connections are essential for communication and data exchange. Adversaries exploit this by connecting to suspicious top-level domains (TLDs) for command and control activities. The detection rule identifies unusual outbound connections to these TLDs, signaling potential threats. By monitoring specific domains, it helps detect and mitigate malicious activities early.
+
+### Possible investigation steps
+
+- Review the destination domain involved in the alert to determine if it is associated with known malicious activities or if it has been flagged in threat intelligence databases.
+- Analyze the network traffic details related to the connection, including the source IP address and the volume of data transferred, to assess the nature and intent of the communication.
+- Check the host system's recent activity logs for any unusual processes or applications that initiated the network connection, focusing on the event.type "start" to identify the triggering process.
+- Investigate the user account associated with the host to determine if there have been any unauthorized access attempts or anomalies in user behavior.
+- Correlate the alert with other security events or alerts from the same host or network segment to identify potential patterns or coordinated activities.
+- Consult with threat intelligence sources or security forums to gather additional context on the specific top-level domain and its potential use in command and control operations.
+
+### False positive analysis
+
+- Legitimate business domains may use TLDs like .online or .store for marketing purposes. Review the domain's reputation and business context before marking it as a threat.
+- Personal or small business websites might use TLDs such as .fun or .life. Verify the domain ownership and usage to determine if it is a false positive.
+- Some educational or community projects might use TLDs like .club or .space. Check the domain's content and purpose to assess its legitimacy.
+- Exclude known safe domains by adding them to an allowlist in your monitoring tool to prevent repeated false positives.
+- Regularly update the allowlist based on user feedback and network behavior analysis to ensure it remains accurate and effective.
+
+### Response and remediation
+
+- Immediately isolate the affected macOS device from the network to prevent further communication with the suspicious domain.
+- Conduct a thorough review of the network logs to identify any additional devices that may have communicated with the same suspicious domains and isolate them if necessary.
+- Use endpoint security tools to perform a full malware scan on the affected device to identify and remove any malicious software.
+- Reset credentials and review access permissions for any accounts that were active on the affected device to prevent unauthorized access.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if the threat is part of a larger attack campaign.
+- Implement network-level blocking of the identified suspicious domains to prevent future connections from any device within the network.
+- Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to enhance detection and blocking of similar threats in the future.
+"""
+risk_score = 47
+rule_id = "ffa676dc-09b0-11f0-94ba-b66272739ecb"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.category : "network" and host.os.type : "macos" and event.type : "start" and
+destination.domain : (*.team or *.lol or *.kr or *.ke or *.nu or *.space or
+ *.capital or *.in or *.cfd or *.online or *.ru or
+ *.info or *.top or *.buzz or *.xyz or *.rest or
+ *.ml or *.cf or *.gq or *.ga or *.onion or
+ *.network or *.monster or *.marketing or *.cyou or
+ *.quest or *.cc or *.bar or *.click or *.cam or
+ *.surf or *.tk or *.shop or *.club or *.icu or
+ *.pw or *.ws or *.hair or *.mom or
+ *.beauty or *.boats or *.fun or *.life or
+ *.store)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.executable", "destination.domain"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
diff --git a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
new file mode 100644
index 00000000000..8da64a145eb
--- /dev/null
+++ b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
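Review bot: Several TLDs in `query` carry large volumes of legitimate traffic — `*.kr`, `*.in`, `*.ru`, `*.cc`, `*.ws` and `*.info` — but the false-positive section only discusses `.online`, `.store`, `.fun`, `.life`, `.club` and `.space`, so the entries most likely to page an analyst get no tuning guidance. I'd add a bullet such as `- Country-code TLDs such as .kr, .in and .ru, and generic TLDs such as .info and .cc, are widely used by legitimate services; add exceptions for the organization's known business domains under those TLDs rather than dropping the TLD from the query.` Two smaller points: the investigation step that says to focus on `event.type "start"` to identify the triggering process should point analysts at `process.executable`, which is the field the new-terms tuple (`host.id`, `process.executable`, `destination.domain`) actually keys on; and since the query matches only on `destination.domain`, connections made straight to an IP address presumably never populate that field and fall outside this rule, which is worth stating in the guide so the rule is paired with IP-based detections.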
@@ -0,0 +1,194 @@
+[metadata]
+creation_date = "2025/03/26"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/04/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Network Connection to Suspicious Web Service"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Network Connection to Suspicious Web Service
+
+In macOS environments, network connections to web services are routine for data sharing and collaboration. However, adversaries exploit these services for command and control by disguising malicious traffic as legitimate. The detection rule identifies unusual outbound connections to known suspicious domains, flagging potential misuse by monitoring specific domain patterns and connection events, thus aiding in early threat detection.
+
+### Possible investigation steps
+
+- Review the destination domain and process executable from the alert to determine if it matches any expected web service communication.
+- Check the event.category and event.type fields to confirm the nature of the network connection and ensure it aligns with the expected behavior of a macOS system.
+- Investigate the source host identified by host.os.type to gather information about its recent activities, installed applications, and any potential indicators of compromise.
+- Analyze network traffic logs for the source host to identify any other unusual or suspicious outbound connections that may indicate a broader compromise.
+- Correlate the alert with other security events or alerts from the same host or network segment to identify patterns or related incidents.
+- Consult threat intelligence sources to gather additional context on the flagged domain and assess its reputation and history of malicious activity.
+
+### False positive analysis
+
+- Frequent access to legitimate cloud storage services like Google Drive or Dropbox for routine file sharing can trigger false positives. Users can create exceptions for specific domains or IP addresses known to be safe and frequently accessed by their organization.
+- Automated backup services that use domains such as OneDrive or SharePoint may be flagged. To mitigate this, identify and whitelist the specific services or applications that are part of regular backup operations.
+- Collaboration tools like Slack or Discord, used for legitimate communication, might be mistakenly flagged. Users should review and whitelist these domains if they are part of standard business operations.
+- URL shorteners like bit.ly or tinyurl.com used in marketing or communication campaigns can cause false alerts. Establish a list of trusted shortener services and exclude them from monitoring if they are regularly used by the organization.
+- Development and testing environments using services like ngrok or localtunnel for temporary public URLs can be misidentified. Ensure these environments are documented and excluded from the rule if they are part of normal development workflows.
+
+### Response and remediation
+
+- Immediately isolate the affected macOS device from the network to prevent further communication with the suspicious domains.
+- Conduct a thorough review of the network logs to identify any data exfiltration attempts or additional suspicious connections originating from the isolated device.
+- Remove any unauthorized or suspicious applications or scripts found on the device that may be facilitating the outbound connections.
+- Update the device's security software and perform a full system scan to detect and remove any malware or unauthorized software.
+- Reset credentials and review access permissions for the affected user accounts to prevent unauthorized access.
+- Monitor the network for any further attempts to connect to the flagged domains and ensure that alerts are configured to notify security teams of any recurrence.
+- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if the threat is part of a larger attack campaign.
+"""
+risk_score = 47
+rule_id = "b07f0fba-0a78-11f0-8311-b66272739ecb"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.category : "network" and host.os.type : "macos" and event.type : "start" and
+destination.domain : (
+ pastebin.* or
+ paste.ee or
+ ghostbin.com or
+ drive.google.com or
+ ?.docs.live.net or
+ api.dropboxapi.* or
+ content.dropboxapi.* or
+ *dl.dropboxusercontent.* or
+ api.onedrive.com or
+ *.onedrive.org or
+ onedrive.live.com or
+ filebin.net or
+ *.ngrok.io or
+ ngrok.com or
+ *.portmap.* or
+ *serveo.net or
+ *localtunnel.me or
+ *pagekite.me or
+ *localxpose.io or
+ *notabug.org or
+ rawcdn.githack.* or
+ paste.nrecom.net or
+ zerobin.net or
+ controlc.com or
+ requestbin.net or
+ api.slack.com or
+ slack-redir.net or
+ slack-files.com or
+ cdn.discordapp.com or
+ discordapp.com or
+ discord.com or
+ apis.azureedge.net or
+ cdn.sql.gg or
+ ?.top4top.io or
+ top4top.io or
+ uplooder.net or
+ *.cdnmegafiles.com or
+ transfer.sh or
+ updates.peer2profit.com or
+ api.telegram.org or
+ t.me or
+ meacz.gq or
+ rwrd.org or
+ *.publicvm.com or
+ *.blogspot.com or
+ api.mylnikov.org or
+ script.google.com or
+ script.googleusercontent.com or
+ paste4btc.com or
+ workupload.com or
+ temp.sh or
+ filetransfer.io or
+ gofile.io or
+ store?.gofile.io or
+ tiny.one or
+ api.notion.com or
+ *.sharepoint.com or
+ *upload.ee or
+ bit.ly or
+ t.ly or
+ cutt.ly or
+ mbasic.facebook.com or
+ api.gofile.io or
+ file.io or
+ api.anonfiles.com or
+ api.trello.com or
+ gist.githubusercontent.com or
+ dpaste.com or
+ *azurewebsites.net or
+ *.zulipchat.com or
+ *.4shared.com or
+ filecloud.me or
+ i.ibb.co or
+ files.catbox.moe or
+ *.getmyip.com or
+ mockbin.org or
+ webhook.site or
+ run.mocky.io or
+ *infinityfreeapp.com or
+ free.keep.sh or
+ tinyurl.com or
+ ftpupload.net or
+ lobfile.com or
+ *.ngrok-free.app or
+ myexternalip.com or
+ yandex.ru or
+ *.yandex.ru or
+ *.aternos.me or
+ cdn??.space or
+ *.pcloud.com or
+ mediafire.zip or
+ urlz.fr or
+ rentry.co or
+ *.b-cdn.net or
+ pastecode.dev or
+ i.imgur.com or
+ the.earth.li or
+ *.trycloudflare.com
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.executable", "destination.domain"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
\ No newline at end of file
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index d262945a716..999853954af 100644
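Review bot: The investigation step `- Investigate the source host identified by host.os.type ...` points at the wrong field: `host.os.type` only carries the constant `macos` that the query filters on, so it cannot identify a host; the identifier is `host.id` (already one of the `new_terms_fields`) or `host.name`, and I'd reword it to `- Investigate the source host identified by host.id / host.name to gather information about its recent activities, installed applications, and any potential indicators of compromise.` Separately, several patterns omit the dot before the domain — `*serveo.net`, `*localtunnel.me`, `*pagekite.me`, `*localxpose.io`, `*notabug.org`, `*upload.ee`, `*azurewebsites.net`, `*infinityfreeapp.com` — so they match any hostname ending in that string (`*upload.ee` also matches `notupload.ee`); if subdomain matching is the intent, the `*.ngrok.io` form used elsewhere in the same list is the precise one. The file is also missing its trailing newline (`\ No newline at end of file`), unlike the sibling rule added in this commit.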
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 50
@@ -24,6 +22,42 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_rare_metadata_process"]
 name = "Unusual Windows Process Calling the Metadata Service"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Windows Process Calling the Metadata Service
+
+In cloud environments, the metadata service provides essential instance information, including credentials and configuration data. Adversaries may exploit this by using atypical Windows processes to access the service, aiming to extract sensitive information. The detection rule leverages machine learning to identify anomalies in process behavior, flagging potential credential access attempts by unusual processes.
+
+### Possible investigation steps
+
+- Review the process name and command line arguments associated with the alert to identify any unusual or suspicious activity.
+- Check the parent process of the flagged process to understand the context of how it was initiated and assess if it aligns with expected behavior.
+- Investigate the user account under which the process was executed to determine if it has legitimate access to the metadata service or if it has been compromised.
+- Analyze network logs to identify any outbound connections to the metadata service from the flagged process, noting any unusual patterns or destinations.
+- Cross-reference the process and user activity with recent changes or deployments in the environment to rule out false positives related to legitimate administrative actions.
+- Consult threat intelligence sources to see if the process or command line arguments have been associated with known malicious activity or campaigns.
+
+### False positive analysis
+
+- Routine system updates or maintenance scripts may trigger the rule. Review the process details and verify if they align with scheduled maintenance activities. If confirmed, consider adding these processes to an exception list.
+- Legitimate software or security tools that access the metadata service for configuration purposes might be flagged. Identify these tools and create exceptions for their known processes to prevent future alerts.
+- Automated backup or monitoring solutions that interact with the metadata service could be misidentified as threats. Validate these processes and exclude them if they are part of authorized operations.
+- Custom scripts developed in-house for cloud management tasks may access the metadata service. Ensure these scripts are documented and, if safe, add them to the list of exceptions to reduce false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the unusual process accessing the metadata service to stop any ongoing credential harvesting attempts.
+- Conduct a thorough review of the system's event logs and process history to identify any additional indicators of compromise or related malicious activity.
+- Change all credentials that may have been exposed or accessed through the metadata service to mitigate the risk of unauthorized access.
+- Implement network segmentation to limit access to the metadata service, ensuring only authorized processes and users can interact with it.
+- Escalate the incident to the security operations center (SOC) for further analysis and to determine if the threat is part of a larger attack campaign.
+- Update and enhance endpoint detection and response (EDR) solutions to improve monitoring and alerting for similar anomalous process behaviors in the future."""
+risk_score = 21
+rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b"
 setup = """## Setup
 
 This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
@@ -68,8 +102,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat
 - Click “Save and Continue”.
 - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
 """
-risk_score = 21
-rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b"
 severity = "low"
 tags = [
 "Domain: Endpoint",
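Review bot: The remediation bullet `- Implement network segmentation to limit access to the metadata service, ensuring only authorized processes and users can interact with it.` is misleading as written: the instance metadata service is a link-local endpoint reached from inside the instance, so segmentation between hosts does not restrict it. The effective controls live on the instance itself — requiring IMDSv2 with a hop limit of 1 on AWS, or host-firewall rules limiting which local accounts and processes may reach 169.254.169.254 — and I'd reword the bullet to name them. The investigation steps would also be more actionable if they named that link-local address (or the provider-specific metadata hostname) as the destination to pivot on in process and network logs; the job id `v3_windows_rare_metadata_process` suggests the job already scopes to that destination, but the job definition is not visible in this diff.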
@@ -81,40 +113,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Windows Process Calling the Metadata Service - -In cloud environments, the metadata service provides essential instance information, including credentials and configuration data. Adversaries may exploit this by using atypical Windows processes to access the service, aiming to extract sensitive information. The detection rule leverages machine learning to identify anomalies in process behavior, flagging potential credential access attempts by unusual processes. - -### Possible investigation steps - -- Review the process name and command line arguments associated with the alert to identify any unusual or suspicious activity. -- Check the parent process of the flagged process to understand the context of how it was initiated and assess if it aligns with expected behavior. -- Investigate the user account under which the process was executed to determine if it has legitimate access to the metadata service or if it has been compromised. -- Analyze network logs to identify any outbound connections to the metadata service from the flagged process, noting any unusual patterns or destinations. -- Cross-reference the process and user activity with recent changes or deployments in the environment to rule out false positives related to legitimate administrative actions. -- Consult threat intelligence sources to see if the process or command line arguments have been associated with known malicious activity or campaigns. 
- -### False positive analysis - -- Routine system updates or maintenance scripts may trigger the rule. Review the process details and verify if they align with scheduled maintenance activities. If confirmed, consider adding these processes to an exception list. -- Legitimate software or security tools that access the metadata service for configuration purposes might be flagged. Identify these tools and create exceptions for their known processes to prevent future alerts. -- Automated backup or monitoring solutions that interact with the metadata service could be misidentified as threats. Validate these processes and exclude them if they are part of authorized operations. -- Custom scripts developed in-house for cloud management tasks may access the metadata service. Ensure these scripts are documented and, if safe, add them to the list of exceptions to reduce false positives. - -### Response and remediation - -- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate the unusual process accessing the metadata service to stop any ongoing credential harvesting attempts. -- Conduct a thorough review of the system's event logs and process history to identify any additional indicators of compromise or related malicious activity. -- Change all credentials that may have been exposed or accessed through the metadata service to mitigate the risk of unauthorized access. -- Implement network segmentation to limit access to the metadata service, ensuring only authorized processes and users can interact with it. -- Escalate the incident to the security operations center (SOC) for further analysis and to determine if the threat is part of a larger attack campaign. -- Update and enhance endpoint detection and response (EDR) solutions to improve monitoring and alerting for similar anomalous process behaviors in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 5c56c751c2a..885dc3a8271 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 75
@@ -24,6 +22,44 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_rare_metadata_user"]
 name = "Unusual Windows User Calling the Metadata Service"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Windows User Calling the Metadata Service
+
+Cloud platforms provide a metadata service that allows instances to access configuration data, including credentials. Adversaries may exploit this by using compromised Windows accounts to query the service, aiming to harvest sensitive information. The detection rule leverages machine learning to identify atypical access patterns by Windows users, flagging potential credential access attempts.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific Windows user account involved in the unusual access to the metadata service.
+- Check the timestamp of the access attempt to correlate with any known scheduled tasks or legitimate user activities.
+- Investigate the source IP address and device from which the metadata service was accessed to determine if it aligns with expected user behavior or known assets.
+- Examine recent login and access logs for the identified user account to detect any other suspicious activities or anomalies.
+- Assess whether there have been any recent changes to the user's permissions or roles that could explain the access attempt.
+- Look for any other alerts or incidents involving the same user account or device to identify potential patterns of malicious behavior.
+- Consult with the user or their manager to verify if the access was legitimate or if the account may have been compromised.
+
+### False positive analysis
+
+- Routine administrative tasks by IT personnel may trigger alerts. Review access logs to confirm legitimate administrative actions and consider whitelisting specific user accounts or IP addresses.
+- Automated scripts or scheduled tasks that query the metadata service for configuration updates can be mistaken for suspicious activity. Identify these scripts and exclude them from the rule by adding them to an exception list.
+- Cloud management tools that regularly access the metadata service for monitoring or configuration purposes might be flagged. Verify these tools and create exceptions for their known access patterns.
+- Instances where legitimate software updates or patch management processes access the metadata service should be reviewed. Document these processes and exclude them from triggering alerts.
+- Temporary access by third-party vendors or consultants may appear unusual. Ensure their access is documented and create temporary exceptions during their engagement period.
+
+### Response and remediation
+
+- Immediately isolate the affected Windows system from the network to prevent further unauthorized access to the metadata service.
+- Revoke any potentially compromised credentials identified during the investigation and issue new credentials to affected users.
+- Conduct a thorough review of access logs to identify any unauthorized data access or exfiltration attempts from the metadata service.
+- Implement additional monitoring on the affected system and similar systems to detect any further anomalous access attempts.
+- Escalate the incident to the security operations center (SOC) for a deeper investigation into potential lateral movement or other compromised systems.
+- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
+- Review and enhance access controls and permissions for the metadata service to ensure only authorized users can access sensitive information."""
+risk_score = 21
+rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
 setup = """## Setup
 
 This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
@@ -68,8 +104,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat
 - Click “Save and Continue”.
 - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
 """
-risk_score = 21
-rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
 severity = "low"
 tags = [
 "Domain: Endpoint",
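Review bot: The remediation step `- Revoke any potentially compromised credentials identified during the investigation and issue new credentials to affected users.` covers only user accounts, but what the metadata service hands out is the instance's own role or managed-identity token, so a confirmed hit also requires rotating or revoking the credentials that role could obtain (for example revoking active sessions for the instance profile role on AWS and letting the instance fetch fresh ones); I'd add that as a separate bullet directly after the existing one. The false-positive advice to whitelist `IP addresses` is of little use for this job, since requests to the metadata endpoint originate from the instance's own link-local interface; exceptions are better scoped to the user and host pair that `v3_windows_rare_metadata_user` presumably models. The investigation step about the `source IP address ... from which the metadata service was accessed` has the same problem and would be better phrased in terms of the host and the calling process.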
@@ -81,42 +115,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Windows User Calling the Metadata Service - -Cloud platforms provide a metadata service that allows instances to access configuration data, including credentials. Adversaries may exploit this by using compromised Windows accounts to query the service, aiming to harvest sensitive information. The detection rule leverages machine learning to identify atypical access patterns by Windows users, flagging potential credential access attempts. - -### Possible investigation steps - -- Review the alert details to identify the specific Windows user account involved in the unusual access to the metadata service. -- Check the timestamp of the access attempt to correlate with any known scheduled tasks or legitimate user activities. -- Investigate the source IP address and device from which the metadata service was accessed to determine if it aligns with expected user behavior or known assets. -- Examine recent login and access logs for the identified user account to detect any other suspicious activities or anomalies. -- Assess whether there have been any recent changes to the user's permissions or roles that could explain the access attempt. -- Look for any other alerts or incidents involving the same user account or device to identify potential patterns of malicious behavior. -- Consult with the user or their manager to verify if the access was legitimate or if the account may have been compromised. - -### False positive analysis - -- Routine administrative tasks by IT personnel may trigger alerts. 
Review access logs to confirm legitimate administrative actions and consider whitelisting specific user accounts or IP addresses. -- Automated scripts or scheduled tasks that query the metadata service for configuration updates can be mistaken for suspicious activity. Identify these scripts and exclude them from the rule by adding them to an exception list. -- Cloud management tools that regularly access the metadata service for monitoring or configuration purposes might be flagged. Verify these tools and create exceptions for their known access patterns. -- Instances where legitimate software updates or patch management processes access the metadata service should be reviewed. Document these processes and exclude them from triggering alerts. -- Temporary access by third-party vendors or consultants may appear unusual. Ensure their access is documented and create temporary exceptions during their engagement period. - -### Response and remediation - -- Immediately isolate the affected Windows system from the network to prevent further unauthorized access to the metadata service. -- Revoke any potentially compromised credentials identified during the investigation and issue new credentials to affected users. -- Conduct a thorough review of access logs to identify any unauthorized data access or exfiltration attempts from the metadata service. -- Implement additional monitoring on the affected system and similar systems to detect any further anomalous access attempts. -- Escalate the incident to the security operations center (SOC) for a deeper investigation into potential lateral movement or other compromised systems. -- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. -- Review and enhance access controls and permissions for the metadata service to ensure only authorized users can access sensitive information.""" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index b347de57fa9..af93615b61d 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 50
@@ -24,6 +22,47 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_script"] name = "Suspicious Powershell Script" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Powershell Script + +PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries often exploit its capabilities to execute malicious scripts, leveraging obfuscation to evade detection. The 'Suspicious Powershell Script' detection rule employs machine learning to identify unusual script characteristics, such as obfuscation, indicating potential threats. By analyzing these anomalies, the rule aids in early threat detection and mitigation. + +### Possible investigation steps + +- Review the alert details to identify the specific PowerShell script or command that triggered the detection, focusing on any obfuscated elements. +- Examine the source endpoint and user account associated with the alert to determine if the activity aligns with expected behavior or if it appears suspicious. +- Check the execution history on the affected endpoint for any other unusual or unauthorized PowerShell commands or scripts executed around the same time. +- Investigate the network activity from the source endpoint to identify any connections to known malicious IP addresses or domains. +- Correlate the alert with other security events or logs, such as antivirus alerts or firewall logs, to gather additional context and assess the potential impact. 
+- Consult threat intelligence sources to determine if the detected script or its components are associated with known malware or attack campaigns. + +### False positive analysis + +- Legitimate administrative scripts may trigger the rule due to obfuscation techniques used for efficiency or security. Review the script's purpose and source to determine its legitimacy. +- Automated deployment tools often use PowerShell scripts that appear obfuscated. Identify and whitelist these tools to prevent unnecessary alerts. +- Security software updates might use obfuscated scripts for protection against tampering. Verify the update source and add exceptions for known trusted vendors. +- Custom scripts developed in-house for specific tasks may use obfuscation for intellectual property protection. Document and exclude these scripts after confirming their safety. +- Regularly review and update the list of exceptions to ensure that only verified non-threatening scripts are excluded, maintaining the effectiveness of the detection rule. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity. +- Terminate any suspicious PowerShell processes identified on the affected system to halt the execution of potentially harmful scripts. +- Conduct a thorough review of the PowerShell script logs and execution history on the affected system to identify any unauthorized or malicious commands executed. +- Restore the affected system from a known good backup if any malicious activity is confirmed, ensuring that the backup is free from compromise. +- Update and patch the affected system to the latest security standards to close any vulnerabilities that may have been exploited. +- Implement enhanced monitoring for PowerShell activity across the network, focusing on detecting obfuscation and unusual script characteristics. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6" setup = """## Setup This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: @@ -68,12 +107,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - Click “Save and Continue”. - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6" severity = "low" tags = [ "Domain: Endpoint", 
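Review bot: The false-positive guidance in the relocated `note` says `Identify and whitelist these tools to prevent unnecessary alerts.`, while the corresponding guidance added for persistence_ml_windows_anomalous_path_activity.toml says `add them to an allowlist`, and that rule's remediation step says `Implement application whitelisting`. The investigation guides shipped in one change should settle on a single term; `Identify and allowlist these tools to prevent unnecessary alerts.` here and `Implement application allowlisting` there keeps the meaning and removes the inconsistency. The `note` itself is a move, so its content is otherwise not re-reviewed here.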
@@ -85,41 +118,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Powershell Script - -PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries often exploit its capabilities to execute malicious scripts, leveraging obfuscation to evade detection. The 'Suspicious Powershell Script' detection rule employs machine learning to identify unusual script characteristics, such as obfuscation, indicating potential threats. By analyzing these anomalies, the rule aids in early threat detection and mitigation. - -### Possible investigation steps - -- Review the alert details to identify the specific PowerShell script or command that triggered the detection, focusing on any obfuscated elements. -- Examine the source endpoint and user account associated with the alert to determine if the activity aligns with expected behavior or if it appears suspicious. -- Check the execution history on the affected endpoint for any other unusual or unauthorized PowerShell commands or scripts executed around the same time. -- Investigate the network activity from the source endpoint to identify any connections to known malicious IP addresses or domains. -- Correlate the alert with other security events or logs, such as antivirus alerts or firewall logs, to gather additional context and assess the potential impact. -- Consult threat intelligence sources to determine if the detected script or its components are associated with known malware or attack campaigns. 
- -### False positive analysis - -- Legitimate administrative scripts may trigger the rule due to obfuscation techniques used for efficiency or security. Review the script's purpose and source to determine its legitimacy. -- Automated deployment tools often use PowerShell scripts that appear obfuscated. Identify and whitelist these tools to prevent unnecessary alerts. -- Security software updates might use obfuscated scripts for protection against tampering. Verify the update source and add exceptions for known trusted vendors. -- Custom scripts developed in-house for specific tasks may use obfuscation for intellectual property protection. Document and exclude these scripts after confirming their safety. -- Regularly review and update the list of exceptions to ensure that only verified non-threatening scripts are excluded, maintaining the effectiveness of the detection rule. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity. -- Terminate any suspicious PowerShell processes identified on the affected system to halt the execution of potentially harmful scripts. -- Conduct a thorough review of the PowerShell script logs and execution history on the affected system to identify any unauthorized or malicious commands executed. -- Restore the affected system from a known good backup if any malicious activity is confirmed, ensuring that the backup is free from compromise. -- Update and patch the affected system to the latest security standards to close any vulnerabilities that may have been exploited. -- Implement enhanced monitoring for PowerShell activity across the network, focusing on detecting obfuscation and unusual script characteristics. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index c57a450b45d..e0e85483f1c 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 50
@@ -30,6 +28,17 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_user_name"] name = "Unusual Windows Username" +note = """## Triage and analysis + +### Investigating Unusual Windows Username +Detection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity? +- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.""" +references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5" setup = """## Setup This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: 
@@ -74,17 +83,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - Click “Save and Continue”. - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ -note = """## Triage and analysis - -### Investigating Unusual Windows Username -Detection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation: -- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity? -- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. -- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing. -- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.""" -references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] -risk_score = 21 -rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index f283dc1c60d..b4a53fb620b 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 50
@@ -25,6 +23,15 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_rare_user_type10_remote_login"]
 name = "Unusual Windows Remote User"
+note = """## Triage and analysis
+
+### Investigating Unusual Windows Remote User
+Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
+- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
+- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
 setup = """## Setup
 
 This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
@@ -69,15 +76,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat
 - Click “Save and Continue”.
 - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
 """
-note = """## Triage and analysis
-
-### Investigating Unusual Windows Remote User
-Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
-- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
-- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
 severity = "low"
 tags = [
     "Domain: Endpoint",
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 144f452f579..1aa71877419 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 50
@@ -22,6 +20,20 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_network_activity"] name = "Unusual Windows Network Activity" +note = """## Triage and analysis + +### Investigating Unusual Windows Network Activity +Detection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation: +- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? +- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses. +- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program? +- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. 
+- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.""" +references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc" setup = """## Setup This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: 
@@ -66,20 +78,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - Click “Save and Continue”. - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ -note = """## Triage and analysis - -### Investigating Unusual Windows Network Activity -Detection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation: -- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? -- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses. -- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program? -- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. -- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. -- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. 
-- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools."""
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc"
 severity = "low"
 tags = [
     "Domain: Endpoint",
diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index 4c1b8cae645..01907278868 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -51,50 +49,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_rare_process_by_host_windows"] name = "Unusual Process For a Windows Host" -setup = """## Setup - -This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: -- Elastic Defend -- Windows - -### Anomaly Detection Setup - -Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). - -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). - -#### The following steps should be executed in order to add the Elastic Defend integration to your system: -- Go to the Kibana home page and click "Add integrations". -- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. -- Click "Add Elastic Defend". -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). -- Click "Save and Continue". -- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - -### Windows Integration Setup -The Windows integration allows you to monitor the Windows OS, services, applications, and more. - -#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: -- Go to the Kibana home page and click “Add integrations”. -- In the query bar, search for “Windows” and select the integration to see more details about it. -- Click “Add Windows”. -- Configure the integration name and optionally add a description. -- Review optional and advanced settings accordingly. -- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. -- Click “Save and Continue”. -- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). -""" note = """## Triage and analysis ### Investigating Unusual Process For a Windows Host 
@@ -159,6 +113,50 @@ This rule uses a machine learning job to detect a Windows process that is rare a references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" severity = "low" tags = [ "Domain: Endpoint", 
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index 413b60866ec..ce8453a6836 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 50
@@ -27,6 +25,44 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_path_activity"] name = "Unusual Windows Path Activity" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Windows Path Activity + +In corporate Windows environments, software is typically managed centrally, making execution from user or temporary directories uncommon. Adversaries exploit this by running malware from these atypical paths, bypassing standard security measures. The 'Unusual Windows Path Activity' detection rule leverages machine learning to identify such anomalies, flagging potential persistence or execution tactics used by attackers. + +### Possible investigation steps + +- Review the process name and path to determine if it is a known legitimate application or a suspicious executable. +- Check the parent process to understand how the process was initiated and if it correlates with expected user behavior or known software installations. +- Investigate the user account associated with the process execution to verify if the activity aligns with their typical usage patterns or if it appears anomalous. +- Examine the file hash of the executable to see if it matches known malware signatures or if it has been flagged by any threat intelligence sources. +- Look into recent file modifications or creations in the directory from which the process was executed to identify any additional suspicious files or scripts. +- Analyze network connections initiated by the process to detect any unusual or unauthorized external communications. 
+ +### False positive analysis + +- Software updates or installations by IT staff can trigger alerts when executed from temporary directories. To manage this, create exceptions for known IT processes or scripts that are regularly used for legitimate software deployment. +- Some legitimate applications may temporarily execute components from user directories during updates or initial setup. Identify these applications and add them to an allowlist to prevent unnecessary alerts. +- Developers or power users might run scripts or applications from non-standard directories for testing purposes. Establish a policy to document and approve such activities, and configure exceptions for these known cases. +- Automated tasks or scripts that are scheduled to run from user directories can be mistaken for malicious activity. Review and document these tasks, then configure the detection rule to exclude them from triggering alerts. +- Security tools or monitoring software might execute diagnostic or remediation scripts from temporary paths. Verify these activities and add them to an exception list to avoid false positives. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of potential malware and unauthorized access. +- Terminate any suspicious processes identified as running from atypical directories to halt malicious activity. +- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious files. +- Review and restore any modified system processes or configurations to their original state to ensure system integrity. +- Collect and preserve relevant logs and evidence for further analysis and potential escalation to the incident response team. +- Escalate the incident to the security operations center (SOC) or incident response team if the threat persists or if there is evidence of broader compromise. 
+- Implement application whitelisting to prevent unauthorized execution of software from user or temporary directories in the future.""" +references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5" setup = """## Setup This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: @@ -71,9 +107,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - Click “Save and Continue”. - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ -references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] -risk_score = 21 -rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5" severity = "low" tags = [ "Domain: Endpoint", 
@@ -86,41 +119,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Windows Path Activity - -In corporate Windows environments, software is typically managed centrally, making execution from user or temporary directories uncommon. Adversaries exploit this by running malware from these atypical paths, bypassing standard security measures. The 'Unusual Windows Path Activity' detection rule leverages machine learning to identify such anomalies, flagging potential persistence or execution tactics used by attackers. - -### Possible investigation steps - -- Review the process name and path to determine if it is a known legitimate application or a suspicious executable. -- Check the parent process to understand how the process was initiated and if it correlates with expected user behavior or known software installations. -- Investigate the user account associated with the process execution to verify if the activity aligns with their typical usage patterns or if it appears anomalous. -- Examine the file hash of the executable to see if it matches known malware signatures or if it has been flagged by any threat intelligence sources. -- Look into recent file modifications or creations in the directory from which the process was executed to identify any additional suspicious files or scripts. -- Analyze network connections initiated by the process to detect any unusual or unauthorized external communications. - -### False positive analysis - -- Software updates or installations by IT staff can trigger alerts when executed from temporary directories. 
To manage this, create exceptions for known IT processes or scripts that are regularly used for legitimate software deployment.
-- Some legitimate applications may temporarily execute components from user directories during updates or initial setup. Identify these applications and add them to an allowlist to prevent unnecessary alerts.
-- Developers or power users might run scripts or applications from non-standard directories for testing purposes. Establish a policy to document and approve such activities, and configure exceptions for these known cases.
-- Automated tasks or scripts that are scheduled to run from user directories can be mistaken for malicious activity. Review and document these tasks, then configure the detection rule to exclude them from triggering alerts.
-- Security tools or monitoring software might execute diagnostic or remediation scripts from temporary paths. Verify these activities and add them to an exception list to avoid false positives.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of potential malware and unauthorized access.
-- Terminate any suspicious processes identified as running from atypical directories to halt malicious activity.
-- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious files.
-- Review and restore any modified system processes or configurations to their original state to ensure system integrity.
-- Collect and preserve relevant logs and evidence for further analysis and potential escalation to the incident response team.
-- Escalate the incident to the security operations center (SOC) or incident response team if the threat persists or if there is evidence of broader compromise.
-- Implement application whitelisting to prevent unauthorized execution of software from user or temporary directories in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index 661a857bcda..f9ada397b67 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
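Review bot: The `min_stack_version = "8.14.0"` line and the `min_stack_comments` explaining it ("Breaking change at 8.14.0 for the Windows Integration.") are dropped from `[metadata]` with nothing recording why the gate is no longer needed. Presumably every branch that still receives packaged rules is now at or above 8.14, which makes the gate redundant; if any older branch still ships this rule, it would be loaded against the pre-8.14 Windows integration schema the gate was protecting, so that should be confirmed before merge. The same pair of lines is removed from the three sibling ML rule files later in this diff, so one check covers all of them. If nothing in the repo records the cut-over, a one-line commit-message note such as `min_stack_version 8.14.0 dropped: all maintained branches are >= 8.14` would preserve the reasoning.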
@@ -51,50 +49,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_process_all_hosts"] name = "Anomalous Process For a Windows Population" -setup = """## Setup - -This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: -- Elastic Defend -- Windows - -### Anomaly Detection Setup - -Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). - -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). - -#### The following steps should be executed in order to add the Elastic Defend integration to your system: -- Go to the Kibana home page and click "Add integrations". -- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. -- Click "Add Elastic Defend". -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). -- Click "Save and Continue". -- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - -### Windows Integration Setup -The Windows integration allows you to monitor the Windows OS, services, applications, and more. - -#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: -- Go to the Kibana home page and click “Add integrations”. -- In the query bar, search for “Windows” and select the integration to see more details about it. -- Click “Add Windows”. -- Configure the integration name and optionally add a description. -- Review optional and advanced settings accordingly. -- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. -- Click “Save and Continue”. -- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). -""" note = """## Triage and analysis ### Investigating Anomalous Process For a Windows Population 
@@ -159,6 +113,50 @@ This rule uses a machine learning job to detect a Windows process that is rare a references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" severity = "low" tags = [ "Domain: Endpoint", 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index 9368ab82e28..f498ba198b9 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/03/25" integration = ["endpoint", "windows"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -54,50 +52,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_process_creation"] name = "Anomalous Windows Process Creation" -setup = """## Setup - -This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: -- Elastic Defend -- Windows - -### Anomaly Detection Setup - -Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). - -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). - -#### The following steps should be executed in order to add the Elastic Defend integration to your system: -- Go to the Kibana home page and click "Add integrations". -- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. -- Click "Add Elastic Defend". -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). -- Click "Save and Continue". -- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - -### Windows Integration Setup -The Windows integration allows you to monitor the Windows OS, services, applications, and more. - -#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: -- Go to the Kibana home page and click “Add integrations”. -- In the query bar, search for “Windows” and select the integration to see more details about it. -- Click “Add Windows”. -- Configure the integration name and optionally add a description. -- Review optional and advanced settings accordingly. -- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. -- Click “Save and Continue”. -- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). -""" note = """## Triage and analysis ### Investigating Anomalous Windows Process Creation 
@@ -162,6 +116,50 @@ This rule uses a machine learning job to detect an anomalous Windows process wit references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" severity = "low" tags = [ "Domain: Endpoint", 
diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index 0c129a5b911..de821662148 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] anomaly_threshold = 50 
@@ -25,6 +23,44 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_service"] name = "Unusual Windows Service" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Windows Service + +Windows services are crucial for running background processes and applications. Adversaries exploit this by creating or modifying services to maintain persistence or execute unauthorized actions. The 'Unusual Windows Service' detection rule leverages machine learning to identify atypical services, flagging potential threats by comparing against known service patterns, thus aiding in early threat detection and response. + +### Possible investigation steps + +- Review the details of the detected unusual Windows service, including the service name, path, and any associated executables, to determine if it aligns with known legitimate services or appears suspicious. +- Check the creation and modification timestamps of the service to identify if it was recently added or altered, which could indicate unauthorized activity. +- Investigate the user account under which the service is running to assess if it has the necessary permissions and if the account has been compromised or misused. +- Cross-reference the service with known threat intelligence databases to see if it matches any known malware or persistence mechanisms. +- Analyze the network activity and connections associated with the service to identify any unusual or unauthorized communication patterns. 
+- Examine the host's event logs for any related entries that could provide additional context or evidence of malicious activity, such as failed login attempts or privilege escalation events.
+
+### False positive analysis
+
+- Legitimate software installations or updates may create new services that are flagged as unusual. Users should verify the source and purpose of the service before excluding it.
+- Custom in-house applications often run unique services that can trigger alerts. Document these services and create exceptions to prevent future false positives.
+- IT administrative tools might install services for management purposes. Confirm these tools are authorized and add them to an exception list if they are frequently flagged.
+- Temporary services used for troubleshooting or testing can be mistaken for threats. Ensure these are removed after use or excluded if they are part of regular operations.
+- Scheduled tasks that create services for specific operations might be flagged. Review these tasks and exclude them if they are part of normal business processes.
+
+### Response and remediation
+
+- Immediately isolate the affected host from the network to prevent potential lateral movement or data exfiltration by the unauthorized service.
+- Terminate the unusual Windows service identified by the alert to stop any ongoing malicious activity.
+- Conduct a thorough analysis of the service's executable and associated files to determine if they are malicious. Use endpoint detection and response (EDR) tools to assist in this analysis.
+- Remove any malicious files or executables associated with the service from the system to ensure complete eradication of the threat.
+- Restore the affected system from a known good backup if the service has caused significant changes or damage to the system.
+- Monitor the system and network for any signs of re-infection or similar unusual service activity, using enhanced logging and alerting mechanisms.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures.""" +references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" setup = """## Setup This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: @@ -69,9 +105,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - Click “Save and Continue”. - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ -references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] -risk_score = 21 -rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" severity = "low" tags = [ "Domain: Endpoint", 
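Review bot: The Response and remediation bullets in the moved `note` stop the service and remove its files but never delete the service definition itself, so the persistence entry this rule exists to catch can survive the cleanup: the service configuration lives in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<name> independently of its binary, and restoring or re-dropping the file re-arms it. Suggest a bullet after the file-removal step: `- Delete the service definition as well (for example sc.exe delete <name>) and confirm it no longer appears under HKLM\SYSTEM\CurrentControlSet\Services; removing only the binary leaves the persistence entry in place.` The guide also orders "Terminate the unusual Windows service" before "Conduct a thorough analysis of the service's executable", which loses the running process and its loaded modules; capturing the service's ImagePath, binary hash and process tree before stopping it, or at least swapping those two bullets, keeps the evidence the later analysis step depends on. This text is relocated from further down the file rather than newly written, so the point applies to it wherever it ends up.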
@@ -83,41 +116,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Windows Service - -Windows services are crucial for running background processes and applications. Adversaries exploit this by creating or modifying services to maintain persistence or execute unauthorized actions. The 'Unusual Windows Service' detection rule leverages machine learning to identify atypical services, flagging potential threats by comparing against known service patterns, thus aiding in early threat detection and response. - -### Possible investigation steps - -- Review the details of the detected unusual Windows service, including the service name, path, and any associated executables, to determine if it aligns with known legitimate services or appears suspicious. -- Check the creation and modification timestamps of the service to identify if it was recently added or altered, which could indicate unauthorized activity. -- Investigate the user account under which the service is running to assess if it has the necessary permissions and if the account has been compromised or misused. -- Cross-reference the service with known threat intelligence databases to see if it matches any known malware or persistence mechanisms. -- Analyze the network activity and connections associated with the service to identify any unusual or unauthorized communication patterns. -- Examine the host's event logs for any related entries that could provide additional context or evidence of malicious activity, such as failed login attempts or privilege escalation events. 
-
-### False positive analysis
-
-- Legitimate software installations or updates may create new services that are flagged as unusual. Users should verify the source and purpose of the service before excluding it.
-- Custom in-house applications often run unique services that can trigger alerts. Document these services and create exceptions to prevent future false positives.
-- IT administrative tools might install services for management purposes. Confirm these tools are authorized and add them to an exception list if they are frequently flagged.
-- Temporary services used for troubleshooting or testing can be mistaken for threats. Ensure these are removed after use or excluded if they are part of regular operations.
-- Scheduled tasks that create services for specific operations might be flagged. Review these tasks and exclude them if they are part of normal business processes.
-
-### Response and remediation
-
-- Immediately isolate the affected host from the network to prevent potential lateral movement or data exfiltration by the unauthorized service.
-- Terminate the unusual Windows service identified by the alert to stop any ongoing malicious activity.
-- Conduct a thorough analysis of the service's executable and associated files to determine if they are malicious. Use endpoint detection and response (EDR) tools to assist in this analysis.
-- Remove any malicious files or executables associated with the service from the system to ensure complete eradication of the threat.
-- Restore the affected system from a known good backup if the service has caused significant changes or damage to the system.
-- Monitor the system and network for any signs of re-infection or similar unusual service activity, using enhanced logging and alerting mechanisms.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures.""" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 17250cb6b83..8485f372dbb 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] anomaly_threshold = 50 
@@ -25,6 +23,44 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_rare_user_runas_event"] name = "Unusual Windows User Privilege Elevation Activity" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Windows User Privilege Elevation Activity + +In Windows environments, privilege elevation tools like 'runas' allow users to execute programs with different user credentials, typically used by administrators. Adversaries exploit this to gain elevated access, often indicating account compromise. The detection rule leverages machine learning to identify atypical usage patterns of such tools, flagging potential unauthorized privilege escalation attempts. + +### Possible investigation steps + +- Review the specific user account involved in the alert to determine if it is a regular user or an administrator, as privilege elevation is more common among administrators. +- Check the timestamp of the alert to correlate with any known scheduled tasks or administrative activities that might explain the use of privilege elevation tools. +- Investigate the source IP address and device from which the privilege elevation attempt was made to verify if it aligns with the user's typical access patterns. +- Examine recent login activity for the user account to identify any unusual or unauthorized access attempts that could indicate account compromise. +- Look for any other security alerts or logs related to the same user or device around the time of the alert to gather additional context on potential malicious activity. 
+- Assess whether there have been any recent changes to user permissions or group memberships that could have facilitated the privilege elevation. + +### False positive analysis + +- Regular administrative tasks by domain or network administrators can trigger false positives. To manage this, create exceptions for known administrator accounts frequently using the runas command. +- Scheduled tasks or scripts that require privilege elevation might be flagged. Identify and exclude these tasks from monitoring if they are verified as safe and necessary for operations. +- Software updates or installations that require elevated privileges can also cause alerts. Maintain a list of approved software and update processes to exclude them from triggering the rule. +- Training or testing environments where privilege elevation is part of routine operations may generate false positives. Exclude these environments from the rule's scope to prevent unnecessary alerts. +- Third-party applications that use privilege elevation for legitimate purposes should be reviewed and, if deemed safe, added to an exception list to avoid repeated false positives. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. +- Revoke any elevated privileges granted to the compromised account and reset its password to prevent further misuse. +- Conduct a thorough review of recent activity logs for the affected account to identify any unauthorized actions or data access. +- Notify the security team and relevant stakeholders about the incident for awareness and potential escalation. +- Restore any altered or compromised system configurations to their original state using backups or system snapshots. +- Implement additional monitoring on the affected system and account to detect any further suspicious activity. 
+- Review and update access controls and privilege management policies to minimize the risk of similar incidents in the future.""" +references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8" setup = """## Setup This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: @@ -69,9 +105,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - Click “Save and Continue”. - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ -references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] -risk_score = 21 -rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8" severity = "low" tags = [ "Domain: Endpoint", 
@@ -83,41 +116,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Windows User Privilege Elevation Activity - -In Windows environments, privilege elevation tools like 'runas' allow users to execute programs with different user credentials, typically used by administrators. Adversaries exploit this to gain elevated access, often indicating account compromise. The detection rule leverages machine learning to identify atypical usage patterns of such tools, flagging potential unauthorized privilege escalation attempts. - -### Possible investigation steps - -- Review the specific user account involved in the alert to determine if it is a regular user or an administrator, as privilege elevation is more common among administrators. -- Check the timestamp of the alert to correlate with any known scheduled tasks or administrative activities that might explain the use of privilege elevation tools. -- Investigate the source IP address and device from which the privilege elevation attempt was made to verify if it aligns with the user's typical access patterns. -- Examine recent login activity for the user account to identify any unusual or unauthorized access attempts that could indicate account compromise. -- Look for any other security alerts or logs related to the same user or device around the time of the alert to gather additional context on potential malicious activity. -- Assess whether there have been any recent changes to user permissions or group memberships that could have facilitated the privilege elevation. 
- -### False positive analysis - -- Regular administrative tasks by domain or network administrators can trigger false positives. To manage this, create exceptions for known administrator accounts frequently using the runas command. -- Scheduled tasks or scripts that require privilege elevation might be flagged. Identify and exclude these tasks from monitoring if they are verified as safe and necessary for operations. -- Software updates or installations that require elevated privileges can also cause alerts. Maintain a list of approved software and update processes to exclude them from triggering the rule. -- Training or testing environments where privilege elevation is part of routine operations may generate false positives. Exclude these environments from the rule's scope to prevent unnecessary alerts. -- Third-party applications that use privilege elevation for legitimate purposes should be reviewed and, if deemed safe, added to an exception list to avoid repeated false positives. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. -- Revoke any elevated privileges granted to the compromised account and reset its password to prevent further misuse. -- Conduct a thorough review of recent activity logs for the affected account to identify any unauthorized actions or data access. -- Notify the security team and relevant stakeholders about the incident for awareness and potential escalation. -- Restore any altered or compromised system configurations to their original state using backups or system snapshots. -- Implement additional monitoring on the affected system and account to detect any further suspicious activity. -- Review and update access controls and privilege management policies to minimize the risk of similar incidents in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" 
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
index 998ef82e8d0..d38cd884d91 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/01/15"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -10,24 +10,21 @@ description = """ Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Credential Dumping - Detected - Elastic Endgame" risk_score = 73 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
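Review bot: `from = "now-2m"` with `interval = "1m"` leaves one minute of look-back overlap where the old `now-15m`/`10m` pair had five, so a rule run that the Kibana scheduler delays by more than a minute skips whatever endgame events were ingested in the gap; with `timestamp_override = "event.ingested"` that overlap only has to cover execution lateness, but it still has to cover it. The same pair is applied in every other `rules/promotions/*` hunk of this commit (cred dumping prevented, adversary behavior, malware and ransomware detected/prevented, exploit detected/prevented, credential manipulation detected), so the point applies there too. The rewritten `setup` text now only links to the troubleshooting guide and no longer says what the per-run cap is or what happens when it is reached. I would keep one sentence above the link, e.g. `This rule creates at most 1000 alerts per run (**Max alerts per run**); events beyond that are not promoted in that run, so monitor the max alerts warning on busy hosts.`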
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
index ed000beca84..f46b90819c7 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/01/15"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -10,24 +10,21 @@ description = """ Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Credential Dumping - Prevented - Elastic Endgame" risk_score = 47 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml
index aab9803aab6..7dac55b3b2c 100644
--- a/rules/promotions/endgame_adversary_behavior_detected.toml
+++ b/rules/promotions/endgame_adversary_behavior_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/01/15"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -10,24 +10,21 @@ description = """ Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Adversary Behavior - Detected - Elastic Endgame" risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index 31bbc4f7634..4daed0dfdcf 100644 --- a/rules/promotions/endgame_malware_detected.toml 
+++ b/rules/promotions/endgame_malware_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -10,24 +10,21 @@ description = """ Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Malware - Detected - Elastic Endgame" risk_score = 99 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "critical" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml
index 467ddcf812c..709de30d31d 100644
--- a/rules/promotions/endgame_malware_prevented.toml
+++ b/rules/promotions/endgame_malware_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/01/15"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -10,24 +10,21 @@ description = """ Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Malware - Prevented - Elastic Endgame" risk_score = 73 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index 9d23dc1b843..9f8c169466d 100644 --- a/rules/promotions/endgame_ransomware_detected.toml 
+++ b/rules/promotions/endgame_ransomware_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/01/15"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -10,24 +10,20 @@ description = """ Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Ransomware - Detected - Elastic Endgame" risk_score = 99 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" setup = """## Setup +### Additional notes -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. - -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "critical" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index b32b9b36ac8..28f96352a27 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml 
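Review bot: The new `setup` value in this hunk puts `### Additional notes` on the line directly after `## Setup`, whereas every sibling promotions rule in this commit keeps a blank line between the two headings (the +20 here versus +21 in the others is the giveaway). Markdown renders both the same, but the odd-one-out setup string will show up in every cross-rule diff or linter comparison from now on. I would insert the blank line so the block reads `## Setup`, an empty line, then `### Additional notes`, matching the other files.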
+++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -10,24 +10,21 @@ description = """ Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Ransomware - Prevented - Elastic Endgame" risk_score = 73 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml
index d47aedb63de..c74ed775d20 100644
--- a/rules/promotions/execution_endgame_exploit_detected.toml
+++ b/rules/promotions/execution_endgame_exploit_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/01/15"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -10,24 +10,21 @@ description = """ Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Exploit - Detected - Elastic Endgame" risk_score = 73 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = [ "Data Source: Elastic Endgame", diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 9666184c917..9882090ac4d 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -10,24 +10,21 @@ description = """ Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Exploit - Prevented - Elastic Endgame" risk_score = 47 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = [ "Data Source: Elastic Endgame", diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 98fd75797e7..c94fea89967 100644 
--- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/08" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -10,6 +10,7 @@ description = """ Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. """ +from = "now-2m" index = [ "apm-*-transaction*", "traces-apm*", 
@@ -19,22 +20,20 @@ index = [ "packetbeat-*", "winlogbeat-*", ] +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "External Alerts" risk_score = 47 rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa" rule_name_override = "message" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux", "Resources: Investigation Guide"] timestamp_override = "event.ingested" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index f0314e447df..c828eafd159 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml 
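Review bot: `max_signals` drops from 10000 to 1000 while the rule now runs every minute across the whole third-party alert `index` list (apm, packetbeat, winlogbeat and the rest), so the promotion ceiling roughly halves relative to the 5-minute interval it presumably ran at before, since no `interval` was set (10000 per 5 minutes versus 1000 per minute); for a rule whose whole purpose is to surface every external alert, hitting the cap means some sources' alerts are silently not promoted in that run. The explicit `from = "now-2m"` added in the previous hunk together with `interval = "1m"` here also leaves only one minute of look-back overlap, which with `timestamp_override = "event.ingested"` has to absorb any scheduler delay on a busy Kibana. I would either keep `max_signals = 10000` on this rule alongside the linked guide, or add a sentence to `setup` noting that the cap applies per run and that the max alerts warning should be watched on this rule in particular.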
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/01/15"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -10,24 +10,21 @@ description = """ Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Credential Manipulation - Detected - Elastic Endgame" risk_score = 73 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
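Review bot: The new schedule of `from = "now-2m"` with `interval = "1m"` leaves only one minute of overlap between consecutive runs, down from five minutes under the old `now-15m` / `10m` pair, so any execution delayed by more than a minute (task-manager backlog, Kibana restart) leaves Endgame credential-manipulation alerts un-promoted for that window. `timestamp_override = "event.ingested"` removes ingest lag from the equation but not execution lag, so a slightly wider look-back such as `from = "now-3m"` is a cheap safety margin; if the one-minute overlap was deliberate, a `#` comment above `from` recording that would stop it being "fixed" later. The `[rule]` table continues outside the hunk.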
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index 25e26765377..654389a20dd 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] 
@@ -10,24 +10,21 @@ description = """ Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Credential Manipulation - Prevented - Elastic Endgame" risk_score = 47 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index 91f88ec9639..da56645fb6b 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] 
@@ -10,24 +10,21 @@ description = """ Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Permission Theft - Detected - Elastic Endgame" risk_score = 73 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 5e40431547a..9b43b081eca 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] 
@@ -10,24 +10,21 @@ description = """ Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Permission Theft - Prevented - Elastic Endgame" risk_score = 47 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 4294a157d34..38a36feec06 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] 
@@ -10,24 +10,21 @@ description = """ Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-2m" index = ["endgame-*"] -interval = "10m" +interval = "1m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Process Injection - Detected - Elastic Endgame" risk_score = 73 rule_id = "80c52164-c82a-402c-9964-852533d58be1" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 296341418d8..5a5e8b7765d 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2025/03/21" [rule] author = ["Elastic"] 
@@ -10,24 +10,21 @@ description = """ Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. """ -from = "now-15m" +from = "now-1m" index = ["endgame-*"] -interval = "10m" +interval = "2m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Process Injection - Prevented - Elastic Endgame" risk_score = 47 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" setup = """## Setup -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
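Review bot: `from = "now-1m"` combined with `interval = "2m"` opens a detection gap: each run queries only the last minute of a two-minute schedule, so roughly half of the prevented process-injection events in `endgame-*` can never be promoted to alerts. Every sibling Endgame promotion rule in this change uses `from = "now-2m"` with `interval = "1m"`, so the two values look transposed; the fix is `from = "now-2m"` and `interval = "1m"`. The `[rule]` table continues outside the hunk.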
diff --git a/rules/threat_intel/threat_intel_rapid7_threat_command.toml b/rules/threat_intel/threat_intel_rapid7_threat_command.toml index bab9e900435..1d532f38b72 100644 --- a/rules/threat_intel/threat_intel_rapid7_threat_command.toml +++ b/rules/threat_intel/threat_intel_rapid7_threat_command.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/29" integration = ["ti_rapid7_threat_command"] maturity = "production" -min_stack_comments = "Breaking change at 8.13.0 for Rapid7 Threat Command Integration" -min_stack_version = "8.13.0" -updated_date = "2025/01/10" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -17,7 +15,7 @@ index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "wi interval = "30m" language = "kuery" license = "Elastic License v2" -max_signals = 10000 +max_signals = 1000 name = "Rapid7 Threat Command CVEs Correlation" note = """## Triage and analysis @@ -41,11 +39,11 @@ Additional investigation can be done by reviewing the source of the activity and """ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", - "https://docs.elastic.co/integrations/ti_rapid7_threat_command"] + "https://docs.elastic.co/integrations/ti_rapid7_threat_command", +] risk_score = 99 rule_id = "3a657da0-1df2-11ef-a327-f661ea17fbcc" setup = """ - ## Setup This rule needs threat intelligence indicators to work. 
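Review bot: `max_signals` drops from 10000 to 1000 while `interval = "30m"` is unchanged, so unlike the Endgame rules in this change, where a shorter interval compensates, this threat-match rule's per-run alert capacity falls tenfold; a sizeable CVE indicator set correlated against 30 minutes of events across the listed indices can exceed 1000 matches, and everything above the cap is simply not generated for that run. If the lower cap is intended, shortening the schedule (for example `interval = "15m"` with the look-back widened to match) would preserve throughput, and the replacement setup text should still state that alerts above the cap are truncated rather than only linking the guide. Dropping `min_stack_version = "8.13.0"` assumes no maintained stack older than the Rapid7 integration's breaking change remains, which cannot be confirmed from this hunk. The rule's `from` value is not visible here.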
@@ -55,15 +53,9 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html). -## Max Signals - -This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. +### Additional notes -**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. - -To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. - -**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "critical" tags = [ @@ -81,9 +73,6 @@ tags = [ threat_index = ["logs-ti_rapid7_threat_command_latest.vulnerability"] threat_indicator_path = "rapid7.tc.vulnerability" threat_language = "kuery" -threat_query = """ -@timestamp >= "now-30d/d" and vulnerability.id : * and event.module: ti_rapid7_threat_command -""" timestamp_override = "event.ingested" type = "threat_match" @@ -92,6 +81,12 @@ vulnerability.id : * ''' + +threat_query = ''' +@timestamp >= "now-30d/d" and vulnerability.id : * and event.module: ti_rapid7_threat_command +''' + + [[rule.filters]] [rule.filters."$state"] 
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 2baaf353390..97ba3fb44a3 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml index d1d9311a1ef..d9df945ca5c 100644 --- a/rules/windows/collection_mailbox_export_winlog.toml +++ b/rules/windows/collection_mailbox_export_winlog.toml @@ -2,14 +2,13 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2024/10/28" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. +Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary +mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. """ false_positives = ["Legitimate exchange system administration activity."] from = "now-9m" 
@@ -63,7 +62,14 @@ references = [ risk_score = 47 rule_id = "54a81f68-5f2a-421e-8eed-f888278bb712" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -72,27 +78,28 @@ event.category:process and host.os.type:windows and powershell.file.script_block_text : "New-MailboxExportRequest" ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" - +case_insensitive = true +value = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -104,7 +111,6 @@ reference = "https://attack.mitre.org/techniques/T1005/" id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" - [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" 
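Review bot: The three negated `file.path` filters suppress the alert purely on where the script lives, and two of those locations (the per-user `AppData\Local\Temp\tmp_????????.???\...` pattern and the per-user `AppData\Roaming\Microsoft\Exchange\RemotePowerShell\*` directory) are writable by the interactive user, so an operator who saves a script calling `New-MailboxExportRequest` under a matching name in their own profile bypasses the rule. This is pre-existing, the hunk only drops the quotes around `case_insensitive` and `value` (equivalent in TOML), but since every filter is touched it is the moment to tighten them, for instance by additionally constraining the executing account to Exchange service identities if the PowerShell script-block event carries a user field, which I cannot confirm from here. At minimum a `#` comment above the first `[[rule.filters]]` such as `# Exclude Exchange's own remote-PowerShell temporary scripts; paths are user-writable, see rule notes` would tell the next reader what the patterns are for and that they are an accepted exposure. The `[[rule.threat]]` tables continue past the hunk.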
@@ -116,7 +122,9 @@ name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index c1accd7d8fc..55a17d1389e 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml index d08e2472044..faf38d48834 100644 --- a/rules/windows/collection_posh_clipboard_capture.toml +++ b/rules/windows/collection_posh_clipboard_capture.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/12" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2024/10/28" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -80,7 +78,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -105,27 +110,28 @@ event.category:process and host.os.type:windows and ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1" - +case_insensitive = true +value = "?:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1" - +case_insensitive = true +value = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" - +case_insensitive = true +value = "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 7e89556a964..6feee1d78f0 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml index 6e8c811794d..9a8eacb6ff0 100644 --- a/rules/windows/collection_posh_mailbox.toml +++ b/rules/windows/collection_posh_mailbox.toml 
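Review bot: The third exclusion, `?:\Program?Files\WindowsPowerShell\Modules\*.ps?1`, is broader than its two siblings, which are scoped to `*.psd1` manifests: `ps?1` also admits `.ps1` and `.psm1`, so any module script under that directory is exempt from the clipboard-capture detection. Writing there needs administrator rights, so the exposure is limited, but if the broader match is deliberate a short `#` comment above that filter saying so would stop a later reader narrowing it, and if it is not, `*.psd1` would align it with the other two. The hunk itself only unquotes the filter keys, which is equivalent in TOML. The `[[rule.threat.technique]]` table continues outside the hunk.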
@@ -2,9 +2,7 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index cd618e1b03b..c0b7b9ffee0 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml index e7afa981c67..cf95d2a9b3d 100644 --- a/rules/windows/collection_posh_webcam_video_capture.toml +++ b/rules/windows/collection_posh_webcam_video_capture.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/18" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,40 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Webcam Video Capture Capabilities" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating PowerShell Script with Webcam Video Capture Capabilities + +PowerShell, a powerful scripting language in Windows, can interface with system components like webcams for legitimate tasks such as video conferencing. However, adversaries exploit this by crafting scripts to covertly record video, infringing on privacy. The detection rule identifies suspicious script patterns and API calls linked to webcam access, flagging potential misuse for further investigation. + +### Possible investigation steps + +- Review the PowerShell script block text associated with the alert to identify any suspicious patterns or API calls, such as "NewFrameEventHandler" or "VideoCaptureDevice". +- Check the process execution details, including the parent process, to determine how the PowerShell script was initiated and if it was part of a legitimate application or task. +- Investigate the user account under which the PowerShell script was executed to assess if the account has a history of suspicious activity or if it has been compromised. +- Examine the host's recent activity logs for any other unusual behavior or alerts that might correlate with the webcam access attempt, such as unauthorized access attempts or data exfiltration. +- Verify if the host has any legitimate applications that might use webcam access, and cross-reference with the script's behavior to rule out false positives. 
+ +### False positive analysis + +- Legitimate video conferencing applications may trigger the detection rule due to their use of similar API calls and script patterns. Users can create exceptions for known and trusted applications by whitelisting their process names or script signatures. +- Security testing tools that simulate webcam access for vulnerability assessments might be flagged. To handle this, users should exclude these tools from monitoring during scheduled testing periods. +- System diagnostics or maintenance scripts that access webcam components for hardware checks can be mistaken for malicious activity. Users should document and exclude these scripts if they are part of routine system operations. +- Educational or training software that uses webcam access for interactive sessions may be incorrectly identified. Users can mitigate this by adding these applications to an allowlist after verifying their legitimacy. +- Custom scripts developed in-house for specific business needs that involve webcam access should be reviewed and, if deemed safe, excluded from the detection rule to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious PowerShell processes identified by the detection rule to stop ongoing webcam recording activities. +- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious scripts or software. +- Review and revoke any unauthorized access permissions or credentials that may have been compromised during the incident. +- Restore the system from a known good backup if any critical system files or configurations have been altered by the malicious script. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. 
+- Implement enhanced monitoring and logging for PowerShell activities across the network to detect and respond to similar threats more effectively in the future.""" references = [ "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py", ] 
@@ -68,40 +100,6 @@ event.category:process and host.os.type:windows and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating PowerShell Script with Webcam Video Capture Capabilities - -PowerShell, a powerful scripting language in Windows, can interface with system components like webcams for legitimate tasks such as video conferencing. However, adversaries exploit this by crafting scripts to covertly record video, infringing on privacy. The detection rule identifies suspicious script patterns and API calls linked to webcam access, flagging potential misuse for further investigation. - -### Possible investigation steps - -- Review the PowerShell script block text associated with the alert to identify any suspicious patterns or API calls, such as "NewFrameEventHandler" or "VideoCaptureDevice". -- Check the process execution details, including the parent process, to determine how the PowerShell script was initiated and if it was part of a legitimate application or task. -- Investigate the user account under which the PowerShell script was executed to assess if the account has a history of suspicious activity or if it has been compromised. -- Examine the host's recent activity logs for any other unusual behavior or alerts that might correlate with the webcam access attempt, such as unauthorized access attempts or data exfiltration. -- Verify if the host has any legitimate applications that might use webcam access, and cross-reference with the script's behavior to rule out false positives. 
- -### False positive analysis - -- Legitimate video conferencing applications may trigger the detection rule due to their use of similar API calls and script patterns. Users can create exceptions for known and trusted applications by whitelisting their process names or script signatures. -- Security testing tools that simulate webcam access for vulnerability assessments might be flagged. To handle this, users should exclude these tools from monitoring during scheduled testing periods. -- System diagnostics or maintenance scripts that access webcam components for hardware checks can be mistaken for malicious activity. Users should document and exclude these scripts if they are part of routine system operations. -- Educational or training software that uses webcam access for interactive sessions may be incorrectly identified. Users can mitigate this by adding these applications to an allowlist after verifying their legitimacy. -- Custom scripts developed in-house for specific business needs that involve webcam access should be reviewed and, if deemed safe, excluded from the detection rule to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious PowerShell processes identified by the detection rule to stop ongoing webcam recording activities. -- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious scripts or software. -- Review and revoke any unauthorized access permissions or credentials that may have been compromised during the incident. -- Restore the system from a known good backup if any critical system files or configurations have been altered by the malicious script. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. 
-- Implement enhanced monitoring and logging for PowerShell activities across the network to detect and respond to similar threats more effectively in the future.""" [[rule.threat]] diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index c17e967c850..0cbdbc6a134 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/11/02" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -14,12 +12,12 @@ preparation for exfiltration. """ from = "now-9m" index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", - "endgame-*", - "logs-m365_defender.event-*", - "logs-sentinel_one_cloud_funnel.*" + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -81,7 +79,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne" + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index a2a98c6bfba..d2af75605fd 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml 
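Review bot: Dropping `min_stack_version = "8.14.0"` together with its `min_stack_comments` line in the `@@ -2,9 +2,7 @@` hunk of collection_winrar_encryption.toml widens the rule's declared compatibility to any stack version, so a rule package built for a release older than 8.14 would again be exposed to the Windows integration breaking change the removed comment documented. Presumably this is safe because no branch below 8.14 is still maintained, but that assumption is not stated anywhere in the diff and is worth recording in the commit message. The same two-line removal is repeated in command_and_control_certreq_postdata.toml, command_and_control_dns_tunneling_nslookup.toml, command_and_control_encrypted_channel_freesslcert.toml and the remaining rule files in this commit. If any of those rules must still ship to a pre-8.14 stack, the two lines should be restored there rather than dropped.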
@@ -2,9 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index 3083a7f5f74..27ba25a1e43 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index 6815716b957..7a9bf50f8f0 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,40 @@ index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_ language = "eql" license = "Elastic License v2" name = "Connection to Commonly Abused Free SSL Certificate Providers" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Connection to Commonly Abused Free SSL Certificate Providers + +Free SSL certificates, like those from Let's Encrypt, enable secure web traffic encryption. Adversaries exploit these to mask malicious command and control (C2) communications. The detection rule identifies unusual Windows processes accessing domains with such certificates, excluding common false positives, to flag potential misuse of encrypted channels for C2 activities. + +### Possible investigation steps + +- Review the process executable path to confirm if it is a native Windows process and assess the legitimacy of its network activity. Focus on paths like "C:\\Windows\\System32\\*.exe" and "C:\\Windows\\SysWOW64\\*.exe". +- Investigate the specific domain accessed by the process, such as those ending in "*.letsencrypt.org" or "*.sslforfree.com", to determine if it is associated with known malicious activity or if it is a legitimate service. +- Check the process name against the list of excluded false positives, ensuring it is not "svchost.exe", "MicrosoftEdge*.exe", or "msedge.exe", which are common and typically benign. +- Analyze the network traffic associated with the process to identify any unusual patterns or anomalies that could indicate command and control activity. 
+- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activities. + +### False positive analysis + +- Windows system processes like svchost.exe and MicrosoftEdge.exe are common false positives due to their legitimate network activities. These can be excluded from the detection rule to reduce noise. +- Regularly update the list of excluded processes to include any new system processes that are verified to have legitimate reasons for accessing domains with free SSL certificates. +- Monitor and analyze network traffic patterns to identify any additional processes that consistently generate false positives, and consider adding them to the exclusion list if they are deemed non-threatening. +- Use process whitelisting to allow known safe applications that frequently access these domains, ensuring they do not trigger alerts unnecessarily. +- Implement a review process to periodically reassess the exclusion list, ensuring it remains relevant and does not inadvertently allow malicious activities to go undetected. + +### Response and remediation + +- Isolate the affected system from the network to prevent further malicious communication and potential lateral movement. +- Terminate any suspicious processes identified in the alert that are not typically associated with network activity, such as those running from unusual paths or with unexpected network connections. +- Conduct a thorough review of the system's recent activity logs to identify any unauthorized changes or additional indicators of compromise. +- Remove any malicious files or executables found on the system, ensuring that all remnants of the threat are eradicated. +- Restore the system from a known good backup if any critical system files or configurations have been altered. +- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" risk_score = 21 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d" setup = """## Setup 
@@ -56,40 +88,6 @@ network where host.os.type == "windows" and network.protocol == "dns" and /* Insert noisy false positives here */ not process.name : ("svchost.exe", "MicrosoftEdge*.exe", "msedge.exe") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Connection to Commonly Abused Free SSL Certificate Providers - -Free SSL certificates, like those from Let's Encrypt, enable secure web traffic encryption. Adversaries exploit these to mask malicious command and control (C2) communications. The detection rule identifies unusual Windows processes accessing domains with such certificates, excluding common false positives, to flag potential misuse of encrypted channels for C2 activities. - -### Possible investigation steps - -- Review the process executable path to confirm if it is a native Windows process and assess the legitimacy of its network activity. Focus on paths like "C:\\Windows\\System32\\*.exe" and "C:\\Windows\\SysWOW64\\*.exe". -- Investigate the specific domain accessed by the process, such as those ending in "*.letsencrypt.org" or "*.sslforfree.com", to determine if it is associated with known malicious activity or if it is a legitimate service. -- Check the process name against the list of excluded false positives, ensuring it is not "svchost.exe", "MicrosoftEdge*.exe", or "msedge.exe", which are common and typically benign. -- Analyze the network traffic associated with the process to identify any unusual patterns or anomalies that could indicate command and control activity. 
-- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activities. - -### False positive analysis - -- Windows system processes like svchost.exe and MicrosoftEdge.exe are common false positives due to their legitimate network activities. These can be excluded from the detection rule to reduce noise. -- Regularly update the list of excluded processes to include any new system processes that are verified to have legitimate reasons for accessing domains with free SSL certificates. -- Monitor and analyze network traffic patterns to identify any additional processes that consistently generate false positives, and consider adding them to the exclusion list if they are deemed non-threatening. -- Use process whitelisting to allow known safe applications that frequently access these domains, ensuring they do not trigger alerts unnecessarily. -- Implement a review process to periodically reassess the exclusion list, ensuring it remains relevant and does not inadvertently allow malicious activities to go undetected. - -### Response and remediation - -- Isolate the affected system from the network to prevent further malicious communication and potential lateral movement. -- Terminate any suspicious processes identified in the alert that are not typically associated with network activity, such as those running from unusual paths or with unexpected network connections. -- Conduct a thorough review of the system's recent activity logs to identify any unauthorized changes or additional indicators of compromise. -- Remove any malicious files or executables found on the system, ensuring that all remnants of the threat are eradicated. -- Restore the system from a known good backup if any critical system files or configurations have been altered. -- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml index 81abab1104f..58a321831a5 100644 --- a/rules/windows/command_and_control_headless_browser.toml +++ b/rules/windows/command_and_control_headless_browser.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/10" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml index 8e7ba96c2d3..7df227a7de5 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml +++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml index 90f713db53b..4486f3e4757 100644 --- a/rules/windows/command_and_control_outlook_home_page.toml +++ b/rules/windows/command_and_control_outlook_home_page.toml 
@@ -2,9 +2,7 @@
 creation_date = "2024/08/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,43 +11,17 @@ Identifies modifications in registry keys associated with abuse of the Outlook H control or persistence. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Outlook Home Page Registry Modification" -references = [ - "https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/", - "https://github.com/trustedsec/specula" -] -risk_score = 47 -rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and - registry.path : ( - "HKCU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", - "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", - "HKU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", - "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", - "USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL" - ) and registry.data.strings : "*http*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -84,6 +56,39 @@ The Outlook Home Page feature allows users to set a webpage as the default view - Review and analyze network logs to identify any outbound connections to suspicious domains or IP addresses, and block these at the firewall. - Escalate the incident to the security operations center (SOC) for further investigation and to determine if other systems are affected. - Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and network activity.""" +references = [ + "https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/", + "https://github.com/trustedsec/specula", +] +risk_score = 47 +rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and + registry.path : ( + "HKCU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", + "HKU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", + "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL", + "USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL" + ) and registry.data.strings : "*http*" +''' [[rule.threat]] 
@@ -93,7 +98,6 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index cc1ee407e09..a5f8f32e7b7 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2024/10/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,14 @@ Identifies the creation of a new port forwarding rule. An adversary may abuse th segmentation restrictions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Port Forwarding Rule Addition" @@ -101,7 +106,6 @@ reference = "https://attack.mitre.org/techniques/T1572/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -109,6 +113,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 138ce8e3f7d..14e373d6b5f 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -103,7 +101,6 @@ reference = "https://attack.mitre.org/techniques/T1572/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -121,3 +118,4 @@ reference = "https://attack.mitre.org/techniques/T1021/004/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 8bb08c1cf17..82f163f5d20 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,11 +2,40 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] +[[transform.investigate]] +label = "Alerts associated with the user in the last 48h" +providers = [ + [ + { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, + { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" } + ] +] +relativeFrom = "now-48h/h" +relativeTo = "now" + +[[transform.investigate]] +label = "Alerts associated with the host in the last 48h" +providers = [ + [ + { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, + { excluded = false, field = "host.name", queryType = "phrase", value = "{{host.name}}", valueType = "string" } + ] +] +relativeFrom = "now-48h/h" +relativeTo = "now" + +[[transform.investigate]] +label = "Investigate the Subject Process Network Events" +providers = [ + [ + { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" } + ] +] + [[transform.osquery]] label = "Osquery - Retrieve DNS Cache" query = "SELECT * FROM dns_cache" 
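Review bot: The third `[[transform.investigate]]` block added in this hunk ("Investigate the Subject Process Network Events") carries no `relativeFrom`/`relativeTo`, whereas the two alert-correlation blocks above it are bounded to `now-48h/h`; the block is moved rather than written fresh, so the omission predates this commit, but with the providers being rewritten here it is the right moment to either add an explicit window or confirm that an unbounded search on `process.entity_id` is intended. I cannot tell from the diff what default range the consumer applies when the two keys are absent, so this is a question rather than a defect. The identical block in command_and_control_remote_file_copy_mpcmdrun.toml has the same gap.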
@@ -31,37 +60,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ -[[transform.investigate]] -label = "Alerts associated with the user in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "user.id", excluded = false, queryType = "phrase", value = "{{user.id}}", valueType = "string"} - ] -] - -[[transform.investigate]] -label = "Alerts associated with the host in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "host.name", excluded = false, queryType = "phrase", value = "{{host.name}}", valueType = "string"}, - ] -] - -[[transform.investigate]] -label = "Investigate the Subject Process Network Events" -providers = [ - [ - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.entity_id}}", valueType = "string"}, - {field = "event.category", excluded = false, queryType = "phrase", value = "network", valueType = "string"} - ] -] - [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index 2bed2b5a903..cd047fec4d5 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml 
@@ -2,11 +2,40 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] +[[transform.investigate]] +label = "Alerts associated with the user in the last 48h" +providers = [ + [ + { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, + { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" } + ] +] +relativeFrom = "now-48h/h" +relativeTo = "now" + +[[transform.investigate]] +label = "Alerts associated with the host in the last 48h" +providers = [ + [ + { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, + { excluded = false, field = "host.name", queryType = "phrase", value = "{{host.name}}", valueType = "string" } + ] +] +relativeFrom = "now-48h/h" +relativeTo = "now" + +[[transform.investigate]] +label = "Investigate the Subject Process Network Events" +providers = [ + [ + { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" } + ] +] + [[transform.osquery]] label = "Osquery - Retrieve DNS Cache" query = "SELECT * FROM dns_cache" 
@@ -31,37 +60,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ -[[transform.investigate]] -label = "Alerts associated with the user in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "user.id", excluded = false, queryType = "phrase", value = "{{user.id}}", valueType = "string"} - ] -] - -[[transform.investigate]] -label = "Alerts associated with the host in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "host.name", excluded = false, queryType = "phrase", value = "{{host.name}}", valueType = "string"} - ] -] - -[[transform.investigate]] -label = "Investigate the Subject Process Network Events" -providers = [ - [ - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.entity_id}}", valueType = "string"}, - {field = "event.category", excluded = false, queryType = "phrase", value = "network", valueType = "string"} - ] -] - [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 813cad05e4c..a6a497a812c 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml index 25f96b21f0e..274f0941273 100644 --- a/rules/windows/command_and_control_screenconnect_childproc.toml +++ b/rules/windows/command_and_control_screenconnect_childproc.toml @@ -2,15 +2,13 @@ creation_date = "2024/03/27" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution -abusing unauthorized access to the ScreenConnect remote access software. +Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate +execution abusing unauthorized access to the ScreenConnect remote access software. """ from = "now-9m" index = [ 
@@ -26,7 +24,44 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious ScreenConnect Client Child Process"
-references = ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"]
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious ScreenConnect Client Child Process
+
+ScreenConnect, a remote access tool, facilitates legitimate remote support but can be exploited by adversaries to execute unauthorized commands. Malicious actors may spawn processes like PowerShell or cmd.exe via ScreenConnect to perform harmful activities. The detection rule identifies such suspicious child processes, focusing on unusual arguments and process names, indicating potential abuse of remote access capabilities.
+
+### Possible investigation steps
+
+- Review the parent process name to confirm it is one of the ScreenConnect client processes listed in the query, such as ScreenConnect.ClientService.exe or ScreenConnect.WindowsClient.exe, to verify the source of the suspicious activity.
+- Examine the child process name and arguments, such as powershell.exe with encoded commands or cmd.exe with /c, to identify potentially malicious actions or commands being executed.
+- Check the network activity associated with the suspicious process, especially if the process arguments include network-related terms like *http* or *downloadstring*, to determine if there is any unauthorized data exfiltration or command and control communication.
+- Investigate the user account under which the suspicious process was executed to assess if the account has been compromised or is being misused.
+- Correlate the event with other security alerts or logs from data sources like Elastic Defend or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activities.
+- Review the system's recent activity and changes, such as new scheduled tasks or services created by schtasks.exe or sc.exe, to identify any persistence mechanisms that may have been established by the attacker.
+
+### False positive analysis
+
+- Legitimate IT support activities using ScreenConnect may trigger the rule when executing scripts or commands for maintenance. To manage this, identify and whitelist specific IT support accounts or IP addresses that regularly perform these actions.
+- Automated scripts or scheduled tasks that use ScreenConnect for routine operations might be flagged. Review and document these scripts, then create exceptions for known benign processes and arguments.
+- Software updates or installations initiated through ScreenConnect can appear suspicious. Maintain a list of approved software and update processes, and exclude these from the rule.
+- Internal security tools or monitoring solutions that leverage ScreenConnect for legitimate purposes may be detected. Verify these tools and add them to an exclusion list to prevent false positives.
+- Training sessions or demonstrations using ScreenConnect to showcase command-line tools could be misinterpreted as threats. Ensure these sessions are logged and recognized as non-threatening, and adjust the rule to accommodate these scenarios.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
+- Terminate any suspicious processes identified in the alert, such as PowerShell, cmd.exe, or other flagged executables, to halt any ongoing malicious activity.
+- Review and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like net.exe or schtasks.exe.
+- Conduct a thorough scan of the affected system using endpoint protection tools to identify and remove any malware or unauthorized software installed by the attacker.
+- Restore the system from a known good backup if any critical system files or configurations have been altered or compromised.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for ScreenConnect and other remote access tools to detect similar activities in the future, ensuring that alerts are promptly reviewed and acted upon."""
+references = [
+ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
+]
 risk_score = 47
 rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546"
 severity = "medium"
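Review bot: The false-positive bullet carried into this guide, "identify and whitelist specific IT support accounts or IP addresses", cannot be implemented against this rule's events: the query is a `process where ... event.type == "start"` match (its header is visible in the next hunk), and a process-start event carries the user and the parent/child process fields but no remote address, so an IP-based exception has nothing to key on. The wording is moved rather than new, but since the guide is being re-laid out this is the moment to fix it. Suggest rewording the bullet to the fields the rule can see, e.g. `To manage this, add exceptions for the specific IT support accounts (user.name) and the approved child process names and arguments that regularly perform these actions.` Network pivoting belongs in the investigation step that already points at network activity, not in the exception guidance.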
@@ -68,41 +103,6 @@ process where host.os.type == "windows" and event.type == "start" and
 "ssh.exe", "scp.exe", "wevtutil.exe", "wget.exe", "wmic.exe")
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious ScreenConnect Client Child Process
-
-ScreenConnect, a remote access tool, facilitates legitimate remote support but can be exploited by adversaries to execute unauthorized commands. Malicious actors may spawn processes like PowerShell or cmd.exe via ScreenConnect to perform harmful activities. The detection rule identifies such suspicious child processes, focusing on unusual arguments and process names, indicating potential abuse of remote access capabilities.
-
-### Possible investigation steps
-
-- Review the parent process name to confirm it is one of the ScreenConnect client processes listed in the query, such as ScreenConnect.ClientService.exe or ScreenConnect.WindowsClient.exe, to verify the source of the suspicious activity.
-- Examine the child process name and arguments, such as powershell.exe with encoded commands or cmd.exe with /c, to identify potentially malicious actions or commands being executed.
-- Check the network activity associated with the suspicious process, especially if the process arguments include network-related terms like *http* or *downloadstring*, to determine if there is any unauthorized data exfiltration or command and control communication.
-- Investigate the user account under which the suspicious process was executed to assess if the account has been compromised or is being misused.
-- Correlate the event with other security alerts or logs from data sources like Elastic Defend or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activities.
-- Review the system's recent activity and changes, such as new scheduled tasks or services created by schtasks.exe or sc.exe, to identify any persistence mechanisms that may have been established by the attacker.
-
-### False positive analysis
-
-- Legitimate IT support activities using ScreenConnect may trigger the rule when executing scripts or commands for maintenance. To manage this, identify and whitelist specific IT support accounts or IP addresses that regularly perform these actions.
-- Automated scripts or scheduled tasks that use ScreenConnect for routine operations might be flagged. Review and document these scripts, then create exceptions for known benign processes and arguments.
-- Software updates or installations initiated through ScreenConnect can appear suspicious. Maintain a list of approved software and update processes, and exclude these from the rule.
-- Internal security tools or monitoring solutions that leverage ScreenConnect for legitimate purposes may be detected. Verify these tools and add them to an exclusion list to prevent false positives.
-- Training sessions or demonstrations using ScreenConnect to showcase command-line tools could be misinterpreted as threats. Ensure these sessions are logged and recognized as non-threatening, and adjust the rule to accommodate these scenarios.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
-- Terminate any suspicious processes identified in the alert, such as PowerShell, cmd.exe, or other flagged executables, to halt any ongoing malicious activity.
-- Review and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like net.exe or schtasks.exe.
-- Conduct a thorough scan of the affected system using endpoint protection tools to identify and remove any malware or unauthorized software installed by the attacker.
-- Restore the system from a known good backup if any critical system files or configurations have been altered or compromised.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Implement enhanced monitoring and logging for ScreenConnect and other remote access tools to detect similar activities in the future, ensuring that alerts are promptly reviewed and acted upon."""
 [[rule.threat]]
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 63d8333bd37..925a6eb1859 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml
index e9e8295dc50..cd8163a36fb 100644
--- a/rules/windows/command_and_control_tool_transfer_via_curl.toml
+++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml
@@ -2,14 +2,13 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/22"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Curl for Windows making an HTTP request. Adversaries could abuse Curl to download files or upload data to a remote URL.
+Identifies Curl for Windows making an HTTP request. Adversaries could abuse Curl to download files or upload data to a
+remote URL.
 """
 from = "now-9m"
 index = [
diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml
index 1bc611fa876..991ae1f8477 100644
--- a/rules/windows/command_and_control_tunnel_vscode.toml
+++ b/rules/windows/command_and_control_tunnel_vscode.toml
@@ -2,15 +2,13 @@
 creation_date = "2024/09/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-Detects the execution of the VScode portable binary with the tunnel command line option indicating an
-attempt to establish a remote tunnel session to Github or a remote VScode instance.
+Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to
+establish a remote tunnel session to Github or a remote VScode instance.
 """
 from = "now-9m"
 index = [
@@ -26,35 +24,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Establish VScode Remote Tunnel"
-references = [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
- "https://code.visualstudio.com/docs/remote/tunnels"
-]
-risk_score = 47
-rule_id = "0b96dfd8-5b8c-4485-9a1c-69ff7839786a"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Windows Security Event Logs",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.args : "tunnel" and (process.args : "--accept-server-license-terms" or process.name : "code*.exe") and
- not (process.name == "code-tunnel.exe" and process.args == "status" and process.parent.name == "Code.exe")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -90,6 +59,35 @@ Visual Studio Code (VScode) offers a remote tunnel feature enabling developers t
 - Restore the system from a known good backup if any unauthorized changes or malware are detected.
 - Implement network segmentation to limit the ability of similar threats to spread across the environment.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+references = [
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://code.visualstudio.com/docs/remote/tunnels",
+]
+risk_score = 47
+rule_id = "0b96dfd8-5b8c-4485-9a1c-69ff7839786a"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.args : "tunnel" and (process.args : "--accept-server-license-terms" or process.name : "code*.exe") and
+ not (process.name == "code-tunnel.exe" and process.args == "status" and process.parent.name == "Code.exe")
+'''
 [[rule.threat]]
diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
index 9fd97275a1b..e3c6af87519 100644
--- a/rules/windows/credential_access_adidns_wildcard.toml
+++ b/rules/windows/credential_access_adidns_wildcard.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -21,6 +19,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential ADIDNS Poisoning via Wildcard Record Creation"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential ADIDNS Poisoning via Wildcard Record Creation
+
+Active Directory Integrated DNS (ADIDNS) is crucial for maintaining domain consistency by storing DNS zones as AD objects. However, its default permissions allow authenticated users to create DNS records, which adversaries can exploit by adding wildcard records. This enables them to redirect traffic and perform Man-in-the-Middle attacks. The detection rule identifies such abuse by monitoring specific directory service changes indicative of wildcard record creation.
+
+### Possible investigation steps
+
+- Review the event logs on the affected Windows host to confirm the presence of event code 5137, which indicates a directory service object modification.
+- Examine the ObjectDN field in the event data to identify the specific DNS zone where the wildcard record was created, ensuring it starts with "DC=*," to confirm the wildcard nature.
+- Check the user account associated with the event to determine if it is a legitimate account or potentially compromised, focusing on any unusual or unauthorized activity.
+- Investigate recent changes in the DNS zone to identify any other suspicious modifications or patterns that could indicate further malicious activity.
+- Correlate the event with network traffic logs to detect any unusual or redirected traffic patterns that could suggest a Man-in-the-Middle attack.
+- Assess the permissions and access controls on the DNS zones to ensure they are appropriately configured and restrict unnecessary modifications by authenticated users.
+
+### False positive analysis
+
+- Routine administrative changes to DNS records by IT staff can trigger alerts. To manage this, create exceptions for known administrative accounts or specific ObjectDN patterns that correspond to legitimate changes.
+- Automated systems or scripts that update DNS records as part of regular maintenance may cause false positives. Identify these systems and exclude their activity from triggering alerts by filtering based on their unique identifiers or event sources.
+- Software installations or updates that modify DNS settings might be flagged. Monitor and document these activities, and consider excluding them if they are part of a recognized and secure process.
+- Changes made by trusted third-party services that integrate with ADIDNS could be misinterpreted as threats. Verify these services and whitelist their actions to prevent unnecessary alerts.
+- Temporary testing environments that mimic production settings might generate alerts. Ensure these environments are clearly documented and excluded from monitoring if they are known to perform non-threatening wildcard record creations.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further exploitation or data exfiltration.
+- Revoke any potentially compromised credentials associated with the affected system or user accounts involved in the alert.
+- Conduct a thorough review of DNS records in the affected zone to identify and remove any unauthorized wildcard entries.
+- Implement stricter access controls on DNS record creation, limiting permissions to only necessary administrative accounts.
+- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
+- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
+- Update detection mechanisms to include additional indicators of compromise related to ADIDNS abuse, enhancing future threat detection capabilities."""
 references = [
 "https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/",
 "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing",
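Review bot: The first investigation step tells the analyst to look for event code 5137 "on the affected Windows host", but 5137 is a Directory Service Changes event written on the domain controller that processed the change, and it is only emitted when the "Audit Directory Service Changes" subcategory is enabled there (and, as far as I recall, a matching SACL exists on the zone objects); without that the rule's `any where ... event.code == "5137"` query, visible in the next hunk, has no data to match and the guide gives no hint why. If the rule has no `setup` field covering this (not visible in this diff), add a short Setup section to the note or a bullet at the top of the investigation steps, e.g. `- Confirm that Directory Service Changes auditing (event 5137) is enabled on the domain controllers; the rule cannot fire otherwise.` Rewording the first bullet to "on the domain controller" would fix the host reference at the same time. The same two points apply to the guide added in the adidns_wpad hunk further down, whose query also keys on 5137.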
@@ -67,41 +100,6 @@ query = '''
 any where host.os.type == "windows" and event.code == "5137" and startsWith(winlog.event_data.ObjectDN, "DC=*,")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential ADIDNS Poisoning via Wildcard Record Creation
-
-Active Directory Integrated DNS (ADIDNS) is crucial for maintaining domain consistency by storing DNS zones as AD objects. However, its default permissions allow authenticated users to create DNS records, which adversaries can exploit by adding wildcard records. This enables them to redirect traffic and perform Man-in-the-Middle attacks. The detection rule identifies such abuse by monitoring specific directory service changes indicative of wildcard record creation.
-
-### Possible investigation steps
-
-- Review the event logs on the affected Windows host to confirm the presence of event code 5137, which indicates a directory service object modification.
-- Examine the ObjectDN field in the event data to identify the specific DNS zone where the wildcard record was created, ensuring it starts with "DC=*," to confirm the wildcard nature.
-- Check the user account associated with the event to determine if it is a legitimate account or potentially compromised, focusing on any unusual or unauthorized activity.
-- Investigate recent changes in the DNS zone to identify any other suspicious modifications or patterns that could indicate further malicious activity.
-- Correlate the event with network traffic logs to detect any unusual or redirected traffic patterns that could suggest a Man-in-the-Middle attack.
-- Assess the permissions and access controls on the DNS zones to ensure they are appropriately configured and restrict unnecessary modifications by authenticated users.
-
-### False positive analysis
-
-- Routine administrative changes to DNS records by IT staff can trigger alerts. To manage this, create exceptions for known administrative accounts or specific ObjectDN patterns that correspond to legitimate changes.
-- Automated systems or scripts that update DNS records as part of regular maintenance may cause false positives. Identify these systems and exclude their activity from triggering alerts by filtering based on their unique identifiers or event sources.
-- Software installations or updates that modify DNS settings might be flagged. Monitor and document these activities, and consider excluding them if they are part of a recognized and secure process.
-- Changes made by trusted third-party services that integrate with ADIDNS could be misinterpreted as threats. Verify these services and whitelist their actions to prevent unnecessary alerts.
-- Temporary testing environments that mimic production settings might generate alerts. Ensure these environments are clearly documented and excluded from monitoring if they are known to perform non-threatening wildcard record creations.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further exploitation or data exfiltration.
-- Revoke any potentially compromised credentials associated with the affected system or user accounts involved in the alert.
-- Conduct a thorough review of DNS records in the affected zone to identify and remove any unauthorized wildcard entries.
-- Implement stricter access controls on DNS record creation, limiting permissions to only necessary administrative accounts.
-- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
-- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
-- Update detection mechanisms to include additional indicators of compromise related to ADIDNS abuse, enhancing future threat detection capabilities."""
 [[rule.threat]]
diff --git a/rules/windows/credential_access_adidns_wpad_record.toml b/rules/windows/credential_access_adidns_wpad_record.toml
index aefa64bd7b5..06fa86eb8d8 100644
--- a/rules/windows/credential_access_adidns_wpad_record.toml
+++ b/rules/windows/credential_access_adidns_wpad_record.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential WPAD Spoofing via DNS Record Creation"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential WPAD Spoofing via DNS Record Creation
+
+Web Proxy Auto-Discovery (WPAD) helps devices automatically detect proxy settings, crucial for network efficiency. However, attackers can exploit WPAD by creating malicious DNS records, tricking systems into using rogue proxies for data interception. The detection rule identifies suspicious DNS record changes, specifically targeting WPAD entries, to flag potential spoofing attempts, aiding in early threat detection and mitigation.
+
+### Possible investigation steps
+
+- Review the event logs for the specific event code "5137" to identify the creation or modification of the "wpad" DNS record. Focus on the details provided in the winlog.event_data.ObjectDN field to confirm the presence of "DC=wpad,*".
+- Check the Active Directory change history to determine who made the changes to the DNS records and whether these changes were authorized.
+- Investigate the user account associated with the directory service change event to assess if it has been compromised or if there are any signs of unauthorized access.
+- Analyze network traffic to and from the "wpad" DNS record to identify any suspicious activity or connections to rogue proxy servers.
+- Verify the configuration of the Global Query Block List (GQBL) to ensure it has not been disabled or altered, which could allow unauthorized WPAD entries.
+- Cross-reference the alert with other security logs and alerts to identify any related suspicious activities or patterns that could indicate a broader attack campaign.
+
+### False positive analysis
+
+- Legitimate network changes may trigger alerts if a new WPAD DNS record is created intentionally for network configuration. Verify with network administrators if such changes were planned.
+- Automated scripts or software updates that modify DNS records can cause false positives. Review the source of the change and consider excluding known benign scripts or update processes.
+- Test environments often simulate DNS changes, including WPAD entries, for development purposes. Exclude these environments from monitoring if they are known to generate non-threatening alerts.
+- Some organizations may have legacy systems that rely on WPAD configurations. Document these systems and create exceptions for their DNS changes to avoid unnecessary alerts.
+- Regular audits of the Global Query Block List settings can help identify and exclude expected changes, reducing false positives related to WPAD record creation.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further data interception or lateral movement by the rogue proxy.
+- Verify and restore the integrity of the DNS records by removing any unauthorized "wpad" entries and re-enabling the Global Query Block List (GQBL) if it was disabled.
+- Conduct a thorough review of Active Directory logs to identify any unauthorized changes or suspicious activities related to directory service modifications.
+- Reset credentials for any accounts that may have been compromised or accessed during the incident to prevent unauthorized access.
+- Implement network segmentation to limit the exposure of critical systems to potential WPAD spoofing attacks.
+- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or data were affected.
+- Update and enhance monitoring rules to detect similar WPAD spoofing attempts in the future, ensuring timely alerts and responses."""
 references = [
 "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing",
 "https://cube0x0.github.io/Pocing-Beyond-DA/",
@@ -63,41 +96,6 @@ type = "eql" query = ''' any where host.os.type == "windows" and event.code == "5137" and winlog.event_data.ObjectDN : "DC=wpad,*" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential WPAD Spoofing via DNS Record Creation - -Web Proxy Auto-Discovery (WPAD) helps devices automatically detect proxy settings, crucial for network efficiency. However, attackers can exploit WPAD by creating malicious DNS records, tricking systems into using rogue proxies for data interception. The detection rule identifies suspicious DNS record changes, specifically targeting WPAD entries, to flag potential spoofing attempts, aiding in early threat detection and mitigation. - -### Possible investigation steps - -- Review the event logs for the specific event code "5137" to identify the creation or modification of the "wpad" DNS record. Focus on the details provided in the winlog.event_data.ObjectDN field to confirm the presence of "DC=wpad,*". -- Check the Active Directory change history to determine who made the changes to the DNS records and whether these changes were authorized. -- Investigate the user account associated with the directory service change event to assess if it has been compromised or if there are any signs of unauthorized access. -- Analyze network traffic to and from the "wpad" DNS record to identify any suspicious activity or connections to rogue proxy servers. -- Verify the configuration of the Global Query Block List (GQBL) to ensure it has not been disabled or altered, which could allow unauthorized WPAD entries. 
-- Cross-reference the alert with other security logs and alerts to identify any related suspicious activities or patterns that could indicate a broader attack campaign. - -### False positive analysis - -- Legitimate network changes may trigger alerts if a new WPAD DNS record is created intentionally for network configuration. Verify with network administrators if such changes were planned. -- Automated scripts or software updates that modify DNS records can cause false positives. Review the source of the change and consider excluding known benign scripts or update processes. -- Test environments often simulate DNS changes, including WPAD entries, for development purposes. Exclude these environments from monitoring if they are known to generate non-threatening alerts. -- Some organizations may have legacy systems that rely on WPAD configurations. Document these systems and create exceptions for their DNS changes to avoid unnecessary alerts. -- Regular audits of the Global Query Block List settings can help identify and exclude expected changes, reducing false positives related to WPAD record creation. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further data interception or lateral movement by the rogue proxy. -- Verify and restore the integrity of the DNS records by removing any unauthorized "wpad" entries and re-enabling the Global Query Block List (GQBL) if it was disabled. -- Conduct a thorough review of Active Directory logs to identify any unauthorized changes or suspicious activities related to directory service modifications. -- Reset credentials for any accounts that may have been compromised or accessed during the incident to prevent unauthorized access. -- Implement network segmentation to limit the exposure of critical systems to potential WPAD spoofing attacks. 
-- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or data were affected. -- Update and enhance monitoring rules to detect similar WPAD spoofing attempts in the future, ensuring timely alerts and responses.""" [[rule.threat]] diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml index 20b39abf7e7..acf397f3138 100644 --- a/rules/windows/credential_access_bruteforce_admin_account.toml +++ b/rules/windows/credential_access_bruteforce_admin_account.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml index 1a01a5b163a..aca1831644c 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml index e3cf7a78f5b..a68638dd960 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml 
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 96caa2b51a0..70779e976fb 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 14e2e20d979..5057638d046 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index e6e093b01bb..2b04a3c5a5f 100644
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 4c05c46ded4..0aae0785b6a 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/12/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 92a17b401f3..510eb400440 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml
index 4375ab76ddb..da206e94d32 100644
--- a/rules/windows/credential_access_dcsync_user_backdoor.toml
+++ b/rules/windows/credential_access_dcsync_user_backdoor.toml
@@ -2,9 +2,7 @@ creation_date = "2024/07/10" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -75,12 +73,21 @@ references = [ "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes", - "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set" + "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set", ] risk_score = 47 rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -96,22 +103,22 @@ event.code:"5136" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.006" +name = "DCSync" +reference = "https://attack.mitre.org/techniques/T1003/006/" - [[rule.threat.technique]] - id = "T1003" - reference = "https://attack.mitre.org/techniques/T1003/" - name = "OS Credential Dumping" - - [[rule.threat.technique.subtechnique]] - id = "T1003.006" - reference = "https://attack.mitre.org/techniques/T1003/006/" - name = "DCSync" [rule.threat.tactic] id = "TA0006" -reference = "https://attack.mitre.org/tactics/TA0006/" name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index 94d814c6284..f69365d6a48 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml index 4eb3b83a97b..4dd21727dec 100644 --- a/rules/windows/credential_access_dnsnode_creation.toml +++ b/rules/windows/credential_access_dnsnode_creation.toml 
@@ -2,9 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +19,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Creation of a DNS-Named Record" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Creation of a DNS-Named Record + +Active Directory Integrated DNS (ADIDNS) is crucial for maintaining domain consistency by storing DNS zones as AD objects. However, its default permissions can be exploited by attackers to create DNS records for spoofing attacks, targeting services like WPAD. The detection rule identifies such abuse by monitoring specific Windows events related to DNS record creation, filtering out legitimate system accounts to highlight potential threats. + +### Possible investigation steps + +- Review the event logs for event code 5137 to identify the specific DNS-named record that was created and the associated timestamp. +- Examine the winlog.event_data.SubjectUserName field to determine the user account that initiated the DNS record creation, ensuring it is not a system account. +- Investigate the context around the winlog.event_data.ObjectClass field to confirm the object class is "dnsNode" and assess if the DNS record creation aligns with expected administrative activities. +- Check for any recent LLMNR/NBT-NS requests or network traffic that might indicate an attempt to exploit the newly created DNS record for spoofing purposes. +- Correlate the alert with other security events or logs to identify any patterns or anomalies that might suggest malicious intent or unauthorized access attempts. 
+- Assess the risk and impact of the DNS record creation by determining if it targets critical services like WPAD or other sensitive systems within the network. + +### False positive analysis + +- Legitimate administrative actions may trigger the rule when DNS records are created or modified by IT staff. To manage this, create exceptions for known administrative accounts that regularly perform these tasks. +- Automated system processes or scripts that update DNS records can also cause false positives. Identify these processes and exclude their associated accounts from the rule to prevent unnecessary alerts. +- Service accounts used by legitimate applications to dynamically update DNS records might be flagged. Review these accounts and add them to an exception list if they are verified as non-threatening. +- Temporary network changes or testing environments where DNS records are frequently modified can lead to false positives. Consider excluding these environments or specific IP ranges from the rule to reduce noise. +- Regularly review and update the exception list to ensure it reflects current network and administrative practices, minimizing the risk of overlooking genuine threats. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further malicious DNS record creation and potential spoofing attacks. +- Review and remove any unauthorized DNS records created by non-system accounts, focusing on those targeting services like WPAD. +- Reset credentials for any accounts that were potentially compromised or used in the attack to prevent further unauthorized access. +- Implement stricter access controls on DNS record creation within Active Directory to limit permissions to only necessary and trusted accounts. +- Monitor for any further suspicious DNS record creation events, particularly those involving non-system accounts, to detect and respond to potential follow-up attacks. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or services were affected. +- Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent similar incidents in the future.""" references = [ "https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing", 
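Review bot: The overview sentence and the second investigation step describe the rule as "filtering out legitimate system accounts", but the query this guide documents excludes only `winlog.event_data.SubjectUserName : "*$"`, i.e. any actor name ending in `$`; a computer account under attacker control is therefore dropped from the alert, while a non-`$` service or admin account is not treated as trusted. Suggest stating the real filter in the overview so triage does not assume a `$`-suffixed actor was vetted, e.g. `The rule excludes only actors whose SubjectUserName ends in "$" (computer accounts); records created through an attacker-controlled machine account will not alert and should be hunted separately.` The first response step, `Immediately isolate the affected system`, also needs scoping: event 5137 is a directory-service change event logged on the domain controller holding the object, so the host to isolate is the actor's source machine, not the DC that recorded it. The query the guide refers to sits outside this hunk, later in the file.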
@@ -67,41 +100,6 @@ query = ''' any where host.os.type == "windows" and event.code == "5137" and winlog.event_data.ObjectClass == "dnsNode" and not winlog.event_data.SubjectUserName : "*$" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Creation of a DNS-Named Record - -Active Directory Integrated DNS (ADIDNS) is crucial for maintaining domain consistency by storing DNS zones as AD objects. However, its default permissions can be exploited by attackers to create DNS records for spoofing attacks, targeting services like WPAD. The detection rule identifies such abuse by monitoring specific Windows events related to DNS record creation, filtering out legitimate system accounts to highlight potential threats. - -### Possible investigation steps - -- Review the event logs for event code 5137 to identify the specific DNS-named record that was created and the associated timestamp. -- Examine the winlog.event_data.SubjectUserName field to determine the user account that initiated the DNS record creation, ensuring it is not a system account. -- Investigate the context around the winlog.event_data.ObjectClass field to confirm the object class is "dnsNode" and assess if the DNS record creation aligns with expected administrative activities. -- Check for any recent LLMNR/NBT-NS requests or network traffic that might indicate an attempt to exploit the newly created DNS record for spoofing purposes. -- Correlate the alert with other security events or logs to identify any patterns or anomalies that might suggest malicious intent or unauthorized access attempts. 
-- Assess the risk and impact of the DNS record creation by determining if it targets critical services like WPAD or other sensitive systems within the network. - -### False positive analysis - -- Legitimate administrative actions may trigger the rule when DNS records are created or modified by IT staff. To manage this, create exceptions for known administrative accounts that regularly perform these tasks. -- Automated system processes or scripts that update DNS records can also cause false positives. Identify these processes and exclude their associated accounts from the rule to prevent unnecessary alerts. -- Service accounts used by legitimate applications to dynamically update DNS records might be flagged. Review these accounts and add them to an exception list if they are verified as non-threatening. -- Temporary network changes or testing environments where DNS records are frequently modified can lead to false positives. Consider excluding these environments or specific IP ranges from the rule to reduce noise. -- Regularly review and update the exception list to ensure it reflects current network and administrative practices, minimizing the risk of overlooking genuine threats. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further malicious DNS record creation and potential spoofing attacks. -- Review and remove any unauthorized DNS records created by non-system accounts, focusing on those targeting services like WPAD. -- Reset credentials for any accounts that were potentially compromised or used in the attack to prevent further unauthorized access. -- Implement stricter access controls on DNS record creation within Active Directory to limit permissions to only necessary and trusted accounts. -- Monitor for any further suspicious DNS record creation events, particularly those involving non-system accounts, to detect and respond to potential follow-up attacks. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or services were affected. -- Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent similar incidents in the future.""" [[rule.threat]] diff --git a/rules/windows/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml index 6e808140f3d..6a835e24579 100644 --- a/rules/windows/credential_access_dollar_account_relay.toml +++ b/rules/windows/credential_access_dollar_account_relay.toml @@ -2,9 +2,7 @@ creation_date = "2024/07/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,39 +16,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential Relay Attack against a Domain Controller" -references = [ - "https://github.com/p0dalirius/windows-coerced-authentication-methods", - "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", - "https://attack.mitre.org/techniques/T1187/", -] -risk_score = 21 -rule_id = "263481c8-1e9b-492e-912d-d1760707f810" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Active Directory", - "Use Case: Active Directory Monitoring", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and - winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and - - /* Filter for a machine account that matches the hostname */ - startswith~(host.name, substring(user.name, 0, -1)) and - - /* Verify if the Source IP belongs to the host */ - not endswith(string(source.ip), string(host.ip)) and - source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -86,6 +51,39 @@ Domain Controllers (DCs) are critical in managing authentication within Windows - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach. - Deploy additional monitoring and detection mechanisms to identify similar relay attack patterns in the future, enhancing the detection capabilities for NTLM relay attacks. - Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence, ensuring lessons learned are applied to improve overall security posture.""" +references = [ + "https://github.com/p0dalirius/windows-coerced-authentication-methods", + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", + "https://attack.mitre.org/techniques/T1187/", +] +risk_score = 21 +rule_id = "263481c8-1e9b-492e-912d-d1760707f810" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and + winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and + + /* Filter for a machine account that matches the hostname */ + startswith~(host.name, substring(user.name, 0, -1)) and + + /* Verify if the Source IP belongs to the host */ + not endswith(string(source.ip), string(host.ip)) and + source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1" +''' [[rule.threat]] 
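Review bot: The loopback exclusion on the last line of the re-added query, `source.ip != "::1" and source.ip != "127.0.0.1"`, covers only two literal addresses, so a network logon whose source.ip is any other 127.0.0.0/8 address still passes the filter and can fire the rule on the host's own NTLM traffic. A range check closes that gap: `not cidrMatch(source.ip, "127.0.0.0/8", "::1/128")`. The preceding `not endswith(string(source.ip), string(host.ip))` comparison is a string-suffix heuristic, and because host.ip may be multi-valued its behaviour on multi-homed hosts is worth confirming; the `/* Verify if the Source IP belongs to the host */` comment reads as a guarantee, so `/* Best-effort: suffix match on host.ip, may mismatch on multi-homed hosts */` would be more honest. The rule's threat mapping follows outside this hunk.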
@@ -105,6 +103,7 @@ name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 58d2a58bdf1..25f74db6270 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,15 @@ Identifies the creation or modification of Domain Backup private keys. Adversari (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", + "logs-crowdstrike.fdr*", +] language = "eql" license = "Elastic License v2" name = "Creation or Modification of Domain Backup DPAPI private key" 
@@ -28,7 +34,19 @@ references = [ risk_score = 73 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index f1ccc8b6b77..18de8dbd6f7 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml index 6b1d013fbfe..01dd1f39038 100644 --- a/rules/windows/credential_access_generic_localdumps.toml +++ b/rules/windows/credential_access_generic_localdumps.toml 
@@ -2,9 +2,7 @@
 creation_date = "2022/08/28"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -16,41 +14,16 @@ the credentials present on the system without having to bring malware to the sys default, and applications must create their registry subkeys to hold settings that enable them to collect dumps. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Full User-Mode Dumps Enabled System-Wide" -references = [ - "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", - "https://github.com/deepinstinct/Lsass-Shtinkering", - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", -] -risk_score = 47 -rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and - registry.path : ( - "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType", - "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" - ) and - registry.data.strings : ("2", "0x00000002") and - not (process.executable : "?:\\Windows\\system32\\svchost.exe" and user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -85,6 +58,37 @@ Full user-mode dumps are a diagnostic feature in Windows that captures detailed
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and alerting for similar registry changes across the network to detect and respond to future attempts promptly.
 - Review and update endpoint protection configurations to ensure they are capable of detecting and blocking similar credential dumping techniques."""
+references = [
+ "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+]
+risk_score = 47
+rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and
+ registry.path : (
+ "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType",
+ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType"
+ ) and
+ registry.data.strings : ("2", "0x00000002") and
+ not (process.executable : "?:\\Windows\\system32\\svchost.exe" and user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20"))
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 3982f2e52c9..ad8287b9688 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -29,35 +27,6 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Microsoft IIS Connection Strings Decryption"
-references = [
- "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
-]
-risk_score = 73
-rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
- process.args : "connectionStrings" and process.args : "-pdf"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -93,6 +62,35 @@ Microsoft IIS often stores sensitive connection strings in encrypted form to sec
 - Restore the IIS server from a known good backup taken before the compromise, ensuring that any webshells or malicious scripts are removed.
 - Implement enhanced monitoring and alerting for any future unauthorized use of aspnet_regiis.exe, focusing on the specific arguments used in the detection query.
 - Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the broader impact on the organization."""
+references = [
+ "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
+]
+risk_score = 73
+rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
+ process.args : "connectionStrings" and process.args : "-pdf"
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
index 4238e58285e..cba25263080 100644
--- a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
+++ b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/14"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -17,43 +15,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_
 language = "eql"
 license = "Elastic License v2"
 name = "Untrusted DLL Loaded by Azure AD Sync Service"
-references = [
-"https://blog.xpnsec.com/azuread-connect-for-redteam/",
-"https://medium.com/@breakingmhet/detect-azure-pass-through-authentication-abuse-azure-hybrid-environments-ed4274784252",
-"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass-through-authentication"
-]
-risk_score = 73
-rule_id = "f909075d-afc7-42d7-b399-600b94352fd9"
-severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-any where host.os.type == "windows" and process.name : "AzureADConnectAuthenticationAgentService.exe" and
-(
- (event.category == "library" and event.action == "load") or
- (event.category == "process" and event.action : "Image loaded*")
-) and
-
-not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid") and not
-
- (
- /* Elastic defend DLL path */
- ?dll.path :
- ("?:\\Windows\\assembly\\NativeImages*",
- "?:\\Windows\\Microsoft.NET\\*",
- "?:\\Windows\\WinSxS\\*",
- "?:\\Windows\\System32\\DriverStore\\FileRepository\\*") or
-
- /* Sysmon DLL path is mapped to file.path */
- file.path :
- ("?:\\Windows\\assembly\\NativeImages*",
- "?:\\Windows\\Microsoft.NET\\*",
- "?:\\Windows\\WinSxS\\*",
- "?:\\Windows\\System32\\DriverStore\\FileRepository\\*")
- )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -89,6 +50,51 @@ Azure AD Sync Service facilitates identity synchronization between on-premises d
 - Change all credentials that may have been exposed or compromised, focusing on those related to Azure AD and on-premises directory services.
 - Implement application whitelisting to prevent unauthorized DLLs from being loaded by critical processes like Azure AD Sync.
 - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected."""
+references = [
+ "https://blog.xpnsec.com/azuread-connect-for-redteam/",
+ "https://medium.com/@breakingmhet/detect-azure-pass-through-authentication-abuse-azure-hybrid-environments-ed4274784252",
+ "https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass-through-authentication",
+]
+risk_score = 73
+rule_id = "f909075d-afc7-42d7-b399-600b94352fd9"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and process.name : "AzureADConnectAuthenticationAgentService.exe" and
+(
+ (event.category == "library" and event.action == "load") or
+ (event.category == "process" and event.action : "Image loaded*")
+) and
+
+not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid") and not
+
+ (
+ /* Elastic defend DLL path */
+ ?dll.path :
+ ("?:\\Windows\\assembly\\NativeImages*",
+ "?:\\Windows\\Microsoft.NET\\*",
+ "?:\\Windows\\WinSxS\\*",
+ "?:\\Windows\\System32\\DriverStore\\FileRepository\\*") or
+
+ /* Sysmon DLL path is mapped to file.path */
+ file.path :
+ ("?:\\Windows\\assembly\\NativeImages*",
+ "?:\\Windows\\Microsoft.NET\\*",
+ "?:\\Windows\\WinSxS\\*",
+ "?:\\Windows\\System32\\DriverStore\\FileRepository\\*")
+ )
+'''
 [[rule.threat]]
@@ -103,3 +109,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 7977da3371d..7f3932dcef5 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml
index f1587fef43e..8f5e1c47d75 100644
--- a/rules/windows/credential_access_kirbi_file.toml
+++ b/rules/windows/credential_access_kirbi_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,20 +12,18 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P
 attacker to impersonate users using Kerberos tickets.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*", "endgame-*", "logs-crowdstrike.fdr*"]
+index = [
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+ "winlogbeat-*",
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Kirbi File Creation"
-risk_score = 73
-rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
-severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -63,6 +59,28 @@ Kirbi files are associated with Kerberos, a network authentication protocol used
 - Revoke all active Kerberos tickets and force re-authentication for all users to ensure that any stolen tickets are rendered useless.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
 - Implement enhanced monitoring and logging for Kerberos-related activities to detect and respond to similar threats more effectively in the future."""
+risk_score = 73
+rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Elastic Endgame",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
+'''
 
 
 [[rule.threat]]
@@ -78,7 +96,6 @@ name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
 
 
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
index 5dda53662d0..61067e5b634 100644
--- a/rules/windows/credential_access_ldap_attributes.toml
+++ b/rules/windows/credential_access_ldap_attributes.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access to a Sensitive LDAP Attribute"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Access to a Sensitive LDAP Attribute
+
+LDAP (Lightweight Directory Access Protocol) is crucial for accessing and managing directory information in Active Directory environments. Adversaries may exploit LDAP to access sensitive attributes like passwords and decryption keys, facilitating credential theft or privilege escalation. The detection rule identifies unauthorized access attempts by monitoring specific event codes and attribute identifiers, excluding benign activities to reduce noise, thus highlighting potential security threats.
+
+### Possible investigation steps
+
+- Review the event logs for event code 4662 to identify the specific user or process attempting to access the sensitive LDAP attributes.
+- Check the winlog.event_data.SubjectUserSid to determine the identity of the user or service account involved in the access attempt, excluding the well-known SID S-1-5-18 (Local System).
+- Analyze the winlog.event_data.Properties field to confirm which sensitive attribute was accessed, such as unixUserPassword, ms-PKI-AccountCredentials, or msPKI-CredentialRoamingTokens.
+- Investigate the context of the access attempt by correlating the event with other logs or alerts around the same timestamp to identify any suspicious patterns or activities.
+- Verify the legitimacy of the access by checking if the user or process has a valid reason or permission to access the sensitive attributes, considering the organization's access control policies.
+- Assess the potential impact of the access attempt on the organization's security posture, focusing on credential theft or privilege escalation risks.
+- Document findings and, if necessary, escalate the incident to the appropriate security team for further action or remediation.
+
+### False positive analysis
+
+- Access by legitimate administrative accounts: Regular access by system administrators to sensitive LDAP attributes can trigger alerts. To manage this, create exceptions for known administrative accounts by excluding their SIDs from the detection rule.
+- Scheduled system processes: Automated tasks or system processes that require access to certain LDAP attributes may cause false positives. Identify these processes and exclude their specific event codes or AccessMasks if they are consistently benign.
+- Service accounts: Service accounts that perform routine directory operations might access sensitive attributes as part of their normal function. Exclude these accounts by adding their SIDs to the exception list to prevent unnecessary alerts.
+- Monitoring tools: Security or monitoring tools that scan directory attributes for compliance or auditing purposes can generate false positives. Whitelist these tools by excluding their event sources or specific actions from the detection criteria.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Conduct a thorough review of the access logs to identify any unauthorized users or systems that accessed the sensitive LDAP attributes.
+- Reset passwords and revoke any potentially compromised credentials associated with the affected accounts, focusing on those with access to sensitive attributes.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
+- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to access sensitive LDAP attributes.
+- Review and update access controls and permissions for sensitive LDAP attributes to ensure they are restricted to only necessary personnel.
+- Conduct a post-incident analysis to identify any gaps in security controls and update policies or procedures to prevent similar incidents in the future."""
 references = [
 "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
 "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
@@ -81,41 +114,6 @@ any where event.code == "4662" and
 */
 not winlog.event_data.AccessMask in ("0x0", "0x100")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Access to a Sensitive LDAP Attribute
-
-LDAP (Lightweight Directory Access Protocol) is crucial for accessing and managing directory information in Active Directory environments. Adversaries may exploit LDAP to access sensitive attributes like passwords and decryption keys, facilitating credential theft or privilege escalation. The detection rule identifies unauthorized access attempts by monitoring specific event codes and attribute identifiers, excluding benign activities to reduce noise, thus highlighting potential security threats.
-
-### Possible investigation steps
-
-- Review the event logs for event code 4662 to identify the specific user or process attempting to access the sensitive LDAP attributes.
-- Check the winlog.event_data.SubjectUserSid to determine the identity of the user or service account involved in the access attempt, excluding the well-known SID S-1-5-18 (Local System).
-- Analyze the winlog.event_data.Properties field to confirm which sensitive attribute was accessed, such as unixUserPassword, ms-PKI-AccountCredentials, or msPKI-CredentialRoamingTokens.
-- Investigate the context of the access attempt by correlating the event with other logs or alerts around the same timestamp to identify any suspicious patterns or activities.
-- Verify the legitimacy of the access by checking if the user or process has a valid reason or permission to access the sensitive attributes, considering the organization's access control policies.
-- Assess the potential impact of the access attempt on the organization's security posture, focusing on credential theft or privilege escalation risks.
-- Document findings and, if necessary, escalate the incident to the appropriate security team for further action or remediation.
-
-### False positive analysis
-
-- Access by legitimate administrative accounts: Regular access by system administrators to sensitive LDAP attributes can trigger alerts. To manage this, create exceptions for known administrative accounts by excluding their SIDs from the detection rule.
-- Scheduled system processes: Automated tasks or system processes that require access to certain LDAP attributes may cause false positives. Identify these processes and exclude their specific event codes or AccessMasks if they are consistently benign.
-- Service accounts: Service accounts that perform routine directory operations might access sensitive attributes as part of their normal function. Exclude these accounts by adding their SIDs to the exception list to prevent unnecessary alerts.
-- Monitoring tools: Security or monitoring tools that scan directory attributes for compliance or auditing purposes can generate false positives. Whitelist these tools by excluding their event sources or specific actions from the detection criteria.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
-- Conduct a thorough review of the access logs to identify any unauthorized users or systems that accessed the sensitive LDAP attributes.
-- Reset passwords and revoke any potentially compromised credentials associated with the affected accounts, focusing on those with access to sensitive attributes.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
-- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to access sensitive LDAP attributes.
-- Review and update access controls and permissions for sensitive LDAP attributes to ensure they are restricted to only necessary personnel.
-- Conduct a post-incident analysis to identify any gaps in security controls and update policies or procedures to prevent similar incidents in the future."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index c3881e95792..3ec2f3d6502 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/06/29"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,39 +16,6 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious LSASS Access via MalSecLogon"
-references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"]
-risk_score = 73
-rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.code == "10" and
- winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
-
- /* seclogon service accessing lsass */
- winlog.event_data.CallTrace : "*seclogon.dll*" and process.name : "svchost.exe" and
-
- /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */
- winlog.event_data.GrantedAccess == "0x14c0"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -85,6 +50,39 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for managing s
 - Collect and preserve relevant logs and forensic data from the affected system for further analysis and potential legal action.
 - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the full scope of the breach.
 - Implement additional monitoring and alerting for similar suspicious activities involving LSASS and seclogon.dll to enhance detection capabilities."""
+references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"]
+risk_score = 73
+rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
+setup = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.code == "10" and
+ winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
+
+ /* seclogon service accessing lsass */
+ winlog.event_data.CallTrace : "*seclogon.dll*" and process.name : "svchost.exe" and
+
+ /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */
+ winlog.event_data.GrantedAccess == "0x14c0"
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index 31610e3dd41..2dd0821b645 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -40,7 +38,14 @@ indicate a credential access attempt via trusted system utilities such as Task M
 (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Memory Dump Creation"
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index 4a1f3af0b96..eb631b3b352 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index addbde90c98..f85adb5f6f8 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -2,15 +2,20 @@
 creation_date = "2020/08/31"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies the password log file from the default Mimikatz memssp module."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Mimikatz Memssp Log File Detected"
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index ef51cb564a2..1ae501525f9 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 7dd04a08fe6..00f419dbbcb 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +13,13 @@ an endpoint. Once the UseLogonCredential value is modified, the adversary may at
 memory.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Modification of WDigest Security Provider"
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 6ffc0fe8fc4..3f82b5ebbed 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/18"
 integration = ["endpoint", "m365_defender", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -41,7 +39,13 @@ during user logon.
 """
 false_positives = ["Authorized third party network logon providers."]
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Logon Provider Registry Modification"
diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
index 4f7d07531b8..5ed3b282ed1 100644
--- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml
+++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
index 49ae8aa5e85..e8db8ccd2bd 100644
--- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml
+++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/07/26"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 9a743631e87..5be837e3534 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/05"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml
index 84466912e4b..6909bc97c9b 100644
--- a/rules/windows/credential_access_posh_relay_tools.toml
+++ b/rules/windows/credential_access_posh_relay_tools.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/10"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,41 @@ index = ["winlogbeat-*", "logs-windows.powershell*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential PowerShell Pass-the-Hash/Relay Script"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential PowerShell Pass-the-Hash/Relay Script
+
+PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell to perform pass-the-hash attacks, where they use stolen hashed credentials to authenticate without knowing the actual password. The detection rule identifies scripts attempting to execute such attacks by monitoring for specific NTLM negotiation patterns and hex sequences indicative of credential relay activities, while excluding legitimate system processes.
+
+### Possible investigation steps
+
+- Review the PowerShell script block text associated with the alert to identify any suspicious patterns or hex sequences, such as "NTLMSSPNegotiate" or specific hex values like "4E544C4D53535000".
+- Check the process execution details, including the parent process and command line arguments, to determine if the script was executed by a legitimate user or process.
+- Investigate the source and destination IP addresses involved in the NTLM negotiation to identify any unusual or unauthorized network activity.
+- Examine the user account associated with the process to verify if it has been compromised or if there are any signs of unauthorized access.
+- Correlate the alert with other security events or logs, such as Windows Event Logs or network traffic logs, to gather additional context and identify potential lateral movement or further compromise.
+- Assess the file directory from which the script was executed, ensuring it is not a known safe location like "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads", which is excluded in the query.
+
+### False positive analysis
+
+- Legitimate system processes may occasionally trigger the rule if they perform operations that mimic NTLM negotiation patterns. To manage this, users can create exceptions for specific processes known to be safe by excluding their file paths or hashes.
+- Security tools or network monitoring solutions that perform NTLM authentication checks might generate false positives. Users should identify these tools and exclude their associated scripts or directories from the detection rule.
+- Automated scripts for system administration that involve NTLM authentication could be flagged. Review these scripts and, if verified as safe, add them to an exclusion list based on their directory or script block text.
+- PowerShell scripts used for legitimate penetration testing or security assessments may trigger alerts. Ensure these activities are documented and exclude the relevant scripts or directories during the testing period.
+- Regular updates or patches from Microsoft might include scripts that temporarily match the detection criteria. Monitor updates and adjust exclusions as necessary to prevent false positives from these legitimate updates.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further credential relay or unauthorized access.
+- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities.
+- Conduct a thorough review of recent authentication logs and network traffic from the isolated system to identify any lateral movement or additional compromised accounts.
+- Reset passwords for any accounts suspected to be compromised, ensuring that new credentials are not reused or easily guessable.
+- Apply patches and updates to the affected system and any other vulnerable systems to mitigate known exploits used in pass-the-hash attacks.
+- Implement network segmentation to limit the spread of similar attacks in the future, focusing on restricting access to critical systems and sensitive data.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = [
 "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1",
 "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1",
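Review bot: The relocated guide's step `- Investigate the source and destination IP addresses involved in the NTLM negotiation ...` cannot be carried out from this rule's own events: the query runs over `logs-windows.powershell*` script block records (`event.category:process`, `language = "kuery"`), which carry the script text but no network endpoints, so an analyst following it literally will find nothing to look at. Rewording it to `- Correlate the script block event with authentication and network logs from the same host and time window (for example NTLM logon events) to identify the relay target` keeps the step actionable. The neighbouring step that calls `C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads` a "known safe location" also deserves a caveat, since the `file.directory` exclusion in the query is a blind spot for anything executed from that path; suggest "excluded by the query, verify the file there is expected rather than assuming it is safe". The guide text itself is unchanged by this commit, only moved.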
@@ -68,41 +101,6 @@ event.category:process and host.os.type:windows and
 ) and not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential PowerShell Pass-the-Hash/Relay Script
-
-PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell to perform pass-the-hash attacks, where they use stolen hashed credentials to authenticate without knowing the actual password. The detection rule identifies scripts attempting to execute such attacks by monitoring for specific NTLM negotiation patterns and hex sequences indicative of credential relay activities, while excluding legitimate system processes.
-
-### Possible investigation steps
-
-- Review the PowerShell script block text associated with the alert to identify any suspicious patterns or hex sequences, such as "NTLMSSPNegotiate" or specific hex values like "4E544C4D53535000".
-- Check the process execution details, including the parent process and command line arguments, to determine if the script was executed by a legitimate user or process.
-- Investigate the source and destination IP addresses involved in the NTLM negotiation to identify any unusual or unauthorized network activity.
-- Examine the user account associated with the process to verify if it has been compromised or if there are any signs of unauthorized access.
-- Correlate the alert with other security events or logs, such as Windows Event Logs or network traffic logs, to gather additional context and identify potential lateral movement or further compromise.
-- Assess the file directory from which the script was executed, ensuring it is not a known safe location like "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads", which is excluded in the query.
-
-### False positive analysis
-
-- Legitimate system processes may occasionally trigger the rule if they perform operations that mimic NTLM negotiation patterns. To manage this, users can create exceptions for specific processes known to be safe by excluding their file paths or hashes.
-- Security tools or network monitoring solutions that perform NTLM authentication checks might generate false positives. Users should identify these tools and exclude their associated scripts or directories from the detection rule.
-- Automated scripts for system administration that involve NTLM authentication could be flagged. Review these scripts and, if verified as safe, add them to an exclusion list based on their directory or script block text.
-- PowerShell scripts used for legitimate penetration testing or security assessments may trigger alerts. Ensure these activities are documented and exclude the relevant scripts or directories during the testing period.
-- Regular updates or patches from Microsoft might include scripts that temporarily match the detection criteria. Monitor updates and adjust exclusions as necessary to prevent false positives from these legitimate updates.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further credential relay or unauthorized access.
-- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities.
-- Conduct a thorough review of recent authentication logs and network traffic from the isolated system to identify any lateral movement or additional compromised accounts.
-- Reset passwords for any accounts suspected to be compromised, ensuring that new credentials are not reused or easily guessable.
-- Apply patches and updates to the affected system and any other vulnerable systems to mitigate known exploits used in pass-the-hash attacks.
-- Implement network segmentation to limit the spread of similar attacks in the future, focusing on restricting access to critical systems and sensitive data.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index f2e118fe27b..fefc704e0ae 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml
index d5fe9c97410..4135f1a25a3 100644
--- a/rules/windows/credential_access_posh_veeam_sql.toml
+++ b/rules/windows/credential_access_posh_veeam_sql.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,40 @@ index = ["winlogbeat-*", "logs-windows.powershell*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "PowerShell Script with Veeam Credential Access Capabilities"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating PowerShell Script with Veeam Credential Access Capabilities
+
+PowerShell, a powerful scripting language in Windows environments, can be exploited by attackers to access and decrypt sensitive credentials, such as those stored by Veeam in MSSQL databases. Adversaries may leverage this to compromise backup data, facilitating ransomware attacks. The detection rule identifies suspicious script activity by monitoring specific database interactions and decryption attempts, flagging potential credential access threats.
+
+### Possible investigation steps
+
+- Review the PowerShell script block text associated with the alert to identify any references to "[dbo].[Credentials]" and "Veeam" or "VeeamBackup" to confirm potential credential access attempts.
+- Check the event logs for the specific host where the alert was triggered to gather additional context about the process execution, including the user account involved and the script's origin.
+- Investigate any recent changes or access to the MSSQL database containing Veeam credentials to determine if there were unauthorized access attempts or modifications.
+- Analyze the use of "ProtectedStorage]::GetLocalString" within the script to understand if it was used to decrypt or access sensitive information.
+- Correlate the alert with other security events or logs from the same host or network segment to identify any related suspicious activities or patterns that could indicate a broader attack.
+
+### False positive analysis
+
+- Routine administrative scripts that query MSSQL databases for maintenance purposes may trigger the rule. To manage this, identify and whitelist specific scripts or processes that are known to be safe and regularly executed by trusted administrators.
+- Scheduled tasks or automated backup verification processes that access Veeam credentials for legitimate reasons can be mistaken for malicious activity. Exclude these tasks by specifying their unique identifiers or execution paths in the monitoring system.
+- Security audits or compliance checks that involve accessing credential information for validation purposes might be flagged. Coordinate with the audit team to document these activities and create exceptions for their scripts.
+- Development or testing environments where PowerShell scripts are used to simulate credential access for testing purposes can generate false positives. Implement environment-specific exclusions to prevent these from being flagged in production monitoring.
+- Third-party monitoring tools that interact with Veeam credentials for health checks or performance monitoring may inadvertently trigger alerts. Work with the tool vendors to understand their access patterns and exclude them if they are verified as non-threatening.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing credential access attempts.
+- Change all Veeam-related credentials and any other potentially compromised credentials stored in the MSSQL database to prevent further unauthorized access.
+- Conduct a thorough review of backup integrity and ensure that no unauthorized modifications or deletions have occurred.
+- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring for PowerShell activity and MSSQL database access to detect similar threats in the future.
+- Review and update access controls and permissions for Veeam and MSSQL databases to ensure they follow the principle of least privilege."""
 references = [
 "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
 "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/",
@@ -63,40 +95,6 @@ event.category:process and host.os.type:windows and
 "ProtectedStorage]::GetLocalString"
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating PowerShell Script with Veeam Credential Access Capabilities
-
-PowerShell, a powerful scripting language in Windows environments, can be exploited by attackers to access and decrypt sensitive credentials, such as those stored by Veeam in MSSQL databases. Adversaries may leverage this to compromise backup data, facilitating ransomware attacks. The detection rule identifies suspicious script activity by monitoring specific database interactions and decryption attempts, flagging potential credential access threats.
-
-### Possible investigation steps
-
-- Review the PowerShell script block text associated with the alert to identify any references to "[dbo].[Credentials]" and "Veeam" or "VeeamBackup" to confirm potential credential access attempts.
-- Check the event logs for the specific host where the alert was triggered to gather additional context about the process execution, including the user account involved and the script's origin.
-- Investigate any recent changes or access to the MSSQL database containing Veeam credentials to determine if there were unauthorized access attempts or modifications.
-- Analyze the use of "ProtectedStorage]::GetLocalString" within the script to understand if it was used to decrypt or access sensitive information.
-- Correlate the alert with other security events or logs from the same host or network segment to identify any related suspicious activities or patterns that could indicate a broader attack.
-
-### False positive analysis
-
-- Routine administrative scripts that query MSSQL databases for maintenance purposes may trigger the rule. To manage this, identify and whitelist specific scripts or processes that are known to be safe and regularly executed by trusted administrators.
-- Scheduled tasks or automated backup verification processes that access Veeam credentials for legitimate reasons can be mistaken for malicious activity. Exclude these tasks by specifying their unique identifiers or execution paths in the monitoring system.
-- Security audits or compliance checks that involve accessing credential information for validation purposes might be flagged. Coordinate with the audit team to document these activities and create exceptions for their scripts.
-- Development or testing environments where PowerShell scripts are used to simulate credential access for testing purposes can generate false positives. Implement environment-specific exclusions to prevent these from being flagged in production monitoring.
-- Third-party monitoring tools that interact with Veeam credentials for health checks or performance monitoring may inadvertently trigger alerts. Work with the tool vendors to understand their access patterns and exclude them if they are verified as non-threatening.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
-- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing credential access attempts.
-- Change all Veeam-related credentials and any other potentially compromised credentials stored in the MSSQL database to prevent further unauthorized access.
-- Conduct a thorough review of backup integrity and ensure that no unauthorized modifications or deletions have occurred.
-- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected.
-- Implement enhanced monitoring for PowerShell activity and MSSQL database access to detect similar threats in the future.
-- Review and update access controls and permissions for Veeam and MSSQL databases to ensure they follow the principle of least privilege."""
 [[rule.threat]]
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index e3a407c175f..be2132762d3 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/09/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,38 +15,6 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via DuplicateHandle in LSASS"
-references = ["https://github.com/CCob/MirrorDump"]
-risk_score = 47
-rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.code == "10" and
-
- /* LSASS requesting DuplicateHandle access right to another process */
- process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
-
- /* call is coming from an unknown executable region */
- winlog.event_data.CallTrace : "*UNKNOWN*"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -83,6 +49,38 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for enforcing
 - Review and update endpoint protection configurations to ensure they are capable of detecting and blocking similar unauthorized access attempts in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for LSASS and related processes to detect any future attempts to exploit the DuplicateHandle function."""
+references = ["https://github.com/CCob/MirrorDump"]
+risk_score = 47
+rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
+setup = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.code == "10" and
+
+ /* LSASS requesting DuplicateHandle access right to another process */
+ process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
+
+ /* call is coming from an unknown executable region */
+ winlog.event_data.CallTrace : "*UNKNOWN*"
+'''
 [[rule.threat]]
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 990d0407c58..bb46707c121 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/04/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,6 +25,41 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Local NTLM Relay via HTTP"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Local NTLM Relay via HTTP
+
+NTLM, a suite of Microsoft security protocols, is often targeted by adversaries for credential theft. Attackers may exploit the Windows Printer Spooler service to coerce NTLM authentication over HTTP, potentially elevating privileges. The detection rule identifies suspicious rundll32.exe executions invoking WebDAV client DLLs with specific arguments, signaling attempts to access named pipes via HTTP, indicative of NTLM relay attacks.
+
+### Possible investigation steps
+
+- Review the process execution details for rundll32.exe, focusing on the specific arguments related to davclnt.dll and DavSetCookie, to confirm the presence of suspicious WebDAV client activity.
+- Investigate the network connections initiated by the rundll32.exe process to identify any HTTP requests targeting named pipes, such as those containing "/print/pipe/", "/pipe/spoolss", or "/pipe/srvsvc".
+- Check the system's event logs for any related authentication attempts or failures around the time of the alert to identify potential NTLM relay activity.
+- Analyze the history of the Windows Printer Spooler service on the affected host to determine if it has been recently manipulated or exploited.
+- Correlate the alert with other security events or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
+- Assess the user account associated with the NTLM authentication attempt to determine if it has been compromised or is being used in an unauthorized manner.
+
+### False positive analysis
+
+- Legitimate administrative tasks using rundll32.exe with WebDAV client DLLs may trigger the rule. Review the context of the execution, such as the user account and the timing, to determine if it aligns with expected administrative activities.
+- Automated software deployment or update processes might use similar rundll32.exe calls. Verify if the process is part of a scheduled or known deployment task and consider excluding these specific processes from the rule.
+- Some third-party applications may use WebDAV for legitimate purposes, which could mimic the behavior detected by the rule. Identify these applications and create exceptions for their known processes to prevent false alerts.
+- System maintenance scripts or tools that interact with network resources via HTTP might inadvertently match the rule's criteria. Ensure these scripts are documented and exclude them if they are verified as non-threatening.
+- Regularly review and update the exclusion list to accommodate changes in legitimate software behavior, ensuring that only verified false positives are excluded to maintain the rule's effectiveness.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
+- Terminate any suspicious rundll32.exe processes identified in the alert to stop ongoing malicious activity.
+- Conduct a thorough review of the affected system's event logs and network traffic to identify any additional indicators of compromise or related malicious activity.
+- Reset credentials for any accounts that may have been exposed or compromised during the attack to prevent unauthorized access.
+- Apply the latest security patches and updates to the Windows Printer Spooler service and related components to mitigate known vulnerabilities.
+- Implement network segmentation to limit the exposure of critical services and reduce the risk of similar attacks in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
 references = [
 "https://github.com/med0x2e/NTLMRelay2Self",
 "https://github.com/topotam/PetitPotam",
@@ -63,41 +96,6 @@ process where host.os.type == "windows" and event.type == "start" and
 /* Access to named pipe via http */
 process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Local NTLM Relay via HTTP
-
-NTLM, a suite of Microsoft security protocols, is often targeted by adversaries for credential theft. Attackers may exploit the Windows Printer Spooler service to coerce NTLM authentication over HTTP, potentially elevating privileges. The detection rule identifies suspicious rundll32.exe executions invoking WebDAV client DLLs with specific arguments, signaling attempts to access named pipes via HTTP, indicative of NTLM relay attacks.
-
-### Possible investigation steps
-
-- Review the process execution details for rundll32.exe, focusing on the specific arguments related to davclnt.dll and DavSetCookie, to confirm the presence of suspicious WebDAV client activity.
-- Investigate the network connections initiated by the rundll32.exe process to identify any HTTP requests targeting named pipes, such as those containing "/print/pipe/", "/pipe/spoolss", or "/pipe/srvsvc".
-- Check the system's event logs for any related authentication attempts or failures around the time of the alert to identify potential NTLM relay activity.
-- Analyze the history of the Windows Printer Spooler service on the affected host to determine if it has been recently manipulated or exploited.
-- Correlate the alert with other security events or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
-- Assess the user account associated with the NTLM authentication attempt to determine if it has been compromised or is being used in an unauthorized manner.
-
-### False positive analysis
-
-- Legitimate administrative tasks using rundll32.exe with WebDAV client DLLs may trigger the rule. Review the context of the execution, such as the user account and the timing, to determine if it aligns with expected administrative activities.
-- Automated software deployment or update processes might use similar rundll32.exe calls. Verify if the process is part of a scheduled or known deployment task and consider excluding these specific processes from the rule.
-- Some third-party applications may use WebDAV for legitimate purposes, which could mimic the behavior detected by the rule. Identify these applications and create exceptions for their known processes to prevent false alerts.
-- System maintenance scripts or tools that interact with network resources via HTTP might inadvertently match the rule's criteria. Ensure these scripts are documented and exclude them if they are verified as non-threatening.
-- Regularly review and update the exclusion list to accommodate changes in legitimate software behavior, ensuring that only verified false positives are excluded to maintain the rule's effectiveness.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
-- Terminate any suspicious rundll32.exe processes identified in the alert to stop ongoing malicious activity.
-- Conduct a thorough review of the affected system's event logs and network traffic to identify any additional indicators of compromise or related malicious activity.
-- Reset credentials for any accounts that may have been exposed or compromised during the attack to prevent unauthorized access.
-- Apply the latest security patches and updates to the Windows Printer Spooler service and related components to mitigate known vulnerabilities.
-- Implement network segmentation to limit the exposure of critical services and reduce the risk of similar attacks in the future.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 9e589145262..47689c74966 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,38 +16,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Vault Web Credentials Read"
-references = [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
- "https://www.elastic.co/security-labs/detect-credential-access",
-]
-risk_score = 47
-rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
-
- /* 2 consecutive vault reads from same pid for web creds */
-
- [any where event.code : "5382" and
- (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
- not winlog.event_data.SubjectLogonId : "0x3e7" and
- not winlog.event_data.Resource : "http://localhost/"]
-
- [any where event.code : "5382" and
- (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
- not winlog.event_data.SubjectLogonId : "0x3e7" and
- not winlog.event_data.Resource : "http://localhost/"]
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -85,6 +51,38 @@ Windows Credential Manager stores credentials for web logins, apps, and networks
 - Implement network segmentation to limit access to critical systems and data, reducing the risk of lateral movement.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
 - Enhance monitoring and logging on the affected system and similar endpoints to detect any future attempts at credential dumping or unauthorized access."""
+references = [
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
+ "https://www.elastic.co/security-labs/detect-credential-access",
+]
+risk_score = 47
+rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
+
+ /* 2 consecutive vault reads from same pid for web creds */
+
+ [any where event.code : "5382" and
+ (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
+ not winlog.event_data.SubjectLogonId : "0x3e7" and
+ not winlog.event_data.Resource : "http://localhost/"]
+
+ [any where event.code : "5382" and
+ (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
+ not winlog.event_data.SubjectLogonId : "0x3e7" and
+ not winlog.event_data.Resource : "http://localhost/"]
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index ae548489730..bcb205d1e7a 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -28,36 +26,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Searching for Saved Credentials via VaultCmd"
-references = [
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
- "https://www.elastic.co/security-labs/detect-credential-access",
-]
-risk_score = 47
-rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- (?process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
- process.args:"/list*"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -92,6 +60,36 @@ Windows Credential Manager stores credentials for websites, applications, and ne
 - Implement enhanced monitoring on the affected system and similar endpoints for any further attempts to use VaultCmd.exe or other credential dumping tools.
 - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the breach.
 - Review and update endpoint protection configurations to ensure that similar threats are detected and blocked in the future, leveraging threat intelligence and MITRE ATT&CK framework insights."""
+references = [
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
+ "https://www.elastic.co/security-labs/detect-credential-access",
+]
+risk_score = 47
+rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (?process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
+ process.args:"/list*"
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 61855c5b232..45b36774cf0 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index dfb617abe48..74c193f9529 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index 6af1a73f956..a06b4dba884 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index b96e8bf2694..a1e9768b415 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index a92818305b6..04c1ee583fe 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/22"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +12,41 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Lsass Process Access"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Lsass Process Access
+
+The Local Security Authority Subsystem Service (LSASS) is crucial for enforcing security policies and managing user logins in Windows environments. Adversaries often target LSASS to extract credentials, enabling unauthorized access. The detection rule identifies unusual access attempts to LSASS by filtering out legitimate processes and access patterns, focusing on anomalies that suggest credential dumping activities.
+
+### Possible investigation steps
+
+- Review the process details that triggered the alert, focusing on the process name and executable path to determine if it is a known legitimate application or potentially malicious.
+- Examine the GrantedAccess value in the event data to understand the level of access attempted on the LSASS process and compare it against typical access patterns.
+- Investigate the parent process of the suspicious process to identify how it was spawned and assess if it is part of a legitimate workflow or an anomaly.
+- Check the CallTrace field for any unusual or suspicious DLLs that might indicate malicious activity or exploitation attempts.
+- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or patterns, such as network connections or file modifications.
+- Verify the host's security posture, including the status of antivirus or endpoint protection solutions, to ensure they are functioning correctly and have not been tampered with.
+
+### False positive analysis
+
+- Legitimate security tools like Sysinternals Process Explorer and Process Monitor can trigger false positives. Exclude these by adding their process names to the exception list.
+- Windows Defender and other antivirus software may access LSASS for legitimate scanning purposes. Exclude their executable paths from the detection rule to prevent false alerts.
+- System processes such as csrss.exe, lsm.exe, and wmiprvse.exe are known to access LSASS as part of normal operations. Ensure these are included in the process executable exceptions to avoid unnecessary alerts.
+- Software updates and installers, like those from Cisco AnyConnect or Oracle, may access LSASS during legitimate operations. Add these specific paths to the exclusion list to reduce false positives.
+- Custom enterprise applications that interact with LSASS for authentication purposes should be identified and their paths added to the exceptions to prevent disruption in monitoring.
+
+### Response and remediation
+
+- Isolate the affected system from the network immediately to prevent further unauthorized access or lateral movement by the adversary.
+- Terminate any suspicious processes identified in the alert that are attempting to access the LSASS process, ensuring that legitimate processes are not disrupted.
+- Conduct a memory dump analysis of the affected system to identify any malicious tools or scripts used for credential dumping, focusing on the LSASS process.
+- Change all potentially compromised credentials, especially those with administrative privileges, to prevent unauthorized access using stolen credentials.
+- Apply patches and updates to the affected system to address any vulnerabilities that may have been exploited by the adversary.
+- Monitor the network for any signs of further suspicious activity or attempts to access LSASS on other systems, using enhanced logging and alerting mechanisms.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"]
 risk_score = 47
 rule_id = "128468bf-cab1-4637-99ea-fdf3780a4609"
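Review bot: The false-positive bullet in the added note tells analysts to exclude Process Explorer and Process Monitor "by adding their process names to the exception list", which is the weakest allowlist an LSASS-access rule can have, since any binary can carry that name; the rule's own query (its body lies outside this hunk) appears to exclude by executable path and CallTrace, and the guidance should match that. Suggest rewording the bullet to `Exclude these by their full executable path (and CallTrace where available) rather than by process name alone, and verify the binary's signature before adding the exception.` The remaining bullets in the same section already speak of paths, so this is the only one that diverges.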
@@ -74,41 +107,6 @@ process where host.os.type == "windows" and event.code == "10" and
 ) and
 not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Lsass Process Access
-
-The Local Security Authority Subsystem Service (LSASS) is crucial for enforcing security policies and managing user logins in Windows environments. Adversaries often target LSASS to extract credentials, enabling unauthorized access. The detection rule identifies unusual access attempts to LSASS by filtering out legitimate processes and access patterns, focusing on anomalies that suggest credential dumping activities.
-
-### Possible investigation steps
-
-- Review the process details that triggered the alert, focusing on the process name and executable path to determine if it is a known legitimate application or potentially malicious.
-- Examine the GrantedAccess value in the event data to understand the level of access attempted on the LSASS process and compare it against typical access patterns.
-- Investigate the parent process of the suspicious process to identify how it was spawned and assess if it is part of a legitimate workflow or an anomaly.
-- Check the CallTrace field for any unusual or suspicious DLLs that might indicate malicious activity or exploitation attempts.
-- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or patterns, such as network connections or file modifications.
-- Verify the host's security posture, including the status of antivirus or endpoint protection solutions, to ensure they are functioning correctly and have not been tampered with.
-
-### False positive analysis
-
-- Legitimate security tools like Sysinternals Process Explorer and Process Monitor can trigger false positives. Exclude these by adding their process names to the exception list.
-- Windows Defender and other antivirus software may access LSASS for legitimate scanning purposes. Exclude their executable paths from the detection rule to prevent false alerts.
-- System processes such as csrss.exe, lsm.exe, and wmiprvse.exe are known to access LSASS as part of normal operations. Ensure these are included in the process executable exceptions to avoid unnecessary alerts.
-- Software updates and installers, like those from Cisco AnyConnect or Oracle, may access LSASS during legitimate operations. Add these specific paths to the exclusion list to reduce false positives.
-- Custom enterprise applications that interact with LSASS for authentication purposes should be identified and their paths added to the exceptions to prevent disruption in monitoring.
-
-### Response and remediation
-
-- Isolate the affected system from the network immediately to prevent further unauthorized access or lateral movement by the adversary.
-- Terminate any suspicious processes identified in the alert that are attempting to access the LSASS process, ensuring that legitimate processes are not disrupted.
-- Conduct a memory dump analysis of the affected system to identify any malicious tools or scripts used for credential dumping, focusing on the LSASS process.
-- Change all potentially compromised credentials, especially those with administrative privileges, to prevent unauthorized access using stolen credentials.
-- Apply patches and updates to the affected system to address any vulnerabilities that may have been exploited by the adversary.
-- Monitor the network for any signs of further suspicious activity or attempts to access LSASS on other systems, using enhanced logging and alerting mechanisms.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index 7de6d5c1369..53f21c1ebca 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,41 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via LSASS Memory Dump"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Credential Access via LSASS Memory Dump
+
+LSASS (Local Security Authority Subsystem Service) is crucial for managing Windows security policies and storing sensitive data like user credentials. Adversaries exploit this by using tools that leverage MiniDumpWriteDump from libraries like DBGHelp.dll to extract credentials. The detection rule identifies suspicious LSASS access by monitoring for these libraries in call traces, excluding legitimate crash handlers, thus flagging potential credential theft attempts.
+
+### Possible investigation steps
+
+- Review the process details associated with the alert, focusing on the process name, executable path, and parent process to determine if the process accessing LSASS is legitimate or suspicious.
+- Examine the call trace details to confirm the presence of DBGHelp.dll or DBGCore.dll, which are indicative of potential credential dumping attempts.
+- Check for any recent crash reports or legitimate use of WerFault.exe, WerFaultSecure.exe, or similar processes that might explain the LSASS access as a non-malicious event.
+- Investigate the user account context under which the suspicious process is running to assess if it aligns with expected behavior or if it indicates potential compromise.
+- Correlate the event with other security logs or alerts to identify any related suspicious activities, such as unauthorized access attempts or lateral movement within the network.
+- Assess the risk and impact by determining if any sensitive credentials could have been exposed, and consider isolating the affected system to prevent further compromise.
+
+### False positive analysis
+
+- Legitimate crash handlers like WerFault.exe may access LSASS during system crashes. To prevent these from being flagged, ensure that the rule excludes processes such as WerFault.exe, WerFaultSecure.exe, and their SysWOW64 counterparts.
+- Debugging tools used by developers or IT administrators might trigger this rule if they access LSASS for legitimate purposes. Consider creating exceptions for known and trusted debugging tools within your environment.
+- Security software or endpoint protection solutions may perform similar actions as part of their normal operations. Verify with your security vendor and exclude these processes if they are confirmed to be benign.
+- Automated system diagnostics or maintenance scripts that interact with LSASS for health checks could be misidentified. Review and whitelist these scripts if they are part of routine system management tasks.
+- Ensure that any custom or third-party applications that require access to LSASS for legitimate reasons are documented and excluded from the rule to avoid unnecessary alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further credential access or lateral movement by the adversary.
+- Terminate any suspicious processes that are accessing the LSASS memory, especially those involving DBGHelp.dll or DBGCore.dll, to stop the credential dumping activity.
+- Conduct a thorough review of the affected system's security logs to identify any unauthorized access or changes, focusing on event code "10" and call traces involving LSASS.
+- Change passwords for all accounts that were active on the affected system, prioritizing high-privilege accounts, to mitigate the risk of compromised credentials being used.
+- Restore the affected system from a known good backup to ensure that any malicious changes or tools are removed.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
+- Implement enhanced monitoring and alerting for similar suspicious activities, focusing on LSASS access and the use of MiniDumpWriteDump, to improve detection and response capabilities."""
 references = [
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
 "https://www.elastic.co/security-labs/detect-credential-access",
@@ -59,41 +92,6 @@ process where host.os.type == "windows" and event.code == "10" and
 "?:\\Windows\\System32\\WerFaultSecure.exe"
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Credential Access via LSASS Memory Dump
-
-LSASS (Local Security Authority Subsystem Service) is crucial for managing Windows security policies and storing sensitive data like user credentials. Adversaries exploit this by using tools that leverage MiniDumpWriteDump from libraries like DBGHelp.dll to extract credentials. The detection rule identifies suspicious LSASS access by monitoring for these libraries in call traces, excluding legitimate crash handlers, thus flagging potential credential theft attempts.
-
-### Possible investigation steps
-
-- Review the process details associated with the alert, focusing on the process name, executable path, and parent process to determine if the process accessing LSASS is legitimate or suspicious.
-- Examine the call trace details to confirm the presence of DBGHelp.dll or DBGCore.dll, which are indicative of potential credential dumping attempts.
-- Check for any recent crash reports or legitimate use of WerFault.exe, WerFaultSecure.exe, or similar processes that might explain the LSASS access as a non-malicious event.
-- Investigate the user account context under which the suspicious process is running to assess if it aligns with expected behavior or if it indicates potential compromise.
-- Correlate the event with other security logs or alerts to identify any related suspicious activities, such as unauthorized access attempts or lateral movement within the network.
-- Assess the risk and impact by determining if any sensitive credentials could have been exposed, and consider isolating the affected system to prevent further compromise.
-
-### False positive analysis
-
-- Legitimate crash handlers like WerFault.exe may access LSASS during system crashes. To prevent these from being flagged, ensure that the rule excludes processes such as WerFault.exe, WerFaultSecure.exe, and their SysWOW64 counterparts.
-- Debugging tools used by developers or IT administrators might trigger this rule if they access LSASS for legitimate purposes. Consider creating exceptions for known and trusted debugging tools within your environment.
-- Security software or endpoint protection solutions may perform similar actions as part of their normal operations. Verify with your security vendor and exclude these processes if they are confirmed to be benign.
-- Automated system diagnostics or maintenance scripts that interact with LSASS for health checks could be misidentified. Review and whitelist these scripts if they are part of routine system management tasks.
-- Ensure that any custom or third-party applications that require access to LSASS for legitimate reasons are documented and excluded from the rule to avoid unnecessary alerts.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further credential access or lateral movement by the adversary.
-- Terminate any suspicious processes that are accessing the LSASS memory, especially those involving DBGHelp.dll or DBGCore.dll, to stop the credential dumping activity.
-- Conduct a thorough review of the affected system's security logs to identify any unauthorized access or changes, focusing on event code "10" and call traces involving LSASS.
-- Change passwords for all accounts that were active on the affected system, prioritizing high-privilege accounts, to mitigate the risk of compromised credentials being used.
-- Restore the affected system from a known good backup to ensure that any malicious changes or tools are removed.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
-- Implement enhanced monitoring and alerting for similar suspicious activities, focusing on LSASS access and the use of MiniDumpWriteDump, to improve detection and response capabilities."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index bec754ac901..8c74fbd862d 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,36 +16,6 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "kuery" license = "Elastic License v2" name = "Potential LSASS Memory Dump via PssCaptureSnapShot" -references = [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en", -] -risk_score = 73 -rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283" -setup = """## Setup - -This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold -rule cardinality feature. -""" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon", - "Resources: Investigation Guide", - "vigilant.disabled" -] -timestamp_override = "event.ingested" -type = "threshold" - -query = ''' -event.category:process and host.os.type:windows and event.code:10 and - winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or - "c:\\Windows\\system32\\lsass.exe" or - "c:\\Windows\\System32\\lsass.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +50,36 @@ PssCaptureSnapShot is a Windows feature used for capturing process snapshots, ai - Apply the latest security patches and updates to the affected system to address any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Enhance monitoring and detection capabilities by ensuring that similar suspicious activities are logged and alerted on, using the specific query fields and threat indicators identified in this alert.""" +references = [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en", +] +risk_score = 73 +rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283" +setup = """## Setup + +This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold +rule cardinality feature. +""" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon", + "Resources: Investigation Guide", + "vigilant.disabled" +] +timestamp_override = "event.ingested" +type = "threshold" + +query = ''' +event.category:process and host.os.type:windows and event.code:10 and + winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or + "c:\\Windows\\system32\\lsass.exe" or + "c:\\Windows\\System32\\lsass.exe") +''' [[rule.threat]] diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index 0dea3f19e28..e0616fc1f5b 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml 
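Review bot: The three `winlog.event_data.TargetImage` literals in the relocated `query` block cover only some casing variants of the LSASS path; `"C:\\Windows\\System32\\lsass.exe"` (capital drive letter and capital S) is absent, and if TargetImage is mapped as a keyword field KQL compares it case-sensitively, so events carrying that spelling would not count toward the threshold. Consider adding that fourth literal, or matching on a case-normalised field if the integration provides one. The commit only moves this block, so the gap predates it.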
@@ -2,9 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 66828323bf6..a019bfa0a69 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/12/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index cc760955744..26d95dd353c 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -27,36 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Potential Veeam Credential Access Command" -references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"] -risk_score = 47 -rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - ( - (process.name : "sqlcmd.exe" or ?process.pe.original_file_name : "sqlcmd.exe") or - process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery") - ) and - process.args : "*[VeeamBackup].[dbo].[Credentials]*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -92,6 +60,36 @@ Veeam credentials stored in MSSQL databases are crucial for managing backup oper - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are compromised. - Implement enhanced monitoring on systems storing Veeam credentials to detect similar suspicious activities in the future. - Review and update access controls and permissions for MSSQL databases to ensure only authorized personnel have access to Veeam credentials.""" +references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"] +risk_score = 47 +rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + ( + (process.name : "sqlcmd.exe" or ?process.pe.original_file_name : "sqlcmd.exe") or + process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery") + ) and + process.args : "*[VeeamBackup].[dbo].[Credentials]*" +''' [[rule.threat]] diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml index 059bebb2bc3..5a03229b128 100644 --- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml +++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/11/27" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -17,31 +15,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential LSASS Clone Creation via PssCaptureSnapShot" -references = [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2", -] -risk_score = 73 -rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", - "vigilant.disabled" -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.code:"4688" and - process.executable : "?:\\Windows\\System32\\lsass.exe" and - process.parent.executable : "?:\\Windows\\System32\\lsass.exe" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -77,6 +50,31 @@ PssCaptureSnapShot is a Windows API used for creating snapshots of processes, of - Review and enhance endpoint security configurations to ensure that LSASS process memory is protected from unauthorized access, such as enabling Credential Guard if applicable. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach. - Implement additional monitoring and alerting for similar suspicious activities, focusing on process creation events involving LSASS, to improve early detection of future attempts.""" +references = [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2", +] +risk_score = 73 +rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", + "vigilant.disabled" +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.code:"4688" and + process.executable : "?:\\Windows\\System32\\lsass.exe" and + process.parent.executable : "?:\\Windows\\System32\\lsass.exe" +''' [[rule.threat]] diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml index 29b5cd8b8eb..d8e4b5920ef 100644 --- a/rules/windows/credential_access_wbadmin_ntds.toml +++ b/rules/windows/credential_access_wbadmin_ntds.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/06/05" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -27,34 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "NTDS Dump via Wbadmin" -references = [ - "https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960" -] -risk_score = 47 -rule_id = "d93e61db-82d6-4095-99aa-714988118064" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - (process.name : "wbadmin.exe" or ?process.pe.original_file_name : "wbadmin.exe") and - process.args : "recovery" and process.command_line : "*ntds.dit*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -89,6 +59,32 @@ Wbadmin is a Windows utility for backup and recovery, often used by administrato - Restore the NTDS.dit file from a known good backup if any unauthorized modifications are detected. - Implement enhanced monitoring and logging for wbadmin.exe usage across all domain controllers to detect future unauthorized access attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +references = ["https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"] +risk_score = 47 +rule_id = "d93e61db-82d6-4095-99aa-714988118064" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + (process.name : "wbadmin.exe" or ?process.pe.original_file_name : "wbadmin.exe") and + process.args : "recovery" and process.command_line : "*ntds.dit*" +''' [[rule.threat]] @@ -113,8 +109,6 @@ reference = "https://attack.mitre.org/techniques/T1003/003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index 6a4271c9d57..fb71341678b 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index 6043131dcdd..d2011685a55 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml index 726fe74345d..33b194d55cc 100644 --- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml +++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/17" integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/03" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -39,7 +37,14 @@ Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusu attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Antimalware Scan Interface DLL" @@ -105,7 +110,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint" + "Data Source: Microsoft Defender for Endpoint", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index 20ebea80ee4..5d0971d1b06 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 0edc49a16fd..e7e6c4f40d4 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/06/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,14 @@ Identifies modifications of the AmsiEnable registry key to 0, which disables the adversary can modify this key to disable AMSI protections. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Modification of AmsiEnable Registry Key" diff --git a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml index 68b2dd7f367..b3493761554 100644 --- a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml +++ b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml @@ -2,9 +2,7 @@ creation_date = "2025/01/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,11 +11,7 @@ Identifies attempts to disable auditing for some security sensitive audit policy attackers in an attempt to evade detection and forensics on a system. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-windows.forwarded*", - "logs-system.security*" -] +index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"] language = "kuery" license = "Elastic License v2" name = "Sensitive Audit Policy Sub-Category Disabled" @@ -132,3 +126,4 @@ reference = "https://attack.mitre.org/techniques/T1562/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index 62cef1d7a1d..79cee43c602 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -2,9 +2,7 @@ creation_date = "2021/11/22" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Austin Songer"] diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 3dfe685d34f..35eb79556b9 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml 
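Review bot: The `@@ -132,3 +126,4 @@` hunk for defense_evasion_audit_policy_disabled_winlog.toml appends an empty line after the final `reference = "https://attack.mitre.org/tactics/TA0005/"`, leaving the file with a trailing blank line, while the same commit strips surplus blank lines in credential_access_wbadmin_ntds.toml; if both files are written by the same formatter the two results are inconsistent and one of them will be churned again on the next run. Suggest dropping the added line so the file ends with a single newline after the `reference` line.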
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index c9f9d5418db..6536cdf6cd8 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
index 4251115b3ca..2ff0537afa5 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/31"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml index aeeb61a20f9..97a6da20a02 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -32,7 +30,14 @@ program, and grants the user with the ability to check whether the program has b execution of unsigned or self-signed code, threat actors can craft and execute malicious code. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Code Signing Policy Modification Through Registry" diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 55093bd4d34..0f14afcfeb8 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -15,7 +13,14 @@ certificate would allow an attacker the ability to masquerade malicious files as """ false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Creation or Modification of Root Certificate" diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml index 5932a2f12f6..9aca76029ae 100644 --- a/rules/windows/defense_evasion_cve_2020_0601.toml +++ b/rules/windows/defense_evasion_cve_2020_0601.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/19" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,24 +15,6 @@ index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"] language = "kuery" license = "Elastic License v2" name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)" -risk_score = 21 -rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Use Case: Vulnerability", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows -''' note = """## Triage and analysis > **Disclaimer**: @@ -69,6 +49,24 @@ The Windows CryptoAPI is crucial for validating ECC certificates, ensuring secur - Review and update endpoint protection configurations to ensure they are set to detect and block similar spoofing attempts. - Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems may be affected. - Implement enhanced monitoring for signs of defense evasion tactics, focusing on event logs and messages related to certificate validation processes.""" +risk_score = 21 +rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Use Case: Vulnerability", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 44c1512773a..6194cfb8572 100644 
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/10/17" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies modifications to the Windows Defender registry settings to disable th started manually. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Windows Defender Disabled via Registry Modification" diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 48eb71e0524..6f3582fccc9 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/20" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -78,7 +76,7 @@ references = [ "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign", "https://www.elastic.co/security-labs/operation-bleeding-bear", - "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine" + "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", ] risk_score = 47 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index e80066eafb4..aa73090543a 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml index ab4dd964e69..850dcaa008f 100644 --- a/rules/windows/defense_evasion_disable_nla.toml +++ b/rules/windows/defense_evasion_disable_nla.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/25" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -16,39 +14,16 @@ enable persistence methods that require access to the Windows sign-in screen wit Accessibility Features persistence methods, like Sticky Keys. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Network-Level Authentication (NLA) Disabled" -references = [ - "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", -] -risk_score = 21 -rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and - registry.path : ( - "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication", - "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication", - "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" - ) and registry.data.strings : ("0", "0x00000000") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +57,35 @@ Network-Level Authentication (NLA) enhances security for Remote Desktop Protocol - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to disable NLA or other suspicious activities. - Review and update endpoint security policies to ensure that registry changes related to NLA are monitored and alerts are generated for any unauthorized modifications.""" +references = [ + "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", +] +risk_score = 21 +rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and + registry.path : ( + "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication", + "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" + ) and registry.data.strings : ("0", "0x00000000") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml index 67929fe2adc..928b4cd42ad 100644 
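Review bot: The first `registry.path` pattern in the relocated query, `"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication"`, requires the hive segment to begin with `ControlSet`, while its two siblings use `*ControlSet*`; a source that reports the key under the `HKLM` prefix as `CurrentControlSet` (Sysmon's TargetObject convention, if I recall it correctly) would be matched by neither of the other two prefixes and missed by this one. Aligning it, `"HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",`, closes the gap without accepting anything the other two patterns do not already accept. This is pre-existing logic the commit only moves, but the query block is being rewritten here anyway; the `[[rule.threat]]` table that follows continues outside the hunk.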
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml +++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,14 @@ Identifies attempts to disable PowerShell Script Block Logging via registry modi logging to conceal their activities in the host and evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "PowerShell Script Block Logging Disabled" diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index e25d77c4ef8..7787f500162 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index c58c50f40fb..01560dd1aeb 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -64,8 +62,8 @@ This rule monitors the execution of commands that can tamper the Windows Defende """ references = [ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps", - "https://www.elastic.co/security-labs/operation-bleeding-bear", - "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine" + "https://www.elastic.co/security-labs/operation-bleeding-bear", + "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", ] risk_score = 47 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87" diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index 6d36c13358e..73fa5e6be83 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/05/06" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index 6f4320c1a28..3217e36370a 100644 --- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/22" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Austin Songer"] 
@@ -14,41 +12,17 @@ data. With this enabled, an organization will lose visibility into data such as IP, which are used to determine bad actors. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "DNS-over-HTTPS Enabled via Registry" -references = [ - "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", - "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", -] -risk_score = 21 -rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and - (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and - registry.data.strings : ("1", "0x00000001")) or - (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and - registry.data.strings : "secure") or - (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and - registry.data.strings : ("1", "0x00000001")) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +56,37 @@ DNS-over-HTTPS (DoH) encrypts DNS queries to enhance privacy and security, preve - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring for registry changes related to DNS settings across the organization to detect similar threats in the future. - Review and update security policies to ensure that DNS-over-HTTPS is only enabled through approved channels and for legitimate purposes, reducing the risk of misuse.""" +references = [ + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", +] +risk_score = 21 +rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and + (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and + registry.data.strings : "secure") or + (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and + registry.data.strings : ("1", "0x00000001")) +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index 7f932ca3d40..e6b5d148708 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml 
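Review bot: In the relocated query the `or` joining the three browser branches binds looser than the preceding `and` chain, so `host.os.type == "windows" and event.type == "change"` gates only the Edge branch; the Chrome and Firefox branches fire on any registry event type, key deletion included, and are not restricted to Windows hosts. Group the three branches under the common guard by changing the first line to `registry where host.os.type == "windows" and event.type == "change" and (` and the last line to `registry.data.strings : ("1", "0x00000001")))`. The commit merely moves this block, but since `query` is being rewritten it is the moment to fix the precedence; the `[[rule.threat]]` table after it is outside the hunk.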
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -27,32 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Suspicious .NET Code Compilation" -risk_score = 47 -rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.name : ("csc.exe", "vbc.exe") and - process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -88,6 +60,32 @@ note = """## Triage and analysis - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning. - Implement application whitelisting to prevent unauthorized execution of compilers and scripting engines by non-standard parent processes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures.""" +risk_score = 47 +rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.name : ("csc.exe", "vbc.exe") and + process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index 56d52cc816f..e9ad302d9ee 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml 
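Review bot: The relocated query identifies the compilers by `process.name` alone, so a copy of `csc.exe` or `vbc.exe` launched under another file name is not seen even though the parent list is what makes the signal interesting. For the sources that carry PE metadata (the tags list Elastic Defend, Sysmon and Defender for Endpoint), `(process.name : ("csc.exe", "vbc.exe") or process.pe.original_file_name : ("csc.exe", "vbc.exe"))` catches the rename while leaving 4688-only events matching as before; I have not verified which of the listed sources populate `process.pe.original_file_name`, so check that before widening. This is not something the commit introduced, it only moves the block, but the rewrite makes it a one-line change; `[[rule.threat]]` continues outside the hunk.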
@@ -2,9 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index cc21a55c697..3518f6d741a 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index 24dc8f1e23c..f5b76cd15e6 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -2,9 +2,7 @@ creation_date = "2021/09/08" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -27,6 +25,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Control Panel Process with Unusual Arguments" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Control Panel Process with Unusual Arguments + +The Control Panel in Windows is a system utility that allows users to view and adjust system settings. Adversaries may exploit this by using control.exe to execute malicious code under the guise of legitimate processes. The detection rule identifies anomalies in command-line arguments, such as unexpected file types or suspicious paths, which may indicate an attempt to evade defenses or execute unauthorized actions. + +### Possible investigation steps + +- Review the command line arguments of the control.exe process to identify any unusual file types or suspicious paths, such as image file extensions or paths like */AppData/Local/*. +- Check the parent process of control.exe to determine if it was spawned by a legitimate application or a potentially malicious one. +- Investigate the user account associated with the process to verify if the activity aligns with their typical behavior or if it appears suspicious. +- Examine recent file modifications or creations in directories like \\AppData\\Local\\ or \\Users\\Public\\ to identify any unauthorized or unexpected changes. +- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context on the potential threat. 
+- Assess the network activity of the host during the time of the alert to identify any unusual outbound connections that may indicate data exfiltration or command and control communication. + +### False positive analysis + +- Image file paths in command-line arguments may trigger false positives if users or applications are legitimately accessing image files through control.exe. To mitigate this, create exceptions for known applications or user activities that frequently access image files. +- Paths involving AppData or Users\\Public directories might be flagged if legitimate software installations or updates use these locations. Review and whitelist specific software processes that are known to use these directories for legitimate purposes. +- Relative path traversal patterns like ../../.. could be used by legitimate scripts or applications for configuration purposes. Identify and exclude these scripts or applications from the detection rule if they are verified as non-malicious. +- Frequent use of control.exe with specific command-line arguments by system administrators or IT personnel for legitimate system management tasks can be excluded by creating user-based exceptions for these roles. +- If certain security tools or monitoring software are known to trigger this rule due to their operational behavior, consider excluding these tools after confirming their legitimacy and necessity. + +### Response and remediation + +- Isolate the affected system from the network to prevent further malicious activity and lateral movement. +- Terminate the suspicious control.exe process to stop any ongoing malicious execution. +- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants. 
+- Review and clean up any unauthorized changes or files in the directories specified in the alert, such as AppData/Local or Users/Public, to ensure no persistence mechanisms remain. +- Restore any affected files or system settings from a known good backup to ensure system integrity. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. +- Implement additional monitoring and alerting for similar command-line anomalies to enhance detection and prevent recurrence of this threat.""" references = ["https://www.joesandbox.com/analysis/476188/1/html"] risk_score = 73 rule_id = "416697ae-e468-4093-a93d-59661fa619ec" 
@@ -63,41 +96,6 @@ process where host.os.type == "windows" and event.type == "start" and "*\\AppData\\Local\\*" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Control Panel Process with Unusual Arguments - -The Control Panel in Windows is a system utility that allows users to view and adjust system settings. Adversaries may exploit this by using control.exe to execute malicious code under the guise of legitimate processes. The detection rule identifies anomalies in command-line arguments, such as unexpected file types or suspicious paths, which may indicate an attempt to evade defenses or execute unauthorized actions. - -### Possible investigation steps - -- Review the command line arguments of the control.exe process to identify any unusual file types or suspicious paths, such as image file extensions or paths like */AppData/Local/*. -- Check the parent process of control.exe to determine if it was spawned by a legitimate application or a potentially malicious one. -- Investigate the user account associated with the process to verify if the activity aligns with their typical behavior or if it appears suspicious. -- Examine recent file modifications or creations in directories like \\AppData\\Local\\ or \\Users\\Public\\ to identify any unauthorized or unexpected changes. -- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context on the potential threat. -- Assess the network activity of the host during the time of the alert to identify any unusual outbound connections that may indicate data exfiltration or command and control communication. 
- -### False positive analysis - -- Image file paths in command-line arguments may trigger false positives if users or applications are legitimately accessing image files through control.exe. To mitigate this, create exceptions for known applications or user activities that frequently access image files. -- Paths involving AppData or Users\\Public directories might be flagged if legitimate software installations or updates use these locations. Review and whitelist specific software processes that are known to use these directories for legitimate purposes. -- Relative path traversal patterns like ../../.. could be used by legitimate scripts or applications for configuration purposes. Identify and exclude these scripts or applications from the detection rule if they are verified as non-malicious. -- Frequent use of control.exe with specific command-line arguments by system administrators or IT personnel for legitimate system management tasks can be excluded by creating user-based exceptions for these roles. -- If certain security tools or monitoring software are known to trigger this rule due to their operational behavior, consider excluding these tools after confirming their legitimacy and necessity. - -### Response and remediation - -- Isolate the affected system from the network to prevent further malicious activity and lateral movement. -- Terminate the suspicious control.exe process to stop any ongoing malicious execution. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants. -- Review and clean up any unauthorized changes or files in the directories specified in the alert, such as AppData/Local or Users/Public, to ensure no persistence mechanisms remain. -- Restore any affected files or system settings from a known good backup to ensure system integrity. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. -- Implement additional monitoring and alerting for similar command-line anomalies to enhance detection and prevent recurrence of this threat.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 56c9510a93e..2cc57b1fcb1 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index c6ef3c6158d..93810f62173 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index c4dd1fecba9..72634c8b5b7 100755 
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -18,28 +16,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_ language = "kuery" license = "Elastic License v2" name = "Microsoft Build Engine Started by a Script Process" -risk_score = 21 -rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "new_terms" - -query = ''' -host.os.type:windows and event.category:process and event.type:start and ( - process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and - process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or - "wscript.exe" or "mshta.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -75,6 +51,28 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty - Reset credentials for any user accounts that were active on the affected system during the time of the alert to prevent unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for MSBuild and script interpreter activities across the network to detect and respond to similar threats in the future.""" +risk_score = 21 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +host.os.type:windows and event.category:process and event.type:start and ( + process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and + process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or + "wscript.exe" or "mshta.exe") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index b235d0cccd2..c2e91fd6574 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -28,32 +26,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by a System Process" -risk_score = 47 -rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.name : "MSBuild.exe" and - process.parent.name : ("explorer.exe", "wmiprvse.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -89,6 +61,32 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty - Restore the system from a known good backup if any critical system files or applications have been altered or corrupted. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for MSBuild.exe and related processes to detect similar activities in the future, ensuring alerts are configured for rapid response.""" +risk_score = 47 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.name : "MSBuild.exe" and + process.parent.name : ("explorer.exe", "wmiprvse.exe") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 0dbd8efef6f..94f4383533d 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -40,7 +38,13 @@ indicate an attempt to run unnoticed or undetected. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Using an Alternate Name" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index bd07774ed21..1ca07de5e9d 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -29,28 +27,6 @@ index = [ language = "kuery" license = "Elastic License v2" name = "Microsoft Build Engine Started an Unusual Process" -references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] -risk_score = 21 -rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "new_terms" - -query = ''' -host.os.type:windows and event.category:process and event.type:start and process.parent.name:("MSBuild.exe" or "msbuild.exe") and -process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -86,6 +62,28 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, of - Escalate the incident to the security operations team for further analysis and to determine if the threat is part of a larger attack campaign. - Implement additional monitoring and logging for MSBuild and related processes to detect any future misuse or anomalies promptly. - Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, ensuring that security controls are effectively blocking unauthorized script execution.""" +references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] +risk_score = 21 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +host.os.type:windows and event.category:process and event.type:start and process.parent.name:("MSBuild.exe" or "msbuild.exe") and +process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index a9ec649e457..31fdbc3bbe5 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml 
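Review bot: The re-added KQL query treats case inconsistently: `process.parent.name:("MSBuild.exe" or "msbuild.exe")` lists both spellings, which only matters if keyword matching here is case-sensitive, while `process.name:("csc.exe" or "iexplore.exe" or "powershell.exe")` lists a single lowercase spelling for each child. If the data sources can record the child image name in mixed case, the two halves of the query do not apply the same matching, so the intent should be made explicit one way or the other, either by dropping the second parent spelling or by listing the child names the same way. This is pre-existing behaviour that the move preserves rather than something the commit introduces, and the enclosing `[rule]` table continues outside the hunk.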
@@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/03/12" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,10 +12,51 @@ starting after being renamed or from a non-standard path. This is uncommon behav
 defenses via side loading a malicious DLL within the memory space of one of those processes.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential DLL Side-Loading via Trusted Microsoft Programs"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential DLL Side-Loading via Trusted Microsoft Programs
+
+DLL side-loading exploits the DLL search order to load malicious code into trusted Microsoft programs, which are often whitelisted by security tools. Adversaries rename or relocate these programs to execute unauthorized DLLs, evading detection. The detection rule identifies unusual execution paths or renamed instances of these programs, signaling potential misuse and enabling timely threat response.
+
+### Possible investigation steps
+
+- Review the process details to confirm the original file name and the path from which the process was executed. Check if the process.pe.original_file_name matches any of the specified trusted programs like "WinWord.exe", "EXPLORER.EXE", "w3wp.exe", or "DISM.EXE".
+- Investigate the process execution path to determine if it deviates from the standard paths listed in the query, such as "?:\\Windows\\explorer.exe" or "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE".
+- Examine the process creation history and parent process to identify any unusual or suspicious parent-child relationships that might indicate malicious activity.
+- Check for any recent file modifications or creations in the directory from which the process was executed, which could suggest the presence of a malicious DLL.
+- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Elastic Defend, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify potential patterns of malicious behavior.
+- Assess the risk and impact of the event by considering the risk score and severity level provided, and determine if immediate containment or further investigation is necessary.
+
+### False positive analysis
+
+- Legitimate software updates or installations may temporarily execute trusted Microsoft programs from non-standard paths. Users can create exceptions for known update processes to prevent false alerts.
+- Custom enterprise applications might use renamed instances of trusted Microsoft programs for legitimate purposes. Identify and whitelist these specific applications to avoid unnecessary alerts.
+- Virtual environments or sandboxed applications may execute trusted programs from unusual paths as part of their normal operation. Review and exclude these environments if they are known and trusted.
+- Security or IT administrative tools might mimic trusted Microsoft programs for monitoring or management tasks. Verify these tools and add them to an exception list if they are part of standard operations.
+- Development or testing environments often involve renamed or relocated executables for debugging purposes. Ensure these environments are recognized and excluded from the detection rule to reduce false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and unauthorized access.
+- Terminate the suspicious process identified by the detection rule to stop any ongoing malicious activity.
+- Conduct a forensic analysis of the affected system to identify any malicious DLLs or additional compromised files, and remove them.
+- Restore the affected system from a known good backup to ensure all malicious changes are reverted.
+- Update and patch all software on the affected system, focusing on the trusted Microsoft programs identified in the alert, to mitigate vulnerabilities exploited by DLL side-loading.
+- Monitor the network for any signs of lateral movement or additional compromised systems, using the indicators of compromise identified during the investigation.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or data have been affected."""
 risk_score = 73
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
 setup = """## Setup
@@ -57,41 +96,6 @@ process where host.os.type == "windows" and event.type == "start" and
 "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
 "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential DLL Side-Loading via Trusted Microsoft Programs
-
-DLL side-loading exploits the DLL search order to load malicious code into trusted Microsoft programs, which are often whitelisted by security tools. Adversaries rename or relocate these programs to execute unauthorized DLLs, evading detection. The detection rule identifies unusual execution paths or renamed instances of these programs, signaling potential misuse and enabling timely threat response.
-
-### Possible investigation steps
-
-- Review the process details to confirm the original file name and the path from which the process was executed. Check if the process.pe.original_file_name matches any of the specified trusted programs like "WinWord.exe", "EXPLORER.EXE", "w3wp.exe", or "DISM.EXE".
-- Investigate the process execution path to determine if it deviates from the standard paths listed in the query, such as "?:\\Windows\\explorer.exe" or "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE".
-- Examine the process creation history and parent process to identify any unusual or suspicious parent-child relationships that might indicate malicious activity.
-- Check for any recent file modifications or creations in the directory from which the process was executed, which could suggest the presence of a malicious DLL.
-- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Elastic Defend, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify potential patterns of malicious behavior.
-- Assess the risk and impact of the event by considering the risk score and severity level provided, and determine if immediate containment or further investigation is necessary.
-
-### False positive analysis
-
-- Legitimate software updates or installations may temporarily execute trusted Microsoft programs from non-standard paths. Users can create exceptions for known update processes to prevent false alerts.
-- Custom enterprise applications might use renamed instances of trusted Microsoft programs for legitimate purposes. Identify and whitelist these specific applications to avoid unnecessary alerts.
-- Virtual environments or sandboxed applications may execute trusted programs from unusual paths as part of their normal operation. Review and exclude these environments if they are known and trusted.
-- Security or IT administrative tools might mimic trusted Microsoft programs for monitoring or management tasks. Verify these tools and add them to an exception list if they are part of standard operations.
-- Development or testing environments often involve renamed or relocated executables for debugging purposes. Ensure these environments are recognized and excluded from the detection rule to reduce false positives.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of the potential threat and unauthorized access.
-- Terminate the suspicious process identified by the detection rule to stop any ongoing malicious activity.
-- Conduct a forensic analysis of the affected system to identify any malicious DLLs or additional compromised files, and remove them.
-- Restore the affected system from a known good backup to ensure all malicious changes are reverted.
-- Update and patch all software on the affected system, focusing on the trusted Microsoft programs identified in the alert, to mitigate vulnerabilities exploited by DLL side-loading. -- Monitor the network for any signs of lateral movement or additional compromised systems, using the indicators of compromise identified during the investigation. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or data have been affected.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index f47b122f137..4b4e6f4e9b8 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic", "Dennis Perto"] 
@@ -15,10 +13,49 @@ side-loading a malicious DLL within the memory space of one of those processes.
 """
 false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential DLL Side-Loading via Microsoft Antimalware Service Executable
+
+The Microsoft Antimalware Service Executable, a core component of Windows Defender, is crucial for real-time protection against malware. Adversaries exploit its trust by renaming it or executing it from non-standard paths to load malicious DLLs, bypassing security measures. The detection rule identifies such anomalies by monitoring process names and paths, flagging deviations from expected behavior to uncover potential threats.
+
+### Possible investigation steps
+
+- Review the process details to confirm if the process name is MsMpEng.exe but is executing from a non-standard path. Check the process.executable field to identify the exact path and verify if it deviates from the expected directories.
+- Investigate the parent process of the suspicious MsMpEng.exe instance to determine how it was initiated.
This can provide insights into whether the process was started by a legitimate application or a potentially malicious one.
+- Examine the system for any recent file modifications or creations in the directory where the suspicious MsMpEng.exe is located. This can help identify if a malicious DLL was recently placed in the same directory.
+- Check for any network connections or communications initiated by the suspicious MsMpEng.exe process. This can help determine if the process is attempting to communicate with external servers, which may indicate malicious activity.
+- Look for any other processes or activities on the host that may indicate compromise, such as unusual user account activity or other processes running from unexpected locations. This can help assess the broader impact of the potential threat.
+
+### False positive analysis
+
+- Legitimate software updates or installations may temporarily rename or relocate the Microsoft Antimalware Service Executable. Users should verify if any software updates or installations occurred around the time of the alert and consider excluding these paths if they are known and trusted.
+- Custom security or IT management tools might execute the executable from non-standard paths for monitoring or testing purposes. Confirm with IT or security teams if such tools are in use and add these paths to the exclusion list if they are verified as safe.
+- Virtualization or sandbox environments may replicate the executable in different locations for testing or analysis. Check if the environment is part of a controlled setup and exclude these paths if they are part of legitimate operations.
+- Backup or recovery processes might involve copying the executable to alternate locations. Ensure these processes are legitimate and consider excluding these paths if they are part of routine operations.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further spread of the potential threat.
+- Terminate any suspicious processes identified by the detection rule, specifically those involving MsMpEng.exe running from non-standard paths.
+- Conduct a thorough scan of the affected system using an updated antivirus or endpoint detection and response (EDR) tool to identify and remove any malicious DLLs or other malware.
+- Review and restore any altered or deleted system files from a known good backup to ensure system integrity.
+- Investigate the source of the DLL side-loading attempt to determine if it was part of a broader attack campaign, and gather forensic evidence for further analysis.
+- Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to assess the need for further containment measures.
+- Implement additional monitoring and alerting for similar anomalies in process execution paths to enhance detection capabilities and prevent recurrence."""
 references = [
 "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/",
 ]
@@ -60,39 +97,6 @@ process where host.os.type == "windows" and event.type == "start" and
 "?:\\Program Files (x86)\\Microsoft Security Client\\*.exe"))
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential DLL Side-Loading via Microsoft Antimalware Service Executable
-
-The Microsoft Antimalware Service Executable, a core component of Windows Defender, is crucial for real-time protection against malware. Adversaries exploit its trust by renaming it or executing it from non-standard paths to load malicious DLLs, bypassing security measures. The detection rule identifies such anomalies by monitoring process names and paths, flagging deviations from expected behavior to uncover potential threats.
-
-### Possible investigation steps
-
-- Review the process details to confirm if the process name is MsMpEng.exe but is executing from a non-standard path. Check the process.executable field to identify the exact path and verify if it deviates from the expected directories.
-- Investigate the parent process of the suspicious MsMpEng.exe instance to determine how it was initiated. This can provide insights into whether the process was started by a legitimate application or a potentially malicious one.
-- Examine the system for any recent file modifications or creations in the directory where the suspicious MsMpEng.exe is located. This can help identify if a malicious DLL was recently placed in the same directory.
-- Check for any network connections or communications initiated by the suspicious MsMpEng.exe process. This can help determine if the process is attempting to communicate with external servers, which may indicate malicious activity.
-- Look for any other processes or activities on the host that may indicate compromise, such as unusual user account activity or other processes running from unexpected locations. This can help assess the broader impact of the potential threat.
-
-### False positive analysis
-
-- Legitimate software updates or installations may temporarily rename or relocate the Microsoft Antimalware Service Executable. Users should verify if any software updates or installations occurred around the time of the alert and consider excluding these paths if they are known and trusted.
-- Custom security or IT management tools might execute the executable from non-standard paths for monitoring or testing purposes. Confirm with IT or security teams if such tools are in use and add these paths to the exclusion list if they are verified as safe.
-- Virtualization or sandbox environments may replicate the executable in different locations for testing or analysis. Check if the environment is part of a controlled setup and exclude these paths if they are part of legitimate operations.
-- Backup or recovery processes might involve copying the executable to alternate locations. Ensure these processes are legitimate and consider excluding these paths if they are part of routine operations.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further spread of the potential threat.
-- Terminate any suspicious processes identified by the detection rule, specifically those involving MsMpEng.exe running from non-standard paths.
-- Conduct a thorough scan of the affected system using an updated antivirus or endpoint detection and response (EDR) tool to identify and remove any malicious DLLs or other malware.
-- Review and restore any altered or deleted system files from a known good backup to ensure system integrity.
-- Investigate the source of the DLL side-loading attempt to determine if it was part of a broader attack campaign, and gather forensic evidence for further analysis. -- Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to assess the need for further containment measures. -- Implement additional monitoring and alerting for similar anomalies in process execution paths to enhance detection capabilities and prevent recurrence.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index aafffc95638..f9a26ca9dda 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,34 +12,17 @@ when the name or location of a file is manipulated as a means of tricking a user benign file type but is actually executable code. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Executable File Creation with Multiple Extensions" -risk_score = 47 -rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and - file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and - not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and - file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -76,6 +57,30 @@ In Windows environments, adversaries may exploit file extensions to disguise mal - Review and restore any altered system configurations or files to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar file creation activities to improve detection and response capabilities for future incidents.""" +risk_score = 47 +rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and + file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and + not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and + file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index 2ee0007f97b..f75dd62ad5e 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml 
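Review bot: The re-added query's exclusion mixes path styles: `"C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe"` hard-codes the `C:` drive while the sibling `process.executable` and `file.path` patterns in the same clause use `?:`. On a host whose profile directory lives on another drive the exclusion does not apply and the QGIS installer's `grass\\*.exe` drops would alert again; writing it as `"?:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe"` keeps the exception consistent with the rest of the rule. The regex alternation also lists `txt` twice, and dropping the duplicate is a harmless cleanup. Both points predate this commit, which only moves the block after the investigation note.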
@@ -2,9 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -108,8 +106,8 @@ This rule identifies processes that are executed from suspicious default Windows - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ -"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", -"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" + "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", + "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry", ] risk_score = 47 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f" diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 5e37948e8b9..edecd6a9b9e 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,22 +11,17 @@ Identifies registry write modifications to hide an encoded portable executable. defense evasion by avoiding the storing of malicious content directly on disk. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "winlogbeat-*", "logs-m365_defender.event-*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*", + "winlogbeat-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Encoded Executable Stored in the Registry" -risk_score = 47 -rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and -/* update here with encoding combinations */ - registry.data.strings : "TVqQAAMAAAAEAAAA*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -63,6 +56,29 @@ Windows Registry is a hierarchical database storing low-level settings for the O - Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning. - Monitor the system and network for any signs of re-infection or similar registry modifications, adjusting detection rules if necessary to enhance future threat identification. - Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further analysis and to determine if additional systems are affected.""" +risk_score = 47 +rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and +/* update here with encoding combinations */ + registry.data.strings : "TVqQAAMAAAAEAAAA*" +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 0dc79543403..60048de8eac 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules/windows/defense_evasion_indirect_exec_forfiles.toml b/rules/windows/defense_evasion_indirect_exec_forfiles.toml index e458499fd12..81da810b4bd 100644 --- a/rules/windows/defense_evasion_indirect_exec_forfiles.toml +++ b/rules/windows/defense_evasion_indirect_exec_forfiles.toml @@ -2,15 +2,13 @@ creation_date = "2025/02/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Detects attempts to execute a command via the forfiles Windows utility. Adversaries may use this utility to proxy execution via -a trusted parent process. +Detects attempts to execute a command via the forfiles Windows utility. Adversaries may use this utility to proxy +execution via a trusted parent process. """ from = "now-9m" index = [ diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index 214f3fe79d0..742f00543cf 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["windows"] maturity = "production" -updated_date = "2025/02/25" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,27 +15,6 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Injection by the Microsoft Build Engine"
-risk_score = 21
-rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Privilege Escalation",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and
- event.provider == "Microsoft-Windows-Sysmon" and
- /* CreateRemoteThread */
- event.code == "8" and process.name: "MSBuild.exe"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -74,6 +51,27 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, of
 - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the intrusion.
 - Implement application whitelisting to prevent unauthorized execution of MSBuild.exe or similar tools in non-development environments.
 - Enhance monitoring and detection capabilities by ensuring Sysmon is configured to log detailed process creation and thread injection events across the network."""
+risk_score = 21
+rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Privilege Escalation",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and
+ event.provider == "Microsoft-Windows-Sysmon" and
+ /* CreateRemoteThread */
+ event.code == "8" and process.name: "MSBuild.exe"
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index d0f651bb220..68a0577f707 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -22,27 +20,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "InstallUtil Process Making Network Connections"
-risk_score = 47
-rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */
-
-sequence by process.entity_id
- [process where host.os.type == "windows" and event.type == "start" and process.name : "installutil.exe"]
- [network where host.os.type == "windows" and process.name : "installutil.exe" and network.direction : ("outgoing", "egress")]
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -78,6 +55,27 @@ InstallUtil.exe is a legitimate Windows utility used for installing and uninstal
 - Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement network monitoring and alerting for unusual outbound connections from critical systems to enhance detection of similar threats in the future."""
+risk_score = 47
+rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */
+
+sequence by process.entity_id
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "installutil.exe"]
+ [network where host.os.type == "windows" and process.name : "installutil.exe" and network.direction : ("outgoing", "egress")]
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
index bf4b4be6a9d..7e7b3dddaec 100644
--- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
+++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
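Review bot: The relocated `sequence by process.entity_id` carries no `maxspan`, so the process-start event and the later network event are joined across an unbounded window, and unlike the sibling rules touched by this change the block sets no `timestamp_override = "event.ingested"`. Neither is introduced by the move, but since these lines are being rewritten anyway this is the place to decide on them: a bounded join such as `sequence by process.entity_id with maxspan=1m` (value to be tuned against the rule's test data) keeps the correlation close to the start event the comment describes, and if the missing override is deliberate for sequence rules a one-line comment above `query` should say so. The original inline comment about alerting only on the first connection should be kept either way.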
@@ -1,16 +1,14 @@
 [metadata]
 creation_date = "2024/07/24"
-integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule looks
-for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.
+An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule
+looks for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.
 """
 from = "now-9m"
 index = [
@@ -25,38 +23,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via Windows Command Debugging Utility"
-references = ["https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"]
-risk_score = 47
-rule_id = "bdfaddc4-4438-48b4-bc43-9f5cf8151c46"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Crowdstrike",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- (?process.pe.original_file_name == "CDB.Exe" or process.name : "cdb.exe") and
- process.args : ("-cf", "-c", "-pd") and
- not process.executable : (
- "?:\\Program Files (x86)\\*\\cdb.exe",
- "?:\\Program Files\\*\\cdb.exe",
- "\\Device\\HarddiskVolume?\\Program Files (x86)\\*\\cdb.exe",
- "\\Device\\HarddiskVolume?\\Program Files\\*\\cdb.exe"
- )
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -91,6 +57,38 @@ The Windows command line debugging utility, cdb.exe, is a legitimate tool used f
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Implement application whitelisting to prevent unauthorized execution of cdb.exe from non-standard paths.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign."""
+references = ["https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"]
+risk_score = 47
+rule_id = "bdfaddc4-4438-48b4-bc43-9f5cf8151c46"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (?process.pe.original_file_name == "CDB.Exe" or process.name : "cdb.exe") and
+ process.args : ("-cf", "-c", "-pd") and
+ not process.executable : (
+ "?:\\Program Files (x86)\\*\\cdb.exe",
+ "?:\\Program Files\\*\\cdb.exe",
+ "\\Device\\HarddiskVolume?\\Program Files (x86)\\*\\cdb.exe",
+ "\\Device\\HarddiskVolume?\\Program Files\\*\\cdb.exe"
+ )
+'''
 [[rule.threat]]
@@ -101,7 +99,6 @@ name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 08fd9150654..659a6260d43 100644
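Review bot: The exclusion list in the relocated query, `"?:\\Program Files (x86)\\*\\cdb.exe"` and `"?:\\Program Files\\*\\cdb.exe"` plus their `\\Device\\HarddiskVolume?` forms, treats any subdirectory of either Program Files tree as trusted, while the description rewrapped earlier in this file says the rule fires when cdb.exe is "outside of the normal WindowsKit installation paths"; the query is noticeably wider than the description. Either narrow the patterns to the debugger's install subtree or reword the description to say that any Program Files location is excluded, so analysts tuning this rule know what the exclusion actually covers. The move itself is consistent with the field order used for the sibling rules in this change.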
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -26,6 +24,41 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Endpoint Security Parent Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Endpoint Security Parent Process
+
+Endpoint security solutions, like Elastic and Microsoft Defender, monitor and protect systems by analyzing process behaviors. Adversaries may exploit these processes through techniques like process hollowing, where malicious code is injected into legitimate processes to evade detection. The detection rule identifies anomalies by flagging unexpected parent processes of security executables, excluding known benign paths and arguments, thus highlighting potential threats.
+
+### Possible investigation steps
+
+- Review the process details for the flagged executable (e.g., esensor.exe or elastic-endpoint.exe) to understand its expected behavior and any recent changes in its configuration or deployment.
+- Examine the parent process executable path and name to determine if it is a known legitimate process or potentially malicious. Pay special attention to paths not listed in the known benign paths, such as those outside "?:\\Program Files\\Elastic\\*" or "?:\\Windows\\System32\\*".
+- Investigate the command-line arguments used by the parent process to identify any unusual or suspicious patterns that could indicate malicious activity, especially if they do not match the benign arguments like "test", "version", or "status".
+- Check the historical activity of the parent process to see if it has been involved in other suspicious activities or if it has a history of spawning security-related processes.
+- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and identify any related suspicious activities.
+- Assess the risk and impact of the alert by considering the environment, the criticality of the affected systems, and any potential data exposure or operational disruption.
+
+### False positive analysis
+
+- Security tools or scripts that automate tasks may trigger false positives if they launch endpoint security processes with unexpected parent processes. To manage this, identify and document these tools, then add their parent executable paths to the exclusion list.
+- System administrators or IT personnel may use command-line tools like PowerShell or cmd.exe for legitimate maintenance tasks. If these tasks frequently trigger alerts, consider adding specific command-line arguments used in these tasks to the exclusion list.
+- Software updates or installations might temporarily cause unexpected parent processes for security executables. Monitor these activities and, if they are routine and verified, add the associated parent executable paths to the exclusion list.
+- Custom scripts or third-party applications that interact with security processes can also lead to false positives. Review these scripts or applications, and if they are deemed safe, include their parent executable paths in the exclusion list.
+- Regularly review and update the exclusion list to ensure it reflects the current environment and operational practices, minimizing the risk of overlooking new legitimate processes.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
+- Terminate the suspicious process identified by the alert to stop any ongoing malicious activity and prevent further code execution.
+- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise, such as unauthorized changes or additional malicious files.
+- Restore the system from a known good backup if any malicious activity or unauthorized changes are confirmed, ensuring that the backup is clean and uncompromised.
+- Update endpoint security solutions and apply any available patches to address vulnerabilities that may have been exploited by the adversary.
+- Monitor the network and systems for any signs of re-infection or similar suspicious activities, using enhanced logging and alerting based on the identified threat indicators.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected."""
 risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
 severity = "medium"
@@ -72,41 +105,6 @@ process where host.os.type == "windows" and event.type == "start" and
 )
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Endpoint Security Parent Process
-
-Endpoint security solutions, like Elastic and Microsoft Defender, monitor and protect systems by analyzing process behaviors. Adversaries may exploit these processes through techniques like process hollowing, where malicious code is injected into legitimate processes to evade detection. The detection rule identifies anomalies by flagging unexpected parent processes of security executables, excluding known benign paths and arguments, thus highlighting potential threats.
-
-### Possible investigation steps
-
-- Review the process details for the flagged executable (e.g., esensor.exe or elastic-endpoint.exe) to understand its expected behavior and any recent changes in its configuration or deployment.
-- Examine the parent process executable path and name to determine if it is a known legitimate process or potentially malicious. Pay special attention to paths not listed in the known benign paths, such as those outside "?:\\Program Files\\Elastic\\*" or "?:\\Windows\\System32\\*".
-- Investigate the command-line arguments used by the parent process to identify any unusual or suspicious patterns that could indicate malicious activity, especially if they do not match the benign arguments like "test", "version", or "status".
-- Check the historical activity of the parent process to see if it has been involved in other suspicious activities or if it has a history of spawning security-related processes.
-- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and identify any related suspicious activities.
-- Assess the risk and impact of the alert by considering the environment, the criticality of the affected systems, and any potential data exposure or operational disruption.
-
-### False positive analysis
-
-- Security tools or scripts that automate tasks may trigger false positives if they launch endpoint security processes with unexpected parent processes. To manage this, identify and document these tools, then add their parent executable paths to the exclusion list.
-- System administrators or IT personnel may use command-line tools like PowerShell or cmd.exe for legitimate maintenance tasks. If these tasks frequently trigger alerts, consider adding specific command-line arguments used in these tasks to the exclusion list.
-- Software updates or installations might temporarily cause unexpected parent processes for security executables. Monitor these activities and, if they are routine and verified, add the associated parent executable paths to the exclusion list.
-- Custom scripts or third-party applications that interact with security processes can also lead to false positives. Review these scripts or applications, and if they are deemed safe, include their parent executable paths in the exclusion list.
-- Regularly review and update the exclusion list to ensure it reflects the current environment and operational practices, minimizing the risk of overlooking new legitimate processes.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
-- Terminate the suspicious process identified by the alert to stop any ongoing malicious activity and prevent further code execution.
-- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise, such as unauthorized changes or additional malicious files.
-- Restore the system from a known good backup if any malicious activity or unauthorized changes are confirmed, ensuring that the backup is clean and uncompromised.
-- Update endpoint security solutions and apply any available patches to address vulnerabilities that may have been exploited by the adversary.
-- Monitor the network and systems for any signs of re-infection or similar suspicious activities, using enhanced logging and alerting based on the identified threat indicators.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected."""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 15635fea2d0..2a4129e8206 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,13 @@ Identifies a suspicious AutoIt process execution. Malware written as an AutoIt s
 executable to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Renamed AutoIt Scripts Interpreter"
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 30695cdb25f..f7808e814e3 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -20,11 +18,45 @@ index = [
 "logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-m365_defender.event-*"
- ]
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WerFault Child Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious WerFault Child Process
+
+WerFault.exe is a Windows error reporting tool that handles application crashes. Adversaries may exploit it by manipulating the SilentProcessExit registry key to execute malicious processes stealthily. The detection rule identifies unusual child processes of WerFault.exe, focusing on specific command-line arguments indicative of this abuse, while excluding known legitimate executables, thus highlighting potential threats.
+
+### Possible investigation steps
+
+- Review the command line arguments of the suspicious child process to confirm the presence of "-s", "-t", and "-c" flags, which indicate potential abuse of the SilentProcessExit mechanism.
+- Examine the process executable path to ensure it is not one of the known legitimate executables ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe") that are excluded from the detection rule.
+- Investigate the network connections established by the suspicious process to identify any unusual or unauthorized external communications.
+- Analyze file writes and modifications made by the process to detect any unauthorized changes or potential indicators of compromise.
+- Check the parent process tree to understand the context of how WerFault.exe was invoked and identify any preceding suspicious activities or processes.
+- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Microsoft Defender for Endpoint, Sysmon, or SentinelOne to gather additional context and assess the scope of the potential threat.
+
+### False positive analysis
+
+- Legitimate software updates or installations may trigger WerFault.exe with command-line arguments similar to those used in the SilentProcessExit mechanism. Users should verify the digital signature of the executable and check if it aligns with known update processes.
+- Security software or system management tools might use WerFault.exe for legitimate purposes. Users can create exceptions for these known tools by adding their executables to the exclusion list in the detection rule.
+- Custom scripts or enterprise applications that utilize WerFault.exe for error handling could be flagged. Review the process details and, if verified as non-threatening, add these scripts or applications to the exclusion list.
+- Frequent occurrences of the same process being flagged can indicate a benign pattern. Users should monitor these patterns and, if consistently verified as safe, update the rule to exclude these specific processes.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further potential malicious activity and lateral movement.
+- Terminate the suspicious child process of WerFault.exe immediately to halt any ongoing malicious actions.
+- Conduct a thorough review of the SilentProcessExit registry key to identify and remove any unauthorized entries that may have been used to execute the malicious process.
+- Restore any altered or deleted files from a known good backup to ensure system integrity and recover any lost data.
+- Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats or remnants of the attack.
+- Monitor network traffic and system logs for any signs of persistence mechanisms or further attempts to exploit the SilentProcessExit mechanism.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 references = [
 "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
 "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
@@ -61,40 +93,6 @@ process where host.os.type == "windows" and event.type == "start" and
 not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious WerFault Child Process
-
-WerFault.exe is a Windows error reporting tool that handles application crashes. Adversaries may exploit it by manipulating the SilentProcessExit registry key to execute malicious processes stealthily. The detection rule identifies unusual child processes of WerFault.exe, focusing on specific command-line arguments indicative of this abuse, while excluding known legitimate executables, thus highlighting potential threats.
-
-### Possible investigation steps
-
-- Review the command line arguments of the suspicious child process to confirm the presence of "-s", "-t", and "-c" flags, which indicate potential abuse of the SilentProcessExit mechanism.
-- Examine the process executable path to ensure it is not one of the known legitimate executables ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe") that are excluded from the detection rule.
-- Investigate the network connections established by the suspicious process to identify any unusual or unauthorized external communications.
-- Analyze file writes and modifications made by the process to detect any unauthorized changes or potential indicators of compromise.
-- Check the parent process tree to understand the context of how WerFault.exe was invoked and identify any preceding suspicious activities or processes.
-- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Microsoft Defender for Endpoint, Sysmon, or SentinelOne to gather additional context and assess the scope of the potential threat.
-
-### False positive analysis
-
-- Legitimate software updates or installations may trigger WerFault.exe with command-line arguments similar to those used in the SilentProcessExit mechanism. Users should verify the digital signature of the executable and check if it aligns with known update processes.
-- Security software or system management tools might use WerFault.exe for legitimate purposes. Users can create exceptions for these known tools by adding their executables to the exclusion list in the detection rule.
-- Custom scripts or enterprise applications that utilize WerFault.exe for error handling could be flagged. Review the process details and, if verified as non-threatening, add these scripts or applications to the exclusion list.
-- Frequent occurrences of the same process being flagged can indicate a benign pattern. Users should monitor these patterns and, if consistently verified as safe, update the rule to exclude these specific processes.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further potential malicious activity and lateral movement.
-- Terminate the suspicious child process of WerFault.exe immediately to halt any ongoing malicious actions.
-- Conduct a thorough review of the SilentProcessExit registry key to identify and remove any unauthorized entries that may have been used to execute the malicious process.
-- Restore any altered or deleted files from a known good backup to ensure system integrity and recover any lost data.
-- Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats or remnants of the attack.
-- Monitor network traffic and system logs for any signs of persistence mechanisms or further attempts to exploit the SilentProcessExit mechanism.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 [[rule.threat]]
@@ -109,8 +107,6 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -128,9 +124,6 @@ reference = "https://attack.mitre.org/techniques/T1546/012/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 663acbc611e..736a8830f0c 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -28,6 +26,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Program Files Directory Masquerading" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Program Files Directory Masquerading + +The Program Files directories in Windows are trusted locations for legitimate software. Adversaries may exploit this trust by creating similarly named directories to execute malicious files, bypassing security measures. The detection rule identifies suspicious executions from these masquerading paths, excluding known legitimate directories, to flag potential threats. This helps in identifying defense evasion tactics used by attackers. + +### Possible investigation steps + +- Review the process executable path to confirm if it matches any known masquerading patterns, such as unexpected directories containing "Program Files" in their path. +- Check the parent process of the suspicious executable to determine how it was launched and assess if the parent process is legitimate or potentially malicious. +- Investigate the user account associated with the process execution to determine if it has low privileges and if the activity aligns with typical user behavior. +- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. +- Examine the file hash of the executable to see if it matches known malware signatures or if it has been flagged in threat intelligence databases. 
+- Assess the network activity associated with the process to identify any unusual outbound connections that could indicate data exfiltration or command-and-control communication. + +### False positive analysis + +- Legitimate software installations or updates may create temporary directories resembling Program Files paths. Users can monitor installation logs and exclude these specific paths if they are verified as part of a legitimate process. +- Some enterprise applications may use custom directories that mimic Program Files for compatibility reasons. IT administrators should document these paths and add them to the exclusion list to prevent false alerts. +- Development environments might create test directories with similar naming conventions. Developers should ensure these paths are excluded during active development phases to avoid unnecessary alerts. +- Security tools or scripts that perform regular checks or updates might execute from non-standard directories. Verify these tools and add their execution paths to the exception list if they are confirmed safe. +- Backup or recovery software might temporarily use directories that resemble Program Files for storing executable files. Confirm the legitimacy of these operations and exclude the paths if they are part of routine backup processes. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity. +- Terminate any suspicious processes identified as executing from masquerading directories to halt any ongoing malicious actions. +- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants. +- Review and restore any altered system configurations or settings to their original state to ensure system integrity. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. +- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the threat or similar tactics. +- Update security policies and access controls to prevent unauthorized creation of directories that mimic trusted paths, enhancing defenses against similar masquerading attempts.""" risk_score = 47 rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14" severity = "medium" 
@@ -76,41 +109,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Program Files Directory Masquerading - -The Program Files directories in Windows are trusted locations for legitimate software. Adversaries may exploit this trust by creating similarly named directories to execute malicious files, bypassing security measures. The detection rule identifies suspicious executions from these masquerading paths, excluding known legitimate directories, to flag potential threats. This helps in identifying defense evasion tactics used by attackers. - -### Possible investigation steps - -- Review the process executable path to confirm if it matches any known masquerading patterns, such as unexpected directories containing "Program Files" in their path. -- Check the parent process of the suspicious executable to determine how it was launched and assess if the parent process is legitimate or potentially malicious. -- Investigate the user account associated with the process execution to determine if it has low privileges and if the activity aligns with typical user behavior. -- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. -- Examine the file hash of the executable to see if it matches known malware signatures or if it has been flagged in threat intelligence databases. -- Assess the network activity associated with the process to identify any unusual outbound connections that could indicate data exfiltration or command-and-control communication. 
- -### False positive analysis - -- Legitimate software installations or updates may create temporary directories resembling Program Files paths. Users can monitor installation logs and exclude these specific paths if they are verified as part of a legitimate process. -- Some enterprise applications may use custom directories that mimic Program Files for compatibility reasons. IT administrators should document these paths and add them to the exclusion list to prevent false alerts. -- Development environments might create test directories with similar naming conventions. Developers should ensure these paths are excluded during active development phases to avoid unnecessary alerts. -- Security tools or scripts that perform regular checks or updates might execute from non-standard directories. Verify these tools and add their execution paths to the exception list if they are confirmed safe. -- Backup or recovery software might temporarily use directories that resemble Program Files for storing executable files. Confirm the legitimacy of these operations and exclude the paths if they are part of routine backup processes. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity. -- Terminate any suspicious processes identified as executing from masquerading directories to halt any ongoing malicious actions. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants. -- Review and restore any altered system configurations or settings to their original state to ensure system integrity. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. 
-- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the threat or similar tactics. -- Update security policies and access controls to prevent unauthorized creation of directories that mimic trusted paths, enhancing defenses against similar masquerading attempts.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index fde26ca2cff..e9adbf55958 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 8d7ee180716..ce6f85653aa 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/27" [rule] author = ["Austin Songer"] @@ -20,7 +18,7 @@ index = [ "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "endgame-*" + "endgame-*", ] language = "eql" license = "Elastic License v2" 
@@ -101,7 +99,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. ) and registry.data.strings : ("0", "0x00000000") ) or ( - registry.path : ( + registry.value : ( "DisableAntiSpyware", "DisableRealtimeMonitoring", "DisableIntrusionPreventionSystem", "DisableScriptScanning", "DisableIOAVProtection", "DisableEnhancedNotifications", "DisableBlockAtFirstSeen", "DisableBehaviorMonitoring" ) and registry.data.strings : ("1", "0x00000001") diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index 4e470e8ba1a..aa1255cc925 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index f749a8499a2..ceeaf6ad579 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml +++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/12" integration = ["windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
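Review bot: The corrected branch now keys on `registry.value` alone, so a value named e.g. DisableRealtimeMonitoring written under any key will satisfy it, not only one under the Windows Defender policy tree; the enclosing `registry where ...` clause is cut off above this hunk, so confirm it still anchors `registry.path` to the Defender key tree, otherwise a third-party product mirroring these value names would trip the rule. The sibling branch ending in `registry.data.strings : ("0", "0x00000000")` sits just outside the hunk and is worth checking for the same mistake, since comparing bare value names against `registry.path` could never match a full key path. Because this changes what the query matches, a short note on why alert volume may shift would help analysts reading the updated rule.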
@@ -14,7 +12,13 @@ Macros. Adversaries may abuse these security settings to modify the default beha future macros and/or disable security warnings, which could increase their chances of establishing persistence. """ from = "now-9m" -index = ["winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "MS Office Macro Security Registry Modifications" diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index a3fb8499cb3..5f9e895759c 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml index 103bb66acf9..00570804570 100644 --- a/rules/windows/defense_evasion_mshta_beacon.toml +++ b/rules/windows/defense_evasion_mshta_beacon.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -22,32 +20,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Mshta Making Network Connections" -references = [ - "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", -] -risk_score = 47 -rule_id = "c2d90150-0133-451c-a783-533e736c12d7" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by process.entity_id with maxspan=10m - [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and - not process.parent.name : "Microsoft.ConfigurationManagement.exe" and - not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or - process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and - not process.args : "ADSelfService_Enroll.hta"] - [network where host.os.type == "windows" and process.name : "mshta.exe"] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +53,32 @@ Mshta.exe is a legitimate Windows utility used to execute Microsoft HTML Applica - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated. - Implement application whitelisting to prevent unauthorized execution of mshta.exe and similar system binaries. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +references = [ + "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", +] +risk_score = 47 +rule_id = "c2d90150-0133-451c-a783-533e736c12d7" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by process.entity_id with maxspan=10m + [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and + not process.parent.name : "Microsoft.ConfigurationManagement.exe" and + not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or + process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and + not process.args : "ADSelfService_Enroll.hta"] + [network where host.os.type == "windows" and process.name : "mshta.exe"] +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml index dde8076da1a..448e41579fb 100644 --- a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml +++ b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml 
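Review bot: In the re-added query the exclusion `not process.args : "ADSelfService_Enroll.hta"` matches that string in any argument position, so an mshta launch of an arbitrary remote HTA that merely appends `ADSelfService_Enroll.hta` as a trailing argument would be excluded if mshta tolerates extra arguments; anchoring it to the expected invocation, e.g. `not process.args : "*\\ADSelfService_Enroll.hta"` if the legitimate launch passes a full path, narrows that. The parent exclusions on `process.parent.name` and `process.parent.executable` are likewise bypassable by a renamed binary or one placed at those paths, which is an accepted trade-off but worth stating in the guide's false-positive section. This hunk is a move of the block removed in the previous hunk, so the logic itself is unchanged here.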
@@ -2,9 +2,7 @@ creation_date = "2024/09/09" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 [rule] author = ["Elastic"]
@@ -13,42 +11,15 @@ Identifies the execution of an MsiExec service child process followed by network abuse Windows Installers for initial access and delivery of malware. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "MsiExec Service Child Process With Network Connection" -risk_score = 47 -rule_id = "65432f4a-e716-4cc1-ab11-931c4966da2d" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by process.entity_id with maxspan=1m - [process where host.os.type == "windows" and event.type : "start" and - process.parent.name : "msiexec.exe" and process.parent.args : "/v" and - not process.executable : - ("?:\\Windows\\System32\\msiexec.exe", - "?:\\Windows\\sysWOW64\\msiexec.exe", - "?:\\Windows\\system32\\srtasks.exe", - "?:\\Windows\\syswow64\\srtasks.exe", - "?:\\Windows\\sys*\\taskkill.exe", - "?:\\Program Files\\*.exe", - "?:\\Program Files (x86)\\*.exe", - "?:\\Windows\\Installer\\MSI*.tmp", - "?:\\Windows\\Microsoft.NET\\Framework*\\RegSvcs.exe") and - not (process.name : ("rundll32.exe", "regsvr32.exe") and process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))] -[any where host.os.type == "windows" and event.category in ("network", "dns") and process.name != null] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -84,6 +55,38 @@ MsiExec is a Windows utility for installing, maintaining, and removing software. - Reset credentials and review access permissions for any accounts that may have been compromised or used during the attack. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and detection rules to identify similar threats in the future, focusing on unusual MsiExec activity and network connections.""" +risk_score = 47 +rule_id = "65432f4a-e716-4cc1-ab11-931c4966da2d" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by process.entity_id with maxspan=1m + [process where host.os.type == "windows" and event.type : "start" and + process.parent.name : "msiexec.exe" and process.parent.args : "/v" and + not process.executable : + ("?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\sysWOW64\\msiexec.exe", + "?:\\Windows\\system32\\srtasks.exe", + "?:\\Windows\\syswow64\\srtasks.exe", + "?:\\Windows\\sys*\\taskkill.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\Installer\\MSI*.tmp", + "?:\\Windows\\Microsoft.NET\\Framework*\\RegSvcs.exe") and + not (process.name : ("rundll32.exe", "regsvr32.exe") and process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))] +[any where host.os.type == "windows" and event.category in ("network", "dns") and process.name != null] +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index 4049b815df4..188993ffe75 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml 
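Review bot: The `not process.executable : (... "?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe" ...)` exclusion in the moved query drops every child started from Program Files, which is also where a malicious MSI running under the elevated installer service would most naturally place its payload; this is presumably a deliberate noise trade-off, but it means the rule mainly covers droppers that run from temp or other user-writable paths, and that limit is worth stating in the rule description or guide. The rundll32/regsvr32 carve-out `process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")` has the same property, since it excludes on an argument prefix rather than on a known or signed DLL. Both conditions are pre-existing and only moved by this hunk rather than introduced by it.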
+++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -22,31 +20,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Network Connection via MsXsl" -references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"] -risk_score = 21 -rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by process.entity_id - [process where host.os.type == "windows" and process.name : "msxsl.exe" and event.type == "start"] - [network where host.os.type == "windows" and process.name : "msxsl.exe" and - not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", - "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", - "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", - "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", - "FE80::/10", "FF00::/8")] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +54,31 @@ MsXsl.exe is a legitimate Windows utility used to transform XML data using XSLT - Restore the affected system from a known good backup if any critical system files or configurations have been altered. - Implement network segmentation to limit the ability of msxsl.exe or similar utilities to make unauthorized external connections in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been impacted.""" +references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"] +risk_score = 21 +rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by process.entity_id + [process where host.os.type == "windows" and process.name : "msxsl.exe" and event.type == "start"] + [network where host.os.type == "windows" and process.name : "msxsl.exe" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8")] +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index a8a58c8dbbc..2fd614a2bc0 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml 
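Review bot: The moved `cidrmatch(destination.ip, ...)` exclusion lists every IPv4 private and special-purpose range but on the IPv6 side only `::1`, `FE80::/10` and `FF00::/8`, so internal unique-local traffic in `FC00::/7` would still alert; adding `"FC00::/7"` to the list keeps the two address families consistent. The sequence also has no `maxspan`, unlike the mshta (`with maxspan=10m`) and msiexec (`with maxspan=1m`) rules in this same diff, so a process start can be paired with a network event arbitrarily later; if that is intentional a comment in the rule would help, otherwise `sequence by process.entity_id with maxspan=10m` bounds it. The `192.0.0.0/29` and `192.0.0.*/32` entries are already covered by `192.0.0.0/24` and can be dropped without changing behavior.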
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform] [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index 4e4bb4fb19e..bd0596ecb63 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -2,9 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 [rule] author = ["Elastic"]
@@ -14,10 +12,51 @@ default) and is set to 1, then remote connections from all local members of Admi high-integrity tokens during negotiation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Local Account TokenFilter Policy Disabled" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Local Account TokenFilter Policy Disabled + +The LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled, allows remote connections from local administrators to use full high-integrity tokens. Adversaries may exploit this to bypass User Account Control (UAC) and gain elevated privileges remotely. The detection rule monitors changes to this registry setting, identifying potential unauthorized modifications that could indicate an attempt to facilitate lateral movement or evade defenses. + +### Possible investigation steps + +- Review the registry event logs to confirm the change to the LocalAccountTokenFilterPolicy setting, specifically looking for entries where the registry.value is "LocalAccountTokenFilterPolicy" and registry.data.strings is "1" or "0x00000001". +- Identify the user account and process responsible for the registry modification by examining the associated event logs for user and process information. 
+- Check for any recent remote connections to the affected system, focusing on connections initiated by local administrator accounts, to determine if the change was exploited for lateral movement. +- Investigate any other recent registry changes on the host to identify potential patterns of unauthorized modifications that could indicate broader malicious activity. +- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and assess the scope of the potential threat. +- Assess the system for signs of compromise or malicious activity, such as unusual processes, network connections, or file modifications, that may have occurred around the time of the registry change. + +### False positive analysis + +- Administrative tools or scripts that modify the LocalAccountTokenFilterPolicy for legitimate configuration purposes may trigger alerts. To manage this, identify and document these tools, then create exceptions for their known registry changes. +- System updates or patches that adjust registry settings as part of their installation process can cause false positives. Monitor update schedules and correlate alerts with these activities to determine if they are benign. +- Security software or management solutions that enforce policy changes across endpoints might modify this registry setting. Verify these actions with your IT or security team and consider excluding these processes from triggering alerts. +- Custom scripts or automation tasks used for system hardening or configuration management may alter this setting. Review these scripts and whitelist their expected changes to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. 
+- Revert the registry setting for LocalAccountTokenFilterPolicy to its default state if it was modified without authorization. +- Conduct a thorough review of recent administrative activities and access logs on the affected system to identify any unauthorized access or changes. +- Reset passwords for all local administrator accounts on the affected system to prevent potential misuse of compromised credentials. +- Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activities or attempts to modify registry settings. +- Escalate the incident to the security operations center (SOC) for further investigation and to determine if the threat is part of a larger attack campaign. +- Implement additional network segmentation and access controls to limit administrative access to critical systems and reduce the risk of similar threats.""" references = [ "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", 
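Review bot: The guide's opening sentence, `The LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled, allows remote connections from local administrators to use full high-integrity tokens.`, reads as if the rule fires on the policy being turned on, while the rule name says "Disabled" and the query matches the value being set to 1; clearer wording is `The LocalAccountTokenFilterPolicy value, when set to 1, disables UAC remote token filtering so that remote logons by local Administrators members receive a full high-integrity token.` The remediation bullet `Revert the registry setting ... to its default state` could name that state (delete the value, or set it to 0), since the rule description above appears to say the value is not present by default, though that description is cut off at the top of this hunk and should be confirmed. It is also worth noting that an actor who could write this value already held local admin on the host, so resetting passwords alone does not close the path by which it was set.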
@@ -53,40 +92,6 @@ registry where host.os.type == "windows" and event.type == "change" and
     "MACHINE\\*\\LocalAccountTokenFilterPolicy"
   ) and registry.data.strings : ("1", "0x00000001")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Local Account TokenFilter Policy Disabled
-
-The LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled, allows remote connections from local administrators to use full high-integrity tokens. Adversaries may exploit this to bypass User Account Control (UAC) and gain elevated privileges remotely. The detection rule monitors changes to this registry setting, identifying potential unauthorized modifications that could indicate an attempt to facilitate lateral movement or evade defenses.
-
-### Possible investigation steps
-
-- Review the registry event logs to confirm the change to the LocalAccountTokenFilterPolicy setting, specifically looking for entries where the registry.value is "LocalAccountTokenFilterPolicy" and registry.data.strings is "1" or "0x00000001".
-- Identify the user account and process responsible for the registry modification by examining the associated event logs for user and process information.
-- Check for any recent remote connections to the affected system, focusing on connections initiated by local administrator accounts, to determine if the change was exploited for lateral movement.
-- Investigate any other recent registry changes on the host to identify potential patterns of unauthorized modifications that could indicate broader malicious activity.
-- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and assess the scope of the potential threat.
-- Assess the system for signs of compromise or malicious activity, such as unusual processes, network connections, or file modifications, that may have occurred around the time of the registry change.
-
-### False positive analysis
-
-- Administrative tools or scripts that modify the LocalAccountTokenFilterPolicy for legitimate configuration purposes may trigger alerts. To manage this, identify and document these tools, then create exceptions for their known registry changes.
-- System updates or patches that adjust registry settings as part of their installation process can cause false positives. Monitor update schedules and correlate alerts with these activities to determine if they are benign.
-- Security software or management solutions that enforce policy changes across endpoints might modify this registry setting. Verify these actions with your IT or security team and consider excluding these processes from triggering alerts.
-- Custom scripts or automation tasks used for system hardening or configuration management may alter this setting. Review these scripts and whitelist their expected changes to prevent unnecessary alerts.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
-- Revert the registry setting for LocalAccountTokenFilterPolicy to its default state if it was modified without authorization.
-- Conduct a thorough review of recent administrative activities and access logs on the affected system to identify any unauthorized access or changes.
-- Reset passwords for all local administrator accounts on the affected system to prevent potential misuse of compromised credentials.
-- Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activities or attempts to modify registry settings.
-- Escalate the incident to the security operations center (SOC) for further investigation and to determine if the threat is part of a larger attack campaign.
-- Implement additional network segmentation and access controls to limit administrative access to critical systems and reduce the risk of similar threats."""
 [[rule.threat]]
@@ -106,8 +111,6 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index eed53ccaefe..69108cc318b 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -124,7 +122,15 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Resources: Investigation Guide",
+    "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -133,8 +139,7 @@ event.category:process and host.os.type:windows and
   powershell.file.script_block_text : (
     "[System.Reflection.Assembly]::Load" or
     "[Reflection.Assembly]::Load" or
-    "Assembly.Load(" or
-    "System.Reflection"
+    "Assembly.Load("
   ) and
   not powershell.file.script_block_text : (
     ("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and
@@ -153,21 +158,19 @@ event.category:process and host.os.type:windows and
   not user.id : "S-1-5-18"
 '''
+
 [[rule.filters]]
+
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
-"case_insensitive" = true
-"value" = "C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*\\\\AvailabilityGroupMonitoring.ps1"
-
+case_insensitive = true
+value = """
+C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary
+Files*\\AvailabilityGroupMonitoring.ps1
+"""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1620"
-name = "Reflective Code Loading"
-reference = "https://attack.mitre.org/techniques/T1620/"
-
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
@@ -183,6 +186,11 @@ name = "Portable Executable Injection"
 reference = "https://attack.mitre.org/techniques/T1055/002/"
+[[rule.threat.technique]]
+id = "T1620"
+name = "Reflective Code Loading"
+reference = "https://attack.mitre.org/techniques/T1620/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 8f267c3002a..f18e497a33b 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
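Review bot: Dropping `"System.Reflection"` from the `powershell.file.script_block_text` list narrows this rule to the three explicit `Load` phrases, so a script block that only references the namespace another way (`using namespace System.Reflection`, `[System.Reflection.Assembly]::LoadFrom(`, `::LoadFile(`, `::UnsafeLoadFrom(`) may no longer match, depending on how that text field is analyzed; that should be confirmed against a sample before the narrower list ships. The hunk records no reason for the removal and neither the `note` nor a `false_positives` entry in this rule mentions it, so the next reviewer has nothing to stop them re-adding the term. If the broader coverage is still wanted, the narrower alternative is to add `"[System.Reflection.Assembly]::LoadFrom(" or "[System.Reflection.Assembly]::LoadFile(" or` above the kept `"Assembly.Load("` line; if it was removed for noise, a one-line `false_positives` entry saying so would document the trade-off. The enclosing `query` string starts and ends outside this hunk.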
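Review bot: The rewritten `value` of the negated `file.path` wildcard filter is now a TOML multi-line basic string with a line break in the middle of the path (`...Monitoring Host Temporary` / `Files*\\AvailabilityGroupMonitoring.ps1`), and TOML only trims the newline immediately after the opening `"""`; unless the repository's rule loader re-joins wrapped lines, the filter value carries a literal newline (plus a trailing one) and the exclusion for `AvailabilityGroupMonitoring.ps1` silently stops matching, re-surfacing the Microsoft Monitoring Agent events it exists to suppress. The escaping depth also changed in the same hunk: the old `"..."` value spelled separators as `\\\\` (two literal backslashes) while the new `"""..."""` value uses `\\` (one), whereas the sibling filter in `defense_evasion_posh_compressed.toml` in this same change keeps `\\\\` on one line, so the two rules no longer encode the path the same way. Keeping this value on a single line in the same form as the compressed rule, or, if the formatter insists on wrapping, ending the wrapped line with a TOML line-ending backslash so the pieces are joined, would remove both doubts, and a quick load-and-match check on a sample event for that path is warranted before merge.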
@@ -2,9 +2,7 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -124,7 +122,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+    "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -142,13 +147,14 @@ event.category:process and host.os.type:windows and
   not user.id : "S-1-5-18"
 '''
+
 [[rule.filters]]
+
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
-"case_insensitive" = true
-"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"
-
+case_insensitive = true
+value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml
index 6a1bc05123b..dd131d44204 100644
--- a/rules/windows/defense_evasion_posh_encryption.toml
+++ b/rules/windows/defense_evasion_posh_encryption.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml
index cb7a98c5ba9..2cdc2a47e41 100644
--- a/rules/windows/defense_evasion_posh_obfuscation.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/07/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/22"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,41 @@ index = ["winlogbeat-*", "logs-windows.powershell*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential PowerShell Obfuscated Script"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential PowerShell Obfuscated Script
+
+PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit its flexibility to obfuscate scripts, evading security measures like AMSI. The detection rule identifies obfuscation patterns, such as string manipulation and encoding techniques, to flag potentially malicious scripts, aiding in defense evasion detection.
+
+### Possible investigation steps
+
+- Review the PowerShell script block text captured in the alert to identify any suspicious patterns or obfuscation techniques, such as string manipulation or encoding methods like "[string]::join" or "-Join".
+- Check the process execution details, including the parent process and command line arguments, to understand the context in which the PowerShell script was executed.
+- Investigate the source and destination of the script execution by examining the host and user details to determine if the activity aligns with expected behavior or if it originates from an unusual or unauthorized source.
+- Analyze any network connections or file modifications associated with the PowerShell process to identify potential data exfiltration or lateral movement activities.
+- Correlate the alert with other security events or logs, such as Windows Event Logs or network traffic logs, to gather additional context and identify any related suspicious activities.
+- Assess the risk and impact of the detected activity by considering the severity and risk score provided in the alert, and determine if immediate remediation actions are necessary.
+
+### False positive analysis
+
+- Legitimate administrative scripts may use string manipulation and encoding techniques for benign purposes, such as data processing or configuration management. Review the context of the script execution and verify the source and intent before flagging it as malicious.
+- Scripts that automate complex tasks might use obfuscation-like patterns to handle data securely or efficiently. Consider whitelisting known scripts or trusted sources to reduce false positives.
+- Development and testing environments often run scripts with obfuscation patterns for testing purposes. Exclude these environments from the rule or create exceptions for specific users or groups involved in development.
+- Security tools and monitoring solutions might generate PowerShell scripts with obfuscation patterns as part of their normal operation. Identify these tools and exclude their activities from triggering the rule.
+- Regularly update the list of exceptions and whitelisted scripts to ensure that new legitimate scripts are not mistakenly flagged as threats.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of potentially malicious scripts.
+- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activity.
+- Conduct a thorough review of the PowerShell script block logs to identify and remove any obfuscated scripts or malicious code remnants.
+- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.
+- Update and patch the affected system to ensure all security vulnerabilities are addressed, reducing the risk of exploitation.
+- Monitor the system and network for any signs of re-infection or similar obfuscation patterns to ensure the threat has been fully mitigated.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 references = ["https://github.com/danielbohannon/Invoke-Obfuscation"]
 risk_score = 47
 rule_id = "8025db49-c57c-4fc0-bd86-7ccd6d10a35a"
@@ -39,7 +72,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: PowerShell Logs",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -68,41 +108,7 @@ event.category:process and host.os.type:windows and
     ("System.Management.Automation.$([cHAr]" or "System.$([cHAr]" or ")+[cHAR]([byte]")
   )
 '''
-note = """## Triage and analysis
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential PowerShell Obfuscated Script
-
-PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit its flexibility to obfuscate scripts, evading security measures like AMSI. The detection rule identifies obfuscation patterns, such as string manipulation and encoding techniques, to flag potentially malicious scripts, aiding in defense evasion detection.
-
-### Possible investigation steps
-
-- Review the PowerShell script block text captured in the alert to identify any suspicious patterns or obfuscation techniques, such as string manipulation or encoding methods like "[string]::join" or "-Join".
-- Check the process execution details, including the parent process and command line arguments, to understand the context in which the PowerShell script was executed.
-- Investigate the source and destination of the script execution by examining the host and user details to determine if the activity aligns with expected behavior or if it originates from an unusual or unauthorized source.
-- Analyze any network connections or file modifications associated with the PowerShell process to identify potential data exfiltration or lateral movement activities.
-- Correlate the alert with other security events or logs, such as Windows Event Logs or network traffic logs, to gather additional context and identify any related suspicious activities.
-- Assess the risk and impact of the detected activity by considering the severity and risk score provided in the alert, and determine if immediate remediation actions are necessary.
-
-### False positive analysis
-
-- Legitimate administrative scripts may use string manipulation and encoding techniques for benign purposes, such as data processing or configuration management. Review the context of the script execution and verify the source and intent before flagging it as malicious.
-- Scripts that automate complex tasks might use obfuscation-like patterns to handle data securely or efficiently. Consider whitelisting known scripts or trusted sources to reduce false positives.
-- Development and testing environments often run scripts with obfuscation patterns for testing purposes. Exclude these environments from the rule or create exceptions for specific users or groups involved in development.
-- Security tools and monitoring solutions might generate PowerShell scripts with obfuscation patterns as part of their normal operation. Identify these tools and exclude their activities from triggering the rule.
-- Regularly update the list of exceptions and whitelisted scripts to ensure that new legitimate scripts are not mistakenly flagged as threats.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of potentially malicious scripts.
-- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activity.
-- Conduct a thorough review of the PowerShell script block logs to identify and remove any obfuscated scripts or malicious code remnants.
-- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.
-- Update and patch the affected system to ensure all security vulnerabilities are addressed, reducing the risk of exploitation.
-- Monitor the system and network for any signs of re-infection or similar obfuscation patterns to ensure the threat has been fully mitigated.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -121,8 +127,6 @@ reference = "https://attack.mitre.org/techniques/T1140/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 9d74159faf4..dfe1ced0f80 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 2521ce2dc82..583d589cba8 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index d76195296cf..353a2156cb7 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,10 +11,51 @@ Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (
 binary execution via malicious process arguments.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+    "logs-endpoint.events.process-*",
+    "winlogbeat-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Microsoft Diagnostics Wizard Execution"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Microsoft Diagnostics Wizard Execution
+
+The Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a legitimate tool used for diagnosing and resolving issues within Windows environments. However, adversaries can exploit MSDT to execute malicious commands by manipulating its process arguments, effectively using it as a proxy for harmful activities. The detection rule identifies such abuse by monitoring for unusual execution patterns, such as atypical file paths, unexpected parent processes, and non-standard executable locations, which are indicative of potential misuse. This proactive detection helps in mitigating risks associated with defense evasion tactics.
+
+### Possible investigation steps
+
+- Review the process arguments to identify any suspicious patterns, such as "IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", or "*FromBase64*", which may indicate malicious intent.
+- Examine the parent process of msdt.exe to determine if it was launched by an unexpected or potentially malicious process like cmd.exe, powershell.exe, or mshta.exe.
+- Check the file path of the msdt.exe executable to ensure it matches the standard locations (?:\\Windows\\system32\\msdt.exe or ?:\\Windows\\SysWOW64\\msdt.exe) and investigate any deviations.
+- Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious.
+- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related malicious activities or patterns.
+- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate action is required to mitigate potential threats.
+
+### False positive analysis
+
+- Legitimate troubleshooting activities by IT staff using MSDT may trigger alerts. To manage this, create exceptions for known IT user accounts or specific machines frequently used for diagnostics.
+- Automated scripts or software updates that utilize MSDT for legitimate purposes can cause false positives. Identify these scripts and whitelist their execution paths or parent processes.
+- Custom diagnostic tools that leverage MSDT might be flagged. Review these tools and exclude their specific process arguments or executable paths if they are verified as safe.
+- Non-standard installations of MSDT in custom environments could be misidentified. Ensure that any legitimate non-standard paths are documented and excluded from monitoring.
+- Frequent use of MSDT in virtualized environments for testing purposes may lead to alerts. Consider excluding these environments or specific virtual machines from the rule.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
+- Terminate the suspicious msdt.exe process to stop any ongoing malicious execution.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
+- Review and analyze the process arguments and parent processes associated with the msdt.exe execution to identify potential entry points or related malicious activities.
+- Restore any affected files or system components from a known good backup to ensure system integrity.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
+- Implement enhanced monitoring and logging for msdt.exe and related processes to detect and respond to similar threats in the future."""
 references = [
     "https://twitter.com/nao_sec/status/1530196847679401984",
     "https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
@@ -53,41 +92,6 @@ process where host.os.type == "windows" and event.type == "start" and
     (process.pe.original_file_name == "msdt.exe" and not process.executable : ("?:\\Windows\\system32\\msdt.exe", "?:\\Windows\\SysWOW64\\msdt.exe"))
   )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Microsoft Diagnostics Wizard Execution
-
-The Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a legitimate tool used for diagnosing and resolving issues within Windows environments. However, adversaries can exploit MSDT to execute malicious commands by manipulating its process arguments, effectively using it as a proxy for harmful activities. The detection rule identifies such abuse by monitoring for unusual execution patterns, such as atypical file paths, unexpected parent processes, and non-standard executable locations, which are indicative of potential misuse. This proactive detection helps in mitigating risks associated with defense evasion tactics.
-
-### Possible investigation steps
-
-- Review the process arguments to identify any suspicious patterns, such as "IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", or "*FromBase64*", which may indicate malicious intent.
-- Examine the parent process of msdt.exe to determine if it was launched by an unexpected or potentially malicious process like cmd.exe, powershell.exe, or mshta.exe.
-- Check the file path of the msdt.exe executable to ensure it matches the standard locations (?:\\Windows\\system32\\msdt.exe or ?:\\Windows\\SysWOW64\\msdt.exe) and investigate any deviations.
-- Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious.
-- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related malicious activities or patterns.
-- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate action is required to mitigate potential threats.
-
-### False positive analysis
-
-- Legitimate troubleshooting activities by IT staff using MSDT may trigger alerts. To manage this, create exceptions for known IT user accounts or specific machines frequently used for diagnostics.
-- Automated scripts or software updates that utilize MSDT for legitimate purposes can cause false positives. Identify these scripts and whitelist their execution paths or parent processes.
-- Custom diagnostic tools that leverage MSDT might be flagged. Review these tools and exclude their specific process arguments or executable paths if they are verified as safe.
-- Non-standard installations of MSDT in custom environments could be misidentified. Ensure that any legitimate non-standard paths are documented and excluded from monitoring.
-- Frequent use of MSDT in virtualized environments for testing purposes may lead to alerts. Consider excluding these environments or specific virtual machines from the rule.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
-- Terminate the suspicious msdt.exe process to stop any ongoing malicious execution.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
-- Review and analyze the process arguments and parent processes associated with the msdt.exe execution to identify potential entry points or related malicious activities.
-- Restore any affected files or system components from a known good backup to ensure system integrity.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
-- Implement enhanced monitoring and logging for msdt.exe and related processes to detect and respond to similar threats in the future."""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
index 00de7eaa076..66566945113 100644
--- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
+++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -21,41 +19,11 @@ index = [ "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "endgame-*" + "endgame-*", ] language = "eql" license = "Elastic License v2" name = "DNS Global Query Block List Modified or Disabled" -references = [ - "https://cube0x0.github.io/Pocing-Beyond-DA/", - "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing", - "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/" -] -risk_score = 47 -rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and -( - (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or - (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad") -) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -90,6 +58,36 @@ The DNS Global Query Block List (GQBL) is a security feature in Windows environm
 - Monitor network traffic for signs of WPAD spoofing or other related attacks, and implement network segmentation to limit the impact of potential threats.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Update security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List, ensuring rapid detection and response to similar threats in the future."""
+references = [
+ "https://cube0x0.github.io/Pocing-Beyond-DA/",
+ "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing",
+ "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/",
+]
+risk_score = 47
+rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+(
+ (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or
+ (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad")
+)
+'''
 [[rule.threat]]
@@ -109,8 +107,6 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_right_to_left_override.toml b/rules/windows/defense_evasion_right_to_left_override.toml
index b9666969c39..2b351c4f41b 100644
--- a/rules/windows/defense_evasion_right_to_left_override.toml
+++ b/rules/windows/defense_evasion_right_to_left_override.toml
@@ -2,9 +2,7 @@
 creation_date = "2025/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/22"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -25,31 +23,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "File with Right-to-Left Override Character (RTLO) Created/Executed"
-risk_score = 47
-rule_id = "7e763fd1-228a-4d43-be88-3ffc14cd7de1"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-any where host.os.type == "windows" and event.category in ("file", "process") and
- (
- (event.type == "creation" and file.path : "*\u{202E}*") or
- (event.type == "start" and process.name : "*\u{202E}*")
- )
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -85,6 +58,31 @@ The RTLO character reverses text direction, often used to disguise file extensio
 - Review and analyze system logs and security alerts to determine the extent of the compromise and identify any lateral movement or additional affected systems.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary.
 - Implement enhanced monitoring and detection rules to identify future attempts to use RTLO characters for masquerading, ensuring that similar threats are detected promptly."""
+risk_score = 47
+rule_id = "7e763fd1-228a-4d43-be88-3ffc14cd7de1"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and event.category in ("file", "process") and
+ (
+ (event.type == "creation" and file.path : "*\u{202E}*") or
+ (event.type == "start" and process.name : "*\u{202E}*")
+ )
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml
index 53311fc30f5..6c2740ef0c5 100644
--- a/rules/windows/defense_evasion_root_dir_ads_creation.toml
+++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -25,32 +23,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Alternate Data Stream Creation/Execution at Volume Root Directory"
-references = ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"]
-risk_score = 47
-rule_id = "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-any where host.os.type == "windows" and event.category in ("file", "process") and
- (
- (event.type == "creation" and file.path regex~ """[A-Z]:\\:.+""") or
- (event.type == "start" and process.executable regex~ """[A-Z]:\\:.+""")
- )
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -86,6 +58,32 @@ Alternate Data Streams (ADS) in Windows allow files to contain multiple streams
 - Restore affected files from a known good backup to ensure system integrity and remove any compromised data.
 - Monitor network traffic for unusual patterns or connections that may indicate ongoing malicious activity or data exfiltration attempts.
 - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for broader organizational response measures."""
+references = ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"]
+risk_score = 47
+rule_id = "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and event.category in ("file", "process") and
+ (
+ (event.type == "creation" and file.path regex~ """[A-Z]:\\:.+""") or
+ (event.type == "start" and process.executable regex~ """[A-Z]:\\:.+""")
+ )
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 6979c9fba8b..03fa7fb9c36 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_sc_sdset.toml b/rules/windows/defense_evasion_sc_sdset.toml
index 3bb8cbf9a1c..e543bd70b60 100644
--- a/rules/windows/defense_evasion_sc_sdset.toml
+++ b/rules/windows/defense_evasion_sc_sdset.toml
@@ -2,51 +2,24 @@
 creation_date = "2024/07/16"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/10"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
-description = """
-Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.
-"""
+description = "Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.\n"
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+ "logs-crowdstrike.fdr*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Service DACL Modification via sc.exe"
-references = [
- "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html",
- "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml",
- "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"
-]
-risk_score = 47
-rule_id = "5188c68e-d3de-4e96-994d-9e242269446f"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Crowdstrike"
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- (process.name : "sc.exe" or ?process.pe.original_file_name : "sc.exe") and
- process.args : "sdset" and process.args : "*D;*" and
- process.args : ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
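Review bot: The new `description` is a one-line basic string ending in a literal `\n`, while the script_via_html_app hunk in this same diff keeps the `"""` block form for its `description`; the two outputs are inconsistent, and the trailing `\n` reads as a leftover of the original triple-quoted value rather than intended content. Keeping the block form, `description = """` / `Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.` / `"""`, yields the same TOML value and matches the sibling file. If the trailing newline is instead meant to go, note that dropping it changes the field's value and so presumably anything that hashes or compares rule content.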
@@ -83,6 +56,37 @@ The `sc.exe` utility in Windows is used to manage services, including modifying
 - Implement additional monitoring on the affected system and similar systems to detect any further attempts to modify service DACLs, using enhanced logging and alerting mechanisms.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign.
 - Review and update endpoint protection policies to prevent similar threats in the future, ensuring that all systems are equipped with the latest security patches and configurations."""
+references = [
+ "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html",
+ "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml",
+ "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+]
+risk_score = 47
+rule_id = "5188c68e-d3de-4e96-994d-9e242269446f"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (process.name : "sc.exe" or ?process.pe.original_file_name : "sc.exe") and
+ process.args : "sdset" and process.args : "*D;*" and
+ process.args : ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*")
+'''
 [[rule.threat]]
@@ -93,12 +97,10 @@ name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index e809d1593fe..78e006e81d4 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,38 +12,17 @@ move laterally or persist locally. The AT command has been deprecated since Wind
 exists for backwards compatibility.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Scheduled Tasks AT Command Enabled"
-references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
-risk_score = 47
-rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.type == "change" and
- registry.path : (
- "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
- "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
- ) and registry.data.strings : ("1", "0x00000001")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -80,6 +57,34 @@ The AT command, a legacy Windows utility, schedules tasks for execution, often u
 - Monitor network traffic and logs for any signs of data exfiltration or communication with known malicious IP addresses or domains.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
 - Implement enhanced monitoring and alerting for similar registry changes across the network to detect and respond to future attempts promptly."""
+references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
+risk_score = 47
+rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+ registry.path : (
+ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
+ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
+ "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
+ ) and registry.data.strings : ("1", "0x00000001")
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml
index efb57856d50..37e27fdbfa7 100644
--- a/rules/windows/defense_evasion_script_via_html_app.toml
+++ b/rules/windows/defense_evasion_script_via_html_app.toml
@@ -2,16 +2,13 @@
 creation_date = "2020/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe.
-Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed
-binaries.
+Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe. Adversaries
+may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries.
 """
 from = "now-9m"
 index = [
@@ -25,6 +22,39 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Script Execution via Microsoft HTML Application"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Script Execution via Microsoft HTML Application
+
+Microsoft HTML Applications (HTA) allow scripts to run in a trusted environment, often using utilities like `rundll32.exe` or `mshta.exe`. Adversaries exploit this by executing malicious scripts under the guise of legitimate processes, bypassing defenses. The detection rule identifies suspicious script execution patterns, such as unusual command lines or execution from common download locations, to flag potential abuse.
+
+### Possible investigation steps
+
+- Review the process command line details to identify any suspicious patterns or indicators of malicious activity, such as the presence of script execution commands like "eval", "GetObject", or "WScript.Shell".
+- Check the parent process executable path to determine if the process was spawned by a known legitimate application or if it deviates from expected behavior, especially if it is not from the specified exceptions like Citrix, Microsoft Office, or Quokka.Works GTInstaller.
+- Investigate the origin of the HTA file, particularly if it was executed from common download locations like the Downloads folder or temporary archive extraction paths, to assess if it was downloaded from the internet or extracted from an archive.
+- Analyze the process arguments and count to identify any unusual or unexpected parameters that could indicate malicious intent, especially if the process name is "mshta.exe" and the command line does not include typical HTA or HTM file references.
+- Correlate the event with other security logs and alerts from data sources like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and determine if this activity is part of a broader attack pattern.
+
+### False positive analysis
+
+- Execution of legitimate scripts by enterprise applications like Citrix, Microsoft Office, or Quokka.Works GTInstaller can trigger false positives. Users can mitigate this by adding these applications to the exclusion list in the detection rule.
+- Scripts executed by mshta.exe that do not involve malicious intent, such as internal web applications or administrative scripts, may be flagged. Users should review these scripts and, if deemed safe, exclude them based on specific command line patterns or parent processes.
+- HTA files downloaded from trusted internal sources or vendors might be mistakenly identified as threats. Users can create exceptions for these sources by specifying trusted download paths or file hashes.
+- Temporary files created by legitimate software installations or updates in user temp directories can be misinterpreted as malicious. Users should monitor these activities and exclude known safe processes or directories from the detection rule.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further spread of the malicious script or unauthorized access.
+- Terminate any suspicious processes identified by the detection rule, specifically those involving `rundll32.exe` or `mshta.exe` with unusual command lines.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts.
+- Review and analyze the command lines and scripts executed to understand the scope and intent of the attack, and identify any additional compromised systems.
+- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
+- Implement network segmentation to limit the ability of similar threats to propagate across the network in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been compromised."""
 risk_score = 73
 rule_id = "181f6b23-3799-445e-9589-0018328a9e46"
 severity = "high"
@@ -80,39 +110,6 @@ process where host.os.type == "windows" and event.type == "start" and
 process.args : ("?:\\Users\\*\\Temp\\7z*", "?:\\Users\\*\\Temp\\Rar$*", "?:\\Users\\*\\Temp\\Temp?_*", "?:\\Users\\*\\Temp\\BNZ.*"))
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Script Execution via Microsoft HTML Application
-
-Microsoft HTML Applications (HTA) allow scripts to run in a trusted environment, often using utilities like `rundll32.exe` or `mshta.exe`. Adversaries exploit this by executing malicious scripts under the guise of legitimate processes, bypassing defenses. The detection rule identifies suspicious script execution patterns, such as unusual command lines or execution from common download locations, to flag potential abuse.
-
-### Possible investigation steps
-
-- Review the process command line details to identify any suspicious patterns or indicators of malicious activity, such as the presence of script execution commands like "eval", "GetObject", or "WScript.Shell".
-- Check the parent process executable path to determine if the process was spawned by a known legitimate application or if it deviates from expected behavior, especially if it is not from the specified exceptions like Citrix, Microsoft Office, or Quokka.Works GTInstaller.
-- Investigate the origin of the HTA file, particularly if it was executed from common download locations like the Downloads folder or temporary archive extraction paths, to assess if it was downloaded from the internet or extracted from an archive.
-- Analyze the process arguments and count to identify any unusual or unexpected parameters that could indicate malicious intent, especially if the process name is "mshta.exe" and the command line does not include typical HTA or HTM file references.
-- Correlate the event with other security logs and alerts from data sources like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and determine if this activity is part of a broader attack pattern.
-
-### False positive analysis
-
-- Execution of legitimate scripts by enterprise applications like Citrix, Microsoft Office, or Quokka.Works GTInstaller can trigger false positives. Users can mitigate this by adding these applications to the exclusion list in the detection rule.
-- Scripts executed by mshta.exe that do not involve malicious intent, such as internal web applications or administrative scripts, may be flagged. Users should review these scripts and, if deemed safe, exclude them based on specific command line patterns or parent processes.
-- HTA files downloaded from trusted internal sources or vendors might be mistakenly identified as threats. Users can create exceptions for these sources by specifying trusted download paths or file hashes.
-- Temporary files created by legitimate software installations or updates in user temp directories can be misinterpreted as malicious. Users should monitor these activities and exclude known safe processes or directories from the detection rule.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further spread of the malicious script or unauthorized access.
-- Terminate any suspicious processes identified by the detection rule, specifically those involving `rundll32.exe` or `mshta.exe` with unusual command lines.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts.
-- Review and analyze the command lines and scripts executed to understand the scope and intent of the attack, and identify any additional compromised systems.
-- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
-- Implement network segmentation to limit the ability of similar threats to propagate across the network in the future.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been compromised."""
 [[rule.threat]]
@@ -121,11 +118,11 @@ framework = "MITRE ATT&CK"
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1218.005"
 name = "Mshta"
 reference = "https://attack.mitre.org/techniques/T1218/005/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.011"
 name = "Rundll32"
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 0afe8f45790..bfc81a4731a 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,14 @@ Detects file name patterns generated by the use of Sysinternals SDelete utility
 file overwrite and rename operations.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Secure File Deletion via SDelete Utility"
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 04bde56d0d8..434c2d6eb33 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,41 +12,17 @@ Windows cryptographic system to validate file signatures on the system. This may
 validation checks or inject code into critical processes.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "SIP Provider Modification"
-references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
-risk_score = 47
-rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and
- registry.path: (
- "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
- "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
- "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
- "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
- ) and
- registry.data.strings:"*.dll" and
- not (process.name : "msiexec.exe" and registry.data.strings : "mso.dll") and
- not (process.name : "regsvr32.exe" and registry.data.strings == "WINTRUST.DLL")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -83,6 +57,37 @@ Subject Interface Package (SIP) providers are integral to Windows' cryptographic
 - Review and update endpoint protection policies to ensure that similar unauthorized modifications are detected and blocked in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases."""
+references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
+risk_score = 47
+rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and
+ registry.path: (
+ "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
+ "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
+ "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
+ "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
+ ) and
+ registry.data.strings:"*.dll" and
+ not (process.name : "msiexec.exe" and registry.data.strings : "mso.dll") and
+ not (process.name : "regsvr32.exe" and registry.data.strings == "WINTRUST.DLL")
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 9a2b2cf07ba..d4273cdccf1 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,10 +11,52 @@ Identifies a SolarWinds binary modifying the start type of a service to be disab
 technique to manipulate relevant security services.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "SolarWinds Process Disabling Services via Registry"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating SolarWinds Process Disabling Services via Registry
+
+SolarWinds software is integral for network management, often requiring deep system access. Adversaries may exploit this by altering registry settings to disable critical services, evading detection. The detection rule identifies changes to service start types by specific SolarWinds processes, flagging potential misuse aimed at disabling security defenses. This proactive monitoring helps mitigate risks associated with unauthorized registry modifications.
+
+### Possible investigation steps
+
+- Review the process name involved in the alert to confirm it matches one of the specified SolarWinds processes, such as "SolarWinds.BusinessLayerHost*.exe" or "NetFlowService*.exe".
+- Examine the registry path in the alert to ensure it corresponds to the critical service start type locations, such as "HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start".
+- Check the registry data value to verify if it has been set to "4" (disabled), indicating a potential attempt to disable a service.
+- Investigate the timeline of the registry change event to identify any preceding or subsequent suspicious activities on the host.
+- Correlate the alert with other security logs or alerts from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activities or patterns.
+- Assess the impacted service to determine its role in security operations and evaluate the potential impact of it being disabled.
+- Contact the system owner or administrator to verify if the registry change was authorized or part of a legitimate maintenance activity.
+
+### False positive analysis
+
+- Routine updates or maintenance by SolarWinds software may trigger registry changes. Verify if the process corresponds to a scheduled update or maintenance task and consider excluding these specific processes during known maintenance windows.
+- Legitimate configuration changes by IT administrators using SolarWinds tools can appear as registry modifications. Confirm with the IT team if the changes align with authorized configuration activities and create exceptions for these known activities.
+- Automated scripts or tools that utilize SolarWinds processes for legitimate network management tasks might cause false positives. Review the scripts or tools in use and whitelist them if they are verified as safe and necessary for operations.
+- Temporary service modifications for troubleshooting purposes by SolarWinds processes can be mistaken for malicious activity. Ensure that any troubleshooting activities are documented and create temporary exceptions during these periods.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized registry modifications and potential lateral movement by the adversary.
+- Terminate any suspicious SolarWinds processes identified in the alert, such as "SolarWinds.BusinessLayerHost*.exe" or "NetFlowService*.exe", to halt any ongoing malicious activity.
+- Restore the registry settings for the affected services to their original state, ensuring that critical security services are re-enabled and configured to start automatically.
+- Conduct a thorough review of the affected system for additional signs of compromise, including unauthorized user accounts, scheduled tasks, or other persistence mechanisms.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
+- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized registry changes, leveraging data sources like Sysmon and Microsoft Defender for Endpoint.
+- Review and update access controls and permissions for SolarWinds processes to limit their ability to modify critical system settings, reducing the risk of future exploitation."""
 references = [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 ]
@@ -57,41 +97,6 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 ) and registry.data.strings : ("4", "0x00000004")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating SolarWinds Process Disabling Services via Registry
-
-SolarWinds software is integral for network management, often requiring deep system access. Adversaries may exploit this by altering registry settings to disable critical services, evading detection. The detection rule identifies changes to service start types by specific SolarWinds processes, flagging potential misuse aimed at disabling security defenses. This proactive monitoring helps mitigate risks associated with unauthorized registry modifications.
-
-### Possible investigation steps
-
-- Review the process name involved in the alert to confirm it matches one of the specified SolarWinds processes, such as "SolarWinds.BusinessLayerHost*.exe" or "NetFlowService*.exe".
-- Examine the registry path in the alert to ensure it corresponds to the critical service start type locations, such as "HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start".
-- Check the registry data value to verify if it has been set to "4" (disabled), indicating a potential attempt to disable a service.
-- Investigate the timeline of the registry change event to identify any preceding or subsequent suspicious activities on the host.
-- Correlate the alert with other security logs or alerts from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activities or patterns.
-- Assess the impacted service to determine its role in security operations and evaluate the potential impact of it being disabled.
-- Contact the system owner or administrator to verify if the registry change was authorized or part of a legitimate maintenance activity.
-
-### False positive analysis
-
-- Routine updates or maintenance by SolarWinds software may trigger registry changes. Verify if the process corresponds to a scheduled update or maintenance task and consider excluding these specific processes during known maintenance windows.
-- Legitimate configuration changes by IT administrators using SolarWinds tools can appear as registry modifications. Confirm with the IT team if the changes align with authorized configuration activities and create exceptions for these known activities.
-- Automated scripts or tools that utilize SolarWinds processes for legitimate network management tasks might cause false positives. Review the scripts or tools in use and whitelist them if they are verified as safe and necessary for operations.
-- Temporary service modifications for troubleshooting purposes by SolarWinds processes can be mistaken for malicious activity. Ensure that any troubleshooting activities are documented and create temporary exceptions during these periods.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized registry modifications and potential lateral movement by the adversary.
-- Terminate any suspicious SolarWinds processes identified in the alert, such as "SolarWinds.BusinessLayerHost*.exe" or "NetFlowService*.exe", to halt any ongoing malicious activity.
-- Restore the registry settings for the affected services to their original state, ensuring that critical security services are re-enabled and configured to start automatically.
-- Conduct a thorough review of the affected system for additional signs of compromise, including unauthorized user accounts, scheduled tasks, or other persistence mechanisms.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
-- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized registry changes, leveraging data sources like Sysmon and Microsoft Defender for Endpoint.
-- Review and update access controls and permissions for SolarWinds processes to limit their ability to modify critical system settings, reducing the risk of future exploitation."""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index ae8a631e1a4..d31877d1658 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index 5d6f59d9c2b..8d702affb0a 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,41 +15,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution from a Mounted Device"
-references = [
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
- "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
-]
-risk_score = 47
-rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
- (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and
- process.parent.name : "explorer.exe" and
- process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe",
- "cscript.exe", "wscript.exe")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -87,6 +50,41 @@ In Windows environments, script interpreters and signed binaries are essential f
 - Update and patch the system to close any vulnerabilities that may have been exploited by the attacker.
 - Monitor for any recurrence of similar activities by enhancing logging and alerting mechanisms, focusing on process execution from non-standard directories.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+references = [
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
+]
+risk_score = 47
+rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d"
+setup = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
+ (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and
+ process.parent.name : "explorer.exe" and
+ process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe",
+ "cscript.exe", "wscript.exe")
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index f7dc5f1cb3b..30a19f5a7ff 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,43 +11,18 @@ Identifies a suspicious managed code hosting process which could indicate code i
 code execution.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-crowdstrike.fdr*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Managed Code Hosting Process"
-references = [
- "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
-]
-risk_score = 73
-rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Data Source: Elastic Endgame",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-file where host.os.type == "windows" and event.type != "deletion" and
- file.name : ("wscript.exe.log",
- "cscript.exe.log",
- "mshta.exe.log",
- "wmic.exe.log",
- "svchost.exe.log",
- "dllhost.exe.log",
- "cmstp.exe.log",
- "regsvr32.exe.log")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -85,6 +58,39 @@ Managed code hosting processes like wscript.exe, cscript.exe, and others are int
 - Collect and preserve relevant logs and forensic data from the affected system for further analysis and to aid in understanding the scope and impact of the incident.
 - Notify the security operations center (SOC) or incident response team to escalate the incident for further investigation and to determine if additional systems are affected.
 - Implement additional monitoring and detection rules to enhance visibility and prevent similar threats in the future, focusing on the specific processes and behaviors identified in the alert."""
+references = [
+ "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+]
+risk_score = 73
+rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type != "deletion" and
+ file.name : ("wscript.exe.log",
+ "cscript.exe.log",
+ "mshta.exe.log",
+ "wmic.exe.log",
+ "svchost.exe.log",
+ "dllhost.exe.log",
+ "cmstp.exe.log",
+ "regsvr32.exe.log")
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index 5d6fd9988b6..3c06a0f9e98 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index 29082352f01..d6f9837abe0 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index b5b791d4e43..8b30df05e2c 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,40 @@ index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*",
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Script Object Execution"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Script Object Execution
+
+The scrobj.dll is a legitimate Windows library used for executing scriptlets, often in automation tasks. However, adversaries can exploit it to run malicious scripts within trusted processes, evading detection. The detection rule identifies unusual loading of scrobj.dll in non-standard processes, flagging potential misuse. By excluding common executables, it focuses on anomalous activity, aiding in early threat detection.
+
+### Possible investigation steps
+
+- Review the process executable path to confirm if it is indeed non-standard for loading scrobj.dll, as specified in the query.
+- Check the parent process of the flagged executable to understand how it was initiated and assess if it aligns with typical behavior.
+- Investigate the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.
+- Analyze recent activity on the host for any other suspicious behavior or anomalies that might correlate with the alert.
+- Examine network connections from the host to identify any unusual or unauthorized external communications that could indicate malicious activity.
+- Review historical data for similar alerts on the same host to identify patterns or repeated suspicious behavior.
+
+### False positive analysis
+
+- Legitimate administrative scripts may trigger the rule if they are executed using non-standard processes.
To handle this, identify and document regular administrative tasks that use scriptlets and exclude these specific processes from the rule.
+- Custom enterprise applications that utilize scrobj.dll for legitimate automation purposes might be flagged. Review these applications and add them to the exclusion list if they are verified as safe.
+- Scheduled tasks or maintenance scripts that load scrobj.dll in non-standard processes can cause false positives. Regularly audit scheduled tasks and exclude known safe processes from the detection rule.
+- Development or testing environments where scriptlets are frequently used for automation may generate alerts. Consider creating a separate rule set for these environments to reduce noise while maintaining security monitoring.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement.
+- Terminate any suspicious processes identified as loading scrobj.dll in non-standard executables to halt malicious activity.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious scripts or files.
+- Review and restore any altered system configurations or settings to their default state to ensure system integrity.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
+- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the processes identified in the detection rule.
+- Update detection mechanisms to monitor for similar activities across the network, ensuring that any future attempts to exploit scrobj.dll are promptly identified and addressed."""
 risk_score = 47
 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
 severity = "medium"
@@ -58,40 +90,6 @@ any where host.os.type == "windows" and
 "?:\\Windows\\System32\\wbem\\WMIADAP.exe",
 "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Script Object Execution
-
-The scrobj.dll is a legitimate Windows library used for executing scriptlets, often in automation tasks. However, adversaries can exploit it to run malicious scripts within trusted processes, evading detection. The detection rule identifies unusual loading of scrobj.dll in non-standard processes, flagging potential misuse. By excluding common executables, it focuses on anomalous activity, aiding in early threat detection.
-
-### Possible investigation steps
-
-- Review the process executable path to confirm if it is indeed non-standard for loading scrobj.dll, as specified in the query.
-- Check the parent process of the flagged executable to understand how it was initiated and assess if it aligns with typical behavior.
-- Investigate the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.
-- Analyze recent activity on the host for any other suspicious behavior or anomalies that might correlate with the alert.
-- Examine network connections from the host to identify any unusual or unauthorized external communications that could indicate malicious activity.
-- Review historical data for similar alerts on the same host to identify patterns or repeated suspicious behavior.
-
-### False positive analysis
-
-- Legitimate administrative scripts may trigger the rule if they are executed using non-standard processes.
To handle this, identify and document regular administrative tasks that use scriptlets and exclude these specific processes from the rule.
-- Custom enterprise applications that utilize scrobj.dll for legitimate automation purposes might be flagged. Review these applications and add them to the exclusion list if they are verified as safe.
-- Scheduled tasks or maintenance scripts that load scrobj.dll in non-standard processes can cause false positives. Regularly audit scheduled tasks and exclude known safe processes from the detection rule.
-- Development or testing environments where scriptlets are frequently used for automation may generate alerts. Consider creating a separate rule set for these environments to reduce noise while maintaining security monitoring.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement.
-- Terminate any suspicious processes identified as loading scrobj.dll in non-standard executables to halt malicious activity.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious scripts or files.
-- Review and restore any altered system configurations or settings to their default state to ensure system integrity.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
-- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the processes identified in the detection rule.
-- Update detection mechanisms to monitor for similar activities across the network, ensuring that any future attempts to exploit scrobj.dll are promptly identified and addressed."""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index 68ef0312a42..655aa605ba2 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -40,7 +38,13 @@ is often done by adversaries while staging, executing temporary utilities, or tr
 on the process name.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Renamed Utility Executed with Short Program Name"
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index 1320e4cf3c8..45706563ed1 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -22,30 +20,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Suspicious WMIC XSL Script Execution" -risk_score = 47 -rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by process.entity_id with maxspan = 2m -[process where host.os.type == "windows" and event.type == "start" and - (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and - process.args : ("format*:*", "/format*:*", "*-format*:*") and - not process.command_line : ("* /format:table *", "* /format:table")] -[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and - (?dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +55,30 @@ Windows Management Instrumentation Command-line (WMIC) is a powerful tool for ma - Restore the system from a known good backup if any critical system files or configurations have been altered. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +risk_score = 47 +rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by process.entity_id with maxspan = 2m +[process where host.os.type == "windows" and event.type == "start" and + (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and + process.args : ("format*:*", "/format*:*", "*-format*:*") and + not process.command_line : ("* /format:table *", "* /format:table")] +[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (?dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))] +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 71b4c64cb85..2b461a36b16 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -148,7 +146,6 @@ reference = "https://attack.mitre.org/techniques/T1055/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -161,3 +158,4 @@ reference = "https://attack.mitre.org/techniques/T1203/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 81e748f1336..8fd05571fe0 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -39,7 +37,14 @@ Identifies an unexpected executable file being created or modified by a Windows indicate activity related to remote code execution or other forms of exploitation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Unusual Executable File Creation by a System Critical Process" diff --git a/rules/windows/defense_evasion_timestomp_sysmon.toml b/rules/windows/defense_evasion_timestomp_sysmon.toml index 6275f2f64c5..bc76473b45b 100644 --- a/rules/windows/defense_evasion_timestomp_sysmon.toml +++ b/rules/windows/defense_evasion_timestomp_sysmon.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2025/02/25" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,41 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "File Creation Time Changed" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating File Creation Time Changed +File creation timestamps are crucial for tracking file history and integrity. Adversaries may alter these timestamps, a tactic known as timestomping, to disguise malicious files as benign. This detection rule leverages Sysmon logs to identify suspicious changes in file creation times, excluding trusted processes and file types, thus highlighting potential evasion attempts by attackers. + +### Possible investigation steps + +- Review the Sysmon logs to confirm the event code 2, which indicates a file creation time change, and verify the associated process and file details. +- Identify the process executable path that triggered the alert and determine if it is outside the list of trusted paths specified in the query. +- Check the file extension and name to ensure they are not part of the excluded types such as "temp", "tmp", or "LOG". +- Investigate the user account associated with the event to determine if it is a non-system account, as the query excludes "SYSTEM", "Local Service", and "Network Service". +- Correlate the file creation time change event with other security events or logs to identify any related suspicious activities or patterns. +- Assess the file's location and context to determine if it is in a sensitive or unusual directory that could indicate malicious intent. 
+- If necessary, perform a deeper forensic analysis on the file and process to identify any potential malicious behavior or indicators of compromise. + +### False positive analysis + +- Trusted software updates or installations may alter file creation times. Exclude known update processes like msiexec.exe from detection to reduce noise. +- System maintenance tasks, such as disk cleanup, can modify timestamps. Exclude cleanmgr.exe to prevent these benign changes from triggering alerts. +- User-initiated actions in trusted applications like Chrome or Firefox might change file creation times. Exclude these applications to avoid unnecessary alerts. +- Temporary files created by legitimate processes may have altered timestamps. Exclude file extensions like temp and tmp to minimize false positives. +- System accounts such as SYSTEM or Local Service may perform legitimate file operations. Exclude these user names to focus on suspicious activities. + +### Response and remediation + +- Isolate the affected system from the network to prevent further malicious activity and lateral movement by the adversary. +- Conduct a thorough review of the file in question to determine if it is malicious. Use a combination of antivirus scans and manual analysis to assess the file's behavior and origin. +- If the file is confirmed to be malicious, remove it from the system and any other locations it may have been copied to. Ensure that all associated processes are terminated. +- Restore any affected files from a known good backup to ensure data integrity and continuity. +- Review and update endpoint protection settings to ensure that similar threats are detected and blocked in the future. This may include adjusting Sysmon configurations to enhance logging and detection capabilities. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised. 
+- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases with any new indicators of compromise (IOCs) identified.""" risk_score = 47 rule_id = "166727ab-6768-4e26-b80c-948b228ffc06" severity = "medium" 
@@ -55,41 +88,6 @@ file where host.os.type == "windows" and not file.extension : ("temp", "tmp", "~tmp", "xml", "newcfg") and not user.name : ("SYSTEM", "Local Service", "Network Service") and not file.name : ("LOG", "temp-index", "license.rtf", "iconcache_*.db") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating File Creation Time Changed -File creation timestamps are crucial for tracking file history and integrity. Adversaries may alter these timestamps, a tactic known as timestomping, to disguise malicious files as benign. This detection rule leverages Sysmon logs to identify suspicious changes in file creation times, excluding trusted processes and file types, thus highlighting potential evasion attempts by attackers. - -### Possible investigation steps - -- Review the Sysmon logs to confirm the event code 2, which indicates a file creation time change, and verify the associated process and file details. -- Identify the process executable path that triggered the alert and determine if it is outside the list of trusted paths specified in the query. -- Check the file extension and name to ensure they are not part of the excluded types such as "temp", "tmp", or "LOG". -- Investigate the user account associated with the event to determine if it is a non-system account, as the query excludes "SYSTEM", "Local Service", and "Network Service". -- Correlate the file creation time change event with other security events or logs to identify any related suspicious activities or patterns. -- Assess the file's location and context to determine if it is in a sensitive or unusual directory that could indicate malicious intent. 
-- If necessary, perform a deeper forensic analysis on the file and process to identify any potential malicious behavior or indicators of compromise. - -### False positive analysis - -- Trusted software updates or installations may alter file creation times. Exclude known update processes like msiexec.exe from detection to reduce noise. -- System maintenance tasks, such as disk cleanup, can modify timestamps. Exclude cleanmgr.exe to prevent these benign changes from triggering alerts. -- User-initiated actions in trusted applications like Chrome or Firefox might change file creation times. Exclude these applications to avoid unnecessary alerts. -- Temporary files created by legitimate processes may have altered timestamps. Exclude file extensions like temp and tmp to minimize false positives. -- System accounts such as SYSTEM or Local Service may perform legitimate file operations. Exclude these user names to focus on suspicious activities. - -### Response and remediation - -- Isolate the affected system from the network to prevent further malicious activity and lateral movement by the adversary. -- Conduct a thorough review of the file in question to determine if it is malicious. Use a combination of antivirus scans and manual analysis to assess the file's behavior and origin. -- If the file is confirmed to be malicious, remove it from the system and any other locations it may have been copied to. Ensure that all associated processes are terminated. -- Restore any affected files from a known good backup to ensure data integrity and continuity. -- Review and update endpoint protection settings to ensure that similar threats are detected and blocked in the future. This may include adjusting Sysmon configurations to enhance logging and detection capabilities. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised. 
-- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases with any new indicators of compromise (IOCs) identified.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index c8905c48390..02065898392 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -39,7 +37,14 @@ Identifies suspicious creation of Alternate Data Streams on highly targeted file and sometimes done by adversaries to hide malware. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Unusual File Creation - Alternate Data Stream" diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 2f097277e2f..4624bd3738f 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,33 +11,18 @@ Identifies processes running from an Alternate Data Stream. This is uncommon for by adversaries to hide malware. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", +] language = "eql" license = "Elastic License v2" name = "Unusual Process Execution Path - Alternate Data Stream" -risk_score = 47 -rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.args : "?:\\*:*" and process.args_count == 1 -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -75,6 +58,29 @@ Alternate Data Streams (ADS) in Windows allow files to contain multiple data str - Restore any affected files or systems from known good backups to ensure system integrity. - Monitor the network for any unusual outbound traffic from the affected system that may indicate data exfiltration attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.""" +risk_score = 47 +rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.args : "?:\\*:*" and process.args_count == 1 +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index 28aae9651a0..cb995466265 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -2,9 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -22,35 +20,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Unusual Network Connection via DllHost" -references = [ - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", - "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", -] -risk_score = 47 -rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by host.id, process.entity_id with maxspan=1m - [process where host.os.type == "windows" and event.type == "start" and process.name : "dllhost.exe" and process.args_count == 1] - [network where host.os.type == "windows" and process.name : "dllhost.exe" and - not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", - "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", - "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", - "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", - "FF00::/8")] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -84,6 +53,35 @@ Dllhost.exe is a legitimate Windows process used to host DLL services. Adversari - Restore the affected system from a known good backup to ensure that any potential backdoors or persistent threats are removed. - Implement network segmentation to limit the ability of similar threats to spread across the network in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional organizational measures are required.""" +references = [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", +] +risk_score = 47 +rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by host.id, process.entity_id with maxspan=1m + [process where host.os.type == "windows" and event.type == "start" and process.name : "dllhost.exe" and process.args_count == 1] + [network where host.os.type == "windows" and process.name : "dllhost.exe" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", + "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", + "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", + "FF00::/8")] +''' [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index f18055065db..537786d54dd 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index 104bf15fb9a..cf511fd46e4 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index b1eadcddb61..a63865675de 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -23,30 +21,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Unusual Child Process from a System Virtual Process" -risk_score = 73 -rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.pid == 4 and process.executable : "?*" and - not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -83,6 +57,30 @@ In Windows environments, the System process (PID 4) is a critical component resp - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated through other means. - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the affected system and similar environments to detect any recurrence of the threat, focusing on process creation events and anomalies related to the System process.""" +risk_score = 73 +rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.pid == 4 and process.executable : "?*" and + not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index 03aed7c87b2..0d11cba34b2 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender", "system"] maturity = "production" -updated_date = "2025/02/24" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
diff --git a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml index 8b47ab9f875..700431e7ee8 100644 --- a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml +++ b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml @@ -2,9 +2,7 @@ creation_date = "2025/02/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,14 @@ Identifies the creation of a Windows Defender Application Control (WDAC) policy may use a secially crafted WDAC policy to restrict the execution of security products. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "WDAC Policy File by an Unusual Process" @@ -46,7 +51,7 @@ note = """## Triage and analysis """ references = [ "https://github.com/logangoins/Krueger/tree/main", - "https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/" + "https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/", ] risk_score = 73 rule_id = "3aaf37f3-05a1-40a5-bb6e-e380c4f92c52" @@ -81,8 +86,8 @@ name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
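Review bot: The rule description carried as context in the `@@ -13,7 +11,14 @@` hunk still reads `may use a secially crafted WDAC policy`, and since this commit already edits the adjacent `index` and `updated_date` lines, correcting it here to `may use a specially crafted WDAC policy` would avoid a separate documentation-only change. The remaining hunks in this section (trailing comma on the `references` entry, blank line moved after the `[rule.threat.tactic]` block) are formatting only and raise nothing.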
diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml index 85d7318e9ac..2b3015a7db9 100644 --- a/rules/windows/defense_evasion_windows_filtering_platform.toml +++ b/rules/windows/defense_evasion_windows_filtering_platform.toml @@ -2,9 +2,7 @@ creation_date = "2023/12/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,42 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential Evasion via Windows Filtering Platform" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Evasion via Windows Filtering Platform + +The Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for network filtering and packet processing. Adversaries may exploit WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry data. The detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics. + +### Possible investigation steps + +- Review the specific network events that triggered the alert, focusing on the event.action values "windows-firewall-packet-block" and "windows-firewall-packet-drop" to understand which processes were blocked. +- Identify the process names involved in the alert from the process.name field and verify if they are related to known endpoint security software, as listed in the query. +- Check the winlog.computer_name field to determine which systems are affected and assess if multiple systems are involved, indicating a broader issue. +- Investigate the recent changes to the Windows Filtering Platform rules on the affected systems to identify any unauthorized or suspicious modifications. +- Correlate the blocked events with any recent security incidents or alerts to determine if there is a pattern or ongoing attack. 
+- Consult system logs and security software logs on the affected systems for additional context or anomalies around the time of the alert. +- Engage with the system or network administrators to verify if any legitimate changes were made to the WFP rules that could explain the blocked events. + +### False positive analysis + +- Security software updates or installations can trigger multiple block events as they modify network configurations. Users should monitor for these events during known update windows and consider excluding them from alerts. +- Legitimate network troubleshooting or diagnostic tools may temporarily block network traffic as part of their operation. Identify these tools and create exceptions for their processes to prevent false alerts. +- Custom security configurations or policies in enterprise environments might intentionally block certain network activities. Review and document these configurations to differentiate between expected behavior and potential threats. +- Temporary network disruptions or misconfigurations can cause legitimate security processes to be blocked. Regularly audit network settings and ensure they align with security policies to minimize these occurrences. +- Scheduled maintenance or testing of security systems might result in blocked events. Coordinate with IT teams to whitelist these activities during planned maintenance periods. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further malicious activity and data exfiltration. +- Terminate any suspicious processes identified in the alert, particularly those related to endpoint security software, to restore normal security operations. +- Review and remove any unauthorized or suspicious Windows Filtering Platform rules that may have been added to block security processes. 
+- Conduct a thorough scan of the affected system using a trusted antivirus or endpoint detection and response (EDR) tool to identify and remove any malware or persistent threats. +- Restore any affected security software to its default configuration and ensure it is fully operational and updated. +- Monitor network traffic and system logs for any signs of continued evasion tactics or re-infection attempts. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" references = [ "https://github.com/dsnezhkov/shutter/tree/main", "https://github.com/netero1010/EDRSilencer/tree/main", 
@@ -98,42 +132,6 @@ sequence by winlog.computer_name with maxspan=1m
 "splunk.exe", "sysmon.exe", "sysmon64.exe", "taniumclient.exe"
 )] with runs=5
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Evasion via Windows Filtering Platform
-
-The Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for network filtering and packet processing. Adversaries may exploit WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry data. The detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics.
-
-### Possible investigation steps
-
-- Review the specific network events that triggered the alert, focusing on the event.action values "windows-firewall-packet-block" and "windows-firewall-packet-drop" to understand which processes were blocked.
-- Identify the process names involved in the alert from the process.name field and verify if they are related to known endpoint security software, as listed in the query.
-- Check the winlog.computer_name field to determine which systems are affected and assess if multiple systems are involved, indicating a broader issue.
-- Investigate the recent changes to the Windows Filtering Platform rules on the affected systems to identify any unauthorized or suspicious modifications.
-- Correlate the blocked events with any recent security incidents or alerts to determine if there is a pattern or ongoing attack.
-- Consult system logs and security software logs on the affected systems for additional context or anomalies around the time of the alert.
-- Engage with the system or network administrators to verify if any legitimate changes were made to the WFP rules that could explain the blocked events.
-
-### False positive analysis
-
-- Security software updates or installations can trigger multiple block events as they modify network configurations. Users should monitor for these events during known update windows and consider excluding them from alerts.
-- Legitimate network troubleshooting or diagnostic tools may temporarily block network traffic as part of their operation. Identify these tools and create exceptions for their processes to prevent false alerts.
-- Custom security configurations or policies in enterprise environments might intentionally block certain network activities. Review and document these configurations to differentiate between expected behavior and potential threats.
-- Temporary network disruptions or misconfigurations can cause legitimate security processes to be blocked. Regularly audit network settings and ensure they align with security policies to minimize these occurrences.
-- Scheduled maintenance or testing of security systems might result in blocked events. Coordinate with IT teams to whitelist these activities during planned maintenance periods.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further malicious activity and data exfiltration.
-- Terminate any suspicious processes identified in the alert, particularly those related to endpoint security software, to restore normal security operations.
-- Review and remove any unauthorized or suspicious Windows Filtering Platform rules that may have been added to block security processes.
-- Conduct a thorough scan of the affected system using a trusted antivirus or endpoint detection and response (EDR) tool to identify and remove any malware or persistent threats.
-- Restore any affected security software to its default configuration and ensure it is fully operational and updated.
-- Monitor network traffic and system logs for any signs of continued evasion tactics or re-infection attempts.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index b420a15a18f..d66cd9d3ee7 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/03/02"
 integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index fcad58baebe..f0dae674a7e 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -24,6 +22,40 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Windows Subsystem for Linux"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Execution via Windows Subsystem for Linux
+
+Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute Linux commands stealthily, bypassing traditional Windows security measures. The detection rule identifies unusual WSL activity by monitoring specific executable paths, command-line arguments, and parent-child process relationships, flagging deviations from typical usage patterns to uncover potential threats.
+
+### Possible investigation steps
+
+- Review the process command line and executable path to determine if the execution of bash.exe or any other Linux binaries is expected or authorized for the user or system in question.
+- Investigate the parent-child process relationship, especially focusing on whether wsl.exe is the parent process and if it has spawned any unexpected child processes that are not wslhost.exe.
+- Examine the command-line arguments used with wsl.exe for any suspicious or unauthorized commands, such as accessing sensitive files like /etc/shadow or /etc/passwd, or using network tools like curl.
+- Check the user's activity history and system logs to identify any patterns of behavior that might indicate misuse or compromise, particularly focusing on any deviations from typical usage patterns.
+- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and determine if this is part of a broader attack or isolated incident.
+
+### False positive analysis
+
+- Frequent use of WSL for legitimate development tasks may trigger alerts. Users can create exceptions for specific user accounts or directories commonly used for development to reduce noise.
+- Automated scripts or tools that utilize WSL for system maintenance or monitoring might be flagged. Identify these scripts and whitelist their specific command-line patterns or parent processes.
+- Docker-related processes may cause false positives due to their interaction with WSL. Exclude Docker executable paths from the detection rule to prevent unnecessary alerts.
+- Visual Studio Code extensions that interact with WSL can generate alerts. Exclude known non-threatening extensions by specifying their command-line arguments in the exception list.
+- Regular system updates or administrative tasks that involve WSL might be misidentified. Document these activities and adjust the detection rule to recognize them as benign.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious processes identified by the detection rule, such as those involving bash.exe or wsl.exe with unusual command-line arguments.
+- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify any unauthorized changes or installations.
+- Remove any unauthorized or suspicious Linux binaries or scripts found within the WSL environment.
+- Reset credentials for any accounts that may have been compromised, especially if sensitive files like /etc/shadow or /etc/passwd were accessed.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for WSL activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon."""
 references = [
 "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
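Review bot: The false-positive bullet about Docker in the added note tells the analyst to `Exclude Docker executable paths from the detection rule`, but the rule's query already does this — the context line of the following hunk shows `not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")`. As written, the guidance sends the reader to add an exclusion that exists and hides that only the default Program Files locations are covered. Suggest rewording the bullet to `- Docker-related processes under the default Program Files locations are already excluded by the query; add an exception only for Docker installations in non-standard paths.` The text appears to be carried over verbatim from the copy removed in the next hunk, so the wording predates this move.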
@@ -67,40 +99,6 @@ process where host.os.type == "windows" and event.type : "start" and
 ) and not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Execution via Windows Subsystem for Linux
-
-Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute Linux commands stealthily, bypassing traditional Windows security measures. The detection rule identifies unusual WSL activity by monitoring specific executable paths, command-line arguments, and parent-child process relationships, flagging deviations from typical usage patterns to uncover potential threats.
-
-### Possible investigation steps
-
-- Review the process command line and executable path to determine if the execution of bash.exe or any other Linux binaries is expected or authorized for the user or system in question.
-- Investigate the parent-child process relationship, especially focusing on whether wsl.exe is the parent process and if it has spawned any unexpected child processes that are not wslhost.exe.
-- Examine the command-line arguments used with wsl.exe for any suspicious or unauthorized commands, such as accessing sensitive files like /etc/shadow or /etc/passwd, or using network tools like curl.
-- Check the user's activity history and system logs to identify any patterns of behavior that might indicate misuse or compromise, particularly focusing on any deviations from typical usage patterns.
-- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and determine if this is part of a broader attack or isolated incident.
-
-### False positive analysis
-
-- Frequent use of WSL for legitimate development tasks may trigger alerts. Users can create exceptions for specific user accounts or directories commonly used for development to reduce noise.
-- Automated scripts or tools that utilize WSL for system maintenance or monitoring might be flagged. Identify these scripts and whitelist their specific command-line patterns or parent processes.
-- Docker-related processes may cause false positives due to their interaction with WSL. Exclude Docker executable paths from the detection rule to prevent unnecessary alerts.
-- Visual Studio Code extensions that interact with WSL can generate alerts. Exclude known non-threatening extensions by specifying their command-line arguments in the exception list.
-- Regular system updates or administrative tasks that involve WSL might be misidentified. Document these activities and adjust the detection rule to recognize them as benign.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
-- Terminate any suspicious processes identified by the detection rule, such as those involving bash.exe or wsl.exe with unusual command-line arguments.
-- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify any unauthorized changes or installations.
-- Remove any unauthorized or suspicious Linux binaries or scripts found within the WSL environment.
-- Reset credentials for any accounts that may have been compromised, especially if sensitive files like /etc/shadow or /etc/passwd were accessed.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Implement enhanced monitoring and logging for WSL activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon."""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index cd43a1c7678..a8fa622b30f 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,6 +25,41 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via Windows Subsystem for Linux"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Execution via Windows Subsystem for Linux
+
+Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute malicious scripts or binaries, bypassing traditional Windows security mechanisms. The detection rule identifies suspicious executions initiated by WSL processes, excluding known safe executables, to flag potential misuse for defense evasion.
+
+### Possible investigation steps
+
+- Review the process details to identify the executable path and determine if it matches any known malicious or suspicious binaries not listed in the safe executables.
+- Investigate the parent process, specifically wsl.exe or wslhost.exe, to understand how the execution was initiated and if it aligns with expected user behavior or scheduled tasks.
+- Check the user account associated with the process execution to verify if the activity is consistent with the user's typical behavior or if the account may have been compromised.
+- Analyze the event dataset, especially if it is from crowdstrike.fdr, to gather additional context about the process execution and any related activities on the host.
+- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or SentinelOne to identify any related suspicious activities or patterns.
+- Assess the risk score and severity in the context of the organization's environment to prioritize the investigation and response actions accordingly.
+
+### False positive analysis
+
+- Legitimate administrative tasks using WSL may trigger alerts. Users can create exceptions for known administrative scripts or binaries that are frequently executed via WSL.
+- Development environments often use WSL for compiling or testing code. Exclude specific development tools or scripts that are regularly used by developers to prevent unnecessary alerts.
+- Automated system maintenance scripts running through WSL can be mistaken for malicious activity. Identify and whitelist these scripts to reduce false positives.
+- Security tools or monitoring solutions that leverage WSL for legitimate purposes should be identified and excluded from detection to avoid interference with their operations.
+- Frequent use of WSL by specific users or groups for non-malicious purposes can be managed by creating user-based exceptions, allowing their activities to proceed without triggering alerts.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
+- Terminate any suspicious processes identified as being executed via WSL that are not part of the known safe executables list.
+- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify unauthorized changes or installations.
+- Remove any unauthorized or malicious scripts and binaries found within the WSL environment.
+- Restore the system from a known good backup if malicious activity has compromised system integrity.
+- Update and patch the system to ensure all software, including WSL, is up to date to mitigate known vulnerabilities.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 47
 rule_id = "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd"
@@ -73,41 +106,6 @@ process where host.os.type == "windows" and event.type : "start" and
 )
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Execution via Windows Subsystem for Linux
-
-Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute malicious scripts or binaries, bypassing traditional Windows security mechanisms. The detection rule identifies suspicious executions initiated by WSL processes, excluding known safe executables, to flag potential misuse for defense evasion.
-
-### Possible investigation steps
-
-- Review the process details to identify the executable path and determine if it matches any known malicious or suspicious binaries not listed in the safe executables.
-- Investigate the parent process, specifically wsl.exe or wslhost.exe, to understand how the execution was initiated and if it aligns with expected user behavior or scheduled tasks.
-- Check the user account associated with the process execution to verify if the activity is consistent with the user's typical behavior or if the account may have been compromised.
-- Analyze the event dataset, especially if it is from crowdstrike.fdr, to gather additional context about the process execution and any related activities on the host.
-- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or SentinelOne to identify any related suspicious activities or patterns.
-- Assess the risk score and severity in the context of the organization's environment to prioritize the investigation and response actions accordingly.
-
-### False positive analysis
-
-- Legitimate administrative tasks using WSL may trigger alerts. Users can create exceptions for known administrative scripts or binaries that are frequently executed via WSL.
-- Development environments often use WSL for compiling or testing code. Exclude specific development tools or scripts that are regularly used by developers to prevent unnecessary alerts.
-- Automated system maintenance scripts running through WSL can be mistaken for malicious activity. Identify and whitelist these scripts to reduce false positives.
-- Security tools or monitoring solutions that leverage WSL for legitimate purposes should be identified and excluded from detection to avoid interference with their operations.
-- Frequent use of WSL by specific users or groups for non-malicious purposes can be managed by creating user-based exceptions, allowing their activities to proceed without triggering alerts.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
-- Terminate any suspicious processes identified as being executed via WSL that are not part of the known safe executables list.
-- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify unauthorized changes or installations.
-- Remove any unauthorized or malicious scripts and binaries found within the WSL environment.
-- Restore the system from a known good backup if malicious activity has compromised system integrity.
-- Update and patch the system to ensure all software, including WSL, is up to date to mitigate known vulnerabilities.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index d6481083cd5..3fbc2682614 100644
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml
index f653d30cd3b..9e1a4126962 100644
--- a/rules/windows/defense_evasion_wsl_filesystem.toml
+++ b/rules/windows/defense_evasion_wsl_filesystem.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -22,31 +20,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Host Files System Changes via Windows Subsystem for Linux"
-references = ["https://github.com/microsoft/WSL"]
-risk_score = 47
-rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-sequence by process.entity_id with maxspan=5m
- [process where host.os.type == "windows" and event.type == "start" and
- process.name : "dllhost.exe" and
- /* Plan9FileSystem CLSID - WSL Host File System Worker */
- process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"]
- [file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"]
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -81,6 +54,31 @@ Windows Subsystem for Linux (WSL) allows users to run a Linux environment direct
 - Update and patch the Windows Subsystem for Linux and related components to mitigate any known vulnerabilities that could be exploited.
 - Monitor for any recurrence of similar activities by setting up alerts for processes and file operations involving "dllhost.exe" and the Plan9FileSystem.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+references = ["https://github.com/microsoft/WSL"]
+risk_score = 47
+rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by process.entity_id with maxspan=5m
+ [process where host.os.type == "windows" and event.type == "start" and
+ process.name : "dllhost.exe" and
+ /* Plan9FileSystem CLSID - WSL Host File System Worker */
+ process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"]
+ [file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"]
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index 3c99fb56080..45c30daed9f 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,6 +25,40 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Install Kali Linux via WSL"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Attempt to Install Kali Linux via WSL
+
+Windows Subsystem for Linux (WSL) allows users to run Linux distributions on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to install Kali Linux, a penetration testing distribution, to evade detection by traditional Windows security tools. The detection rule identifies suspicious processes and file paths associated with Kali Linux installations, flagging potential misuse for defense evasion.
+
+### Possible investigation steps
+
+- Review the process details to confirm the presence of "wsl.exe" with arguments indicating an attempt to install or use Kali Linux, such as "-d", "--distribution", "-i", or "--install".
+- Check the file paths associated with the Kali Linux installation, such as "?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*" or "?:\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe", to verify if the installation files exist on the system.
+- Investigate the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious.
+- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
+- Assess the risk and impact of the detected activity by considering the context of the environment and any potential threats posed by the use of Kali Linux on the system.
+
+### False positive analysis
+
+- Legitimate use of Kali Linux for development or educational purposes may trigger the rule. Users can create exceptions for specific user accounts or groups known to use Kali Linux for authorized activities.
+- Automated scripts or deployment tools that install or configure Kali Linux as part of a legitimate IT process might be flagged. Consider whitelisting these scripts or processes by their hash or path.
+- Security researchers or IT professionals conducting penetration testing on a Windows machine may cause false positives. Implement user-based exclusions for these professionals to prevent unnecessary alerts.
+- System administrators testing WSL features with various Linux distributions, including Kali, could inadvertently trigger the rule. Establish a policy to document and approve such activities, then exclude them from detection.
+- Training environments where Kali Linux is used to teach cybersecurity skills might be mistakenly flagged. Set up environment-specific exclusions to avoid disrupting educational activities.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent any potential lateral movement or data exfiltration.
+- Terminate any suspicious processes related to the Kali Linux installation attempt, specifically those involving `wsl.exe` with arguments indicating a Kali distribution.
+- Remove any unauthorized installations of Kali Linux by deleting associated files and directories, such as those found in `AppData\\\\Local\\\\packages\\\\kalilinux*` or `Program Files*\\\\WindowsApps\\\\KaliLinux.*`.
+- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized access or privilege escalation has occurred.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement additional monitoring and alerting for similar activities across the network, focusing on WSL usage and installation attempts of known penetration testing tools.
+- Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, leveraging data sources like Microsoft Defender for Endpoint and Sysmon."""
 references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 73
 rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e"
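Review bot: The remediation bullet in the added note writes the Kali paths with quadruple backslashes (`AppData\\\\Local\\\\packages\\\\kalilinux*`, `Program Files*\\\\WindowsApps\\\\KaliLinux.*`) while the investigation-steps bullet in the same string uses `"?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*"`. Since `note` is a TOML basic multi-line string, `\\\\` decodes to two backslashes and `\\` to one, so the rendered guide shows the same directory two different ways. Unless a downstream renderer deliberately consumes the doubled form, normalise the remediation bullet to `\\` so every path renders as a single-backslash Windows path. The same text is visible in the copy removed in the following hunk, so this predates the move rather than being introduced by it.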
@@ -62,40 +94,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Attempt to Install Kali Linux via WSL - -Windows Subsystem for Linux (WSL) allows users to run Linux distributions on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to install Kali Linux, a penetration testing distribution, to evade detection by traditional Windows security tools. The detection rule identifies suspicious processes and file paths associated with Kali Linux installations, flagging potential misuse for defense evasion. - -### Possible investigation steps - -- Review the process details to confirm the presence of "wsl.exe" with arguments indicating an attempt to install or use Kali Linux, such as "-d", "--distribution", "-i", or "--install". -- Check the file paths associated with the Kali Linux installation, such as "?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*" or "?:\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe", to verify if the installation files exist on the system. -- Investigate the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious. -- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. -- Assess the risk and impact of the detected activity by considering the context of the environment and any potential threats posed by the use of Kali Linux on the system. 
- -### False positive analysis - -- Legitimate use of Kali Linux for development or educational purposes may trigger the rule. Users can create exceptions for specific user accounts or groups known to use Kali Linux for authorized activities. -- Automated scripts or deployment tools that install or configure Kali Linux as part of a legitimate IT process might be flagged. Consider whitelisting these scripts or processes by their hash or path. -- Security researchers or IT professionals conducting penetration testing on a Windows machine may cause false positives. Implement user-based exclusions for these professionals to prevent unnecessary alerts. -- System administrators testing WSL features with various Linux distributions, including Kali, could inadvertently trigger the rule. Establish a policy to document and approve such activities, then exclude them from detection. -- Training environments where Kali Linux is used to teach cybersecurity skills might be mistakenly flagged. Set up environment-specific exclusions to avoid disrupting educational activities. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent any potential lateral movement or data exfiltration. -- Terminate any suspicious processes related to the Kali Linux installation attempt, specifically those involving `wsl.exe` with arguments indicating a Kali distribution. -- Remove any unauthorized installations of Kali Linux by deleting associated files and directories, such as those found in `AppData\\\\Local\\\\packages\\\\kalilinux*` or `Program Files*\\\\WindowsApps\\\\KaliLinux.*`. -- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized access or privilege escalation has occurred. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. 
-- Implement additional monitoring and alerting for similar activities across the network, focusing on WSL usage and installation attempts of known penetration testing tools. -- Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, leveraging data sources like Microsoft Defender for Endpoint and Sysmon.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml index 912dbf47093..04dda33d917 100644 --- a/rules/windows/defense_evasion_wsl_registry_modification.toml +++ b/rules/windows/defense_evasion_wsl_registry_modification.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -19,7 +17,7 @@ index = [ "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", - "logs-sentinel_one_cloud_funnel.*" + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index 5f7fdd3601a..154f036722d 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index c6859be0da9..79c6b4eb5f0 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 6a9ece61262..95fbfd10cd0 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index fd505cadcf7..885e2d7cfcf 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/27"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 3c92026cfdc..3b6bcfb544f 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/22"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml
index 383c06fb8ee..fee2c05afd0 100644
--- a/rules/windows/discovery_group_policy_object_discovery.toml
+++ b/rules/windows/discovery_group_policy_object_discovery.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/18"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml
index e3f6379ae2d..52bb2e236f0 100644
--- a/rules/windows/discovery_high_number_ad_properties.toml
+++ b/rules/windows/discovery_high_number_ad_properties.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -17,38 +15,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Access to LDAP Attributes" -risk_score = 73 -rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e" -setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). -Steps to implement the logging policy with Advanced Audit Configuration: - -Computer Configuration > -Policies > -Windows Settings > -Security Settings > -Advanced Audit Policies Configuration > -Audit Policies > -DS Access > -Audit Directory Service Changes (Success,Failure) -""" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Windows Security Event Logs", - "Data Source: Active Directory", - "Data Source: Windows", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -any where event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and - winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000 -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -83,6 +49,38 @@ LDAP (Lightweight Directory Access Protocol) is crucial for querying and modifyi - Implement additional monitoring on LDAP queries and Active Directory access to detect similar patterns of excessive attribute queries in the future. - Review and tighten access controls and permissions within Active Directory to ensure that only necessary attributes are accessible to users based on their roles. - Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence of similar threats.""" +risk_score = 73 +rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e" +setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). +Steps to implement the logging policy with Advanced Audit Configuration: + +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +""" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Windows Security Event Logs", + "Data Source: Active Directory", + "Data Source: Windows", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and + winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000 +''' [[rule.threat]] diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index 91b672472ac..dcc46b623ee 100644 --- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml 
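Review bot: The `setup` string moved in this hunk tells the operator to enable "Audit Directory Service Changes", but the query keys on event.code 4662, which Windows generates from the "Audit Directory Service Access" subcategory (Directory Service Changes produces the 5136–5141 events) — worth confirming, because an admin following the steps as written would enable the wrong policy and the rule would never fire. If confirmed, change both the first line and the last step to `Audit Directory Service Access (Success,Failure)`. It would also help to state the second prerequisite, since 4662 is only emitted for objects whose SACL audits the matching access: `The audited AD objects must carry a SACL entry for the access types of interest; without it no 4662 events are written even with the policy enabled.`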
@@ -2,9 +2,7 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index d445261d76b..5343b81ad59 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 01d1b468192..66ea6c6a21e 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/10/28"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +76,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -117,13 +124,14 @@ event.category:process and host.os.type:windows and ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" - +case_insensitive = true +value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -135,6 +143,7 @@ id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" @@ -144,16 +153,17 @@ id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" -[[rule.threat.technique]] -id = "T1482" -name = "Domain Trust Discovery" -reference = "https://attack.mitre.org/techniques/T1482/" [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" +[[rule.threat.technique]] +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" + [rule.threat.tactic] id = "TA0007" 
@@ -181,16 +191,14 @@ reference = "https://attack.mitre.org/techniques/T1106/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" + [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index 971ad80ddf2..06b50368e98 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/15" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -165,33 +164,34 @@ host.os.type:windows and event.category:iam and event.action:user-member-enumera ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."winlog.event_data.CallerProcessName"] -"case_insensitive" = true -"value" = "C:\\\\Program Files (x86)\\\\*.exe" - +case_insensitive = true +value = "C:\\\\Program Files (x86)\\\\*.exe" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."winlog.event_data.CallerProcessName"] -"case_insensitive" = true -"value" = "C:\\\\Program Files\\\\*.exe" - +case_insensitive = true +value = "C:\\\\Program Files\\\\*.exe" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -200,7 +200,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index 17ddc8e276d..3ec86d9236d 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/02/22" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -76,7 +74,7 @@ tags = [
     "Data Source: Elastic Defend",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
-    "Data Source: Windows Security Event Logs"
+    "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 3cc541369c6..74799bd0dbd 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -27,6 +25,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Command Execution via SolarWinds Process" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Command Execution via SolarWinds Process + +SolarWinds is a widely used IT management tool that can be targeted by adversaries to execute unauthorized commands. Attackers may exploit SolarWinds processes to launch command-line interpreters like Cmd.exe or Powershell.exe, potentially leading to system compromise. The detection rule identifies suspicious child processes initiated by specific SolarWinds executables, flagging potential misuse by correlating process start events with known SolarWinds parent processes. This helps in early detection of malicious activities leveraging SolarWinds for command execution. + +### Possible investigation steps + +- Review the alert details to identify the specific SolarWinds parent process that initiated the suspicious child process (Cmd.exe or Powershell.exe) and note the exact executable name and path. +- Examine the timeline of events around the process start event to identify any preceding or subsequent suspicious activities, such as unusual network connections or file modifications. +- Check the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential compromise or misuse. +- Investigate the command line arguments used by the child process to assess if they contain any malicious or unexpected commands. 
+- Correlate the event with other security logs and alerts from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify potential patterns of malicious behavior. +- Assess the system's current state for any indicators of compromise, such as unauthorized changes to system configurations or the presence of known malware signatures. + +### False positive analysis + +- Routine administrative tasks using SolarWinds may trigger the rule when legitimate scripts are executed via Cmd.exe or Powershell.exe. Users can create exceptions for known maintenance scripts or tasks that are regularly scheduled and verified as safe. +- Automated updates or patches initiated by SolarWinds processes might be flagged. To mitigate this, users should whitelist specific update processes or scripts that are part of the regular update cycle. +- Monitoring or diagnostic activities performed by IT staff using SolarWinds tools can result in false positives. Establish a baseline of normal activities and exclude these from alerts by identifying and documenting regular diagnostic commands. +- Custom scripts developed for internal use that leverage SolarWinds processes could be misidentified as threats. Ensure these scripts are reviewed and approved, then add them to an exception list to prevent unnecessary alerts. +- Third-party integrations with SolarWinds that require command execution might be mistakenly flagged. Verify the legitimacy of these integrations and exclude their associated processes from detection rules. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement. +- Terminate any suspicious child processes such as Cmd.exe or Powershell.exe that were initiated by the identified SolarWinds parent processes. 
+- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise. +- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed. +- Update and patch the SolarWinds software and any other vulnerable applications on the affected system to mitigate known vulnerabilities. +- Implement application whitelisting to prevent unauthorized execution of command-line interpreters from SolarWinds processes. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" references = [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc", 
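Review bot: The investigation steps in the `note` block placed here never ask the analyst to check the integrity of the SolarWinds parent binary itself, yet the SUNBURST reports this rule cites describe a validly signed, trojanized SolarWinds component, so a clean code signature on the parent is not evidence of a clean host. Consider adding, after the command-line step, `- Verify the hash and version of the SolarWinds parent executable and its loaded Orion modules against the vendor's published known-good builds; a valid signature alone does not rule out a trojanized component.` In the remediation list, "Restore the system from a known good backup" precedes "Update and patch the SolarWinds software", which presumably is intended as the order of operations; if so, a clause such as `(confirm the backup predates the compromised SolarWinds build)` would keep an analyst from restoring the backdoor along with the system. The note string opens and closes within this hunk, so the whole guide is visible here.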
@@ -63,41 +96,6 @@ process.parent.name: ( "SolarwindsDiagnostics*.exe" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Command Execution via SolarWinds Process - -SolarWinds is a widely used IT management tool that can be targeted by adversaries to execute unauthorized commands. Attackers may exploit SolarWinds processes to launch command-line interpreters like Cmd.exe or Powershell.exe, potentially leading to system compromise. The detection rule identifies suspicious child processes initiated by specific SolarWinds executables, flagging potential misuse by correlating process start events with known SolarWinds parent processes. This helps in early detection of malicious activities leveraging SolarWinds for command execution. - -### Possible investigation steps - -- Review the alert details to identify the specific SolarWinds parent process that initiated the suspicious child process (Cmd.exe or Powershell.exe) and note the exact executable name and path. -- Examine the timeline of events around the process start event to identify any preceding or subsequent suspicious activities, such as unusual network connections or file modifications. -- Check the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential compromise or misuse. -- Investigate the command line arguments used by the child process to assess if they contain any malicious or unexpected commands. -- Correlate the event with other security logs and alerts from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify potential patterns of malicious behavior. 
-- Assess the system's current state for any indicators of compromise, such as unauthorized changes to system configurations or the presence of known malware signatures. - -### False positive analysis - -- Routine administrative tasks using SolarWinds may trigger the rule when legitimate scripts are executed via Cmd.exe or Powershell.exe. Users can create exceptions for known maintenance scripts or tasks that are regularly scheduled and verified as safe. -- Automated updates or patches initiated by SolarWinds processes might be flagged. To mitigate this, users should whitelist specific update processes or scripts that are part of the regular update cycle. -- Monitoring or diagnostic activities performed by IT staff using SolarWinds tools can result in false positives. Establish a baseline of normal activities and exclude these from alerts by identifying and documenting regular diagnostic commands. -- Custom scripts developed for internal use that leverage SolarWinds processes could be misidentified as threats. Ensure these scripts are reviewed and approved, then add them to an exception list to prevent unnecessary alerts. -- Third-party integrations with SolarWinds that require command execution might be mistakenly flagged. Verify the legitimacy of these integrations and exclude their associated processes from detection rules. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement. -- Terminate any suspicious child processes such as Cmd.exe or Powershell.exe that were initiated by the identified SolarWinds parent processes. -- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise. -- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed. 
-- Update and patch the SolarWinds software and any other vulnerable applications on the affected system to mitigate known vulnerabilities. -- Implement application whitelisting to prevent unauthorized execution of command-line interpreters from SolarWinds processes. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" [[rule.threat]] diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml index a3ec450fcf1..548fd088051 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,41 @@ index = ["logs-endpoint.events.process-*", "endgame-*", "logs-sentinel_one_cloud language = "eql" license = "Elastic License v2" name = "Suspicious SolarWinds Child Process" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious SolarWinds Child Process + +SolarWinds is a widely used IT management software that operates critical network and system monitoring functions. Adversaries may exploit its trusted processes to execute unauthorized programs, leveraging its elevated privileges to bypass security controls. The detection rule identifies unusual child processes spawned by SolarWinds' core services, excluding known legitimate operations, to flag potential malicious activity. + +### Possible investigation steps + +- Review the details of the triggered alert to identify the specific child process name and executable path that caused the alert. +- Check the parent process details, specifically SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, to confirm its legitimacy and ensure it is running from the expected directory. +- Investigate the child process's code signature to determine if it is trusted or if there are any anomalies in the signature that could indicate tampering. +- Analyze the historical activity of the suspicious child process on the host to identify any patterns or previous instances of execution that could provide context. +- Correlate the suspicious process activity with other security events or logs from the same host to identify any related malicious behavior or indicators of compromise. 
+- Consult threat intelligence sources to determine if the suspicious process or executable path is associated with known malware or adversary techniques. + +### False positive analysis + +- Legitimate SolarWinds updates or patches may trigger the rule. Ensure that the process code signature is verified as trusted and matches known update signatures. +- Custom scripts or tools integrated with SolarWinds for automation purposes might be flagged. Review these processes and add them to the exclusion list if they are verified as safe and necessary for operations. +- Third-party plugins or extensions that interact with SolarWinds could be misidentified. Validate these plugins and consider excluding them if they are from a trusted source and essential for functionality. +- Scheduled tasks or maintenance activities that involve SolarWinds processes may appear suspicious. Confirm these tasks are part of regular operations and exclude them if they are consistent with expected behavior. +- Temporary diagnostic or troubleshooting tools used by IT staff might be detected. Ensure these tools are authorized and add them to the exclusion list if they are frequently used and pose no threat. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious child processes identified that are not part of the known legitimate operations list, ensuring that no malicious programs continue to execute. +- Conduct a thorough review of the affected system's recent activity logs to identify any additional indicators of compromise or unauthorized changes. +- Restore the affected system from a known good backup to ensure that any potential malware or unauthorized changes are removed. +- Update all SolarWinds software and related components to the latest versions to patch any known vulnerabilities that could be exploited. 
+- Implement enhanced monitoring on the affected system and similar environments to detect any recurrence of suspicious activity, focusing on unusual child processes spawned by SolarWinds services. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if broader organizational impacts need to be addressed.""" references = [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc", 
@@ -59,41 +92,6 @@ process where host.os.type == "windows" and event.type == "start" and ) and not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious SolarWinds Child Process - -SolarWinds is a widely used IT management software that operates critical network and system monitoring functions. Adversaries may exploit its trusted processes to execute unauthorized programs, leveraging its elevated privileges to bypass security controls. The detection rule identifies unusual child processes spawned by SolarWinds' core services, excluding known legitimate operations, to flag potential malicious activity. - -### Possible investigation steps - -- Review the details of the triggered alert to identify the specific child process name and executable path that caused the alert. -- Check the parent process details, specifically SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, to confirm its legitimacy and ensure it is running from the expected directory. -- Investigate the child process's code signature to determine if it is trusted or if there are any anomalies in the signature that could indicate tampering. -- Analyze the historical activity of the suspicious child process on the host to identify any patterns or previous instances of execution that could provide context. -- Correlate the suspicious process activity with other security events or logs from the same host to identify any related malicious behavior or indicators of compromise. 
-- Consult threat intelligence sources to determine if the suspicious process or executable path is associated with known malware or adversary techniques. - -### False positive analysis - -- Legitimate SolarWinds updates or patches may trigger the rule. Ensure that the process code signature is verified as trusted and matches known update signatures. -- Custom scripts or tools integrated with SolarWinds for automation purposes might be flagged. Review these processes and add them to the exclusion list if they are verified as safe and necessary for operations. -- Third-party plugins or extensions that interact with SolarWinds could be misidentified. Validate these plugins and consider excluding them if they are from a trusted source and essential for functionality. -- Scheduled tasks or maintenance activities that involve SolarWinds processes may appear suspicious. Confirm these tasks are part of regular operations and exclude them if they are consistent with expected behavior. -- Temporary diagnostic or troubleshooting tools used by IT staff might be detected. Ensure these tools are authorized and add them to the exclusion list if they are frequently used and pose no threat. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious child processes identified that are not part of the known legitimate operations list, ensuring that no malicious programs continue to execute. -- Conduct a thorough review of the affected system's recent activity logs to identify any additional indicators of compromise or unauthorized changes. -- Restore the affected system from a known good backup to ensure that any potential malware or unauthorized changes are removed. -- Update all SolarWinds software and related components to the latest versions to patch any known vulnerabilities that could be exploited. 
-- Implement enhanced monitoring on the affected system and similar environments to detect any recurrence of suspicious activity, focusing on unusual child processes spawned by SolarWinds services. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if broader organizational impacts need to be addressed.""" [[rule.threat]] diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index 5ae3834e292..403cac21081 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -28,6 +26,40 @@ index = [ language = "eql" license = "Elastic License v2" name = "Execution of COM object via Xwizard" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Execution of COM object via Xwizard + +The Windows Component Object Model (COM) facilitates communication between software components. Adversaries exploit this by using Xwizard to execute COM objects, bypassing security measures. The detection rule identifies suspicious Xwizard executions by monitoring process starts, checking for unusual arguments, and verifying executable paths, thus flagging potential misuse of COM objects for malicious activities. + +### Possible investigation steps + +- Review the process start event details to confirm the presence of xwizard.exe execution, focusing on the process.name and process.pe.original_file_name fields. +- Examine the process.args field to identify any unusual or suspicious arguments, particularly looking for the "RunWizard" command and any GUIDs or patterns that may indicate malicious activity. +- Verify the process.executable path to ensure it matches the expected system paths (C:\\Windows\\SysWOW64\\xwizard.exe or C:\\Windows\\System32\\xwizard.exe). Investigate any deviations from these paths as potential indicators of compromise. +- Check the parent process of xwizard.exe to understand the context of its execution and identify any potentially malicious parent processes. +- Correlate the event with other security data sources such as Microsoft Defender for Endpoint or Sysmon logs to gather additional context and identify any related suspicious activities or patterns. 
+- Investigate the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential unauthorized access or privilege escalation. + +### False positive analysis + +- Legitimate software installations or updates may trigger the rule if they use Xwizard to execute COM objects. Users can create exceptions for known software update processes by verifying the executable paths and arguments. +- System administrators might use Xwizard for legitimate configuration tasks. To handle this, identify and document regular administrative activities and exclude these from the rule by specifying the expected process arguments and executable paths. +- Automated scripts or management tools that utilize Xwizard for system management tasks can cause false positives. Review and whitelist these scripts or tools by ensuring their execution paths and arguments are consistent with known safe operations. +- Some security tools or monitoring solutions might use Xwizard as part of their normal operations. Confirm these activities with the tool's documentation and exclude them by adding their specific execution patterns to the exception list. + +### Response and remediation + +- Isolate the affected system from the network to prevent further malicious activity and lateral movement. +- Terminate any suspicious xwizard.exe processes identified by the detection rule to halt potential malicious execution. +- Conduct a thorough review of the system's registry for unauthorized COM objects and remove any entries that are not recognized or are deemed malicious. +- Restore the system from a known good backup if unauthorized changes or persistent threats are detected. +- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
+- Monitor the network for any signs of similar activity or related threats, ensuring that detection systems are tuned to identify variations of this attack. +- Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected.""" references = [ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", 
@@ -67,40 +99,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Execution of COM object via Xwizard - -The Windows Component Object Model (COM) facilitates communication between software components. Adversaries exploit this by using Xwizard to execute COM objects, bypassing security measures. The detection rule identifies suspicious Xwizard executions by monitoring process starts, checking for unusual arguments, and verifying executable paths, thus flagging potential misuse of COM objects for malicious activities. - -### Possible investigation steps - -- Review the process start event details to confirm the presence of xwizard.exe execution, focusing on the process.name and process.pe.original_file_name fields. -- Examine the process.args field to identify any unusual or suspicious arguments, particularly looking for the "RunWizard" command and any GUIDs or patterns that may indicate malicious activity. -- Verify the process.executable path to ensure it matches the expected system paths (C:\\Windows\\SysWOW64\\xwizard.exe or C:\\Windows\\System32\\xwizard.exe). Investigate any deviations from these paths as potential indicators of compromise. -- Check the parent process of xwizard.exe to understand the context of its execution and identify any potentially malicious parent processes. -- Correlate the event with other security data sources such as Microsoft Defender for Endpoint or Sysmon logs to gather additional context and identify any related suspicious activities or patterns. 
-- Investigate the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential unauthorized access or privilege escalation. - -### False positive analysis - -- Legitimate software installations or updates may trigger the rule if they use Xwizard to execute COM objects. Users can create exceptions for known software update processes by verifying the executable paths and arguments. -- System administrators might use Xwizard for legitimate configuration tasks. To handle this, identify and document regular administrative activities and exclude these from the rule by specifying the expected process arguments and executable paths. -- Automated scripts or management tools that utilize Xwizard for system management tasks can cause false positives. Review and whitelist these scripts or tools by ensuring their execution paths and arguments are consistent with known safe operations. -- Some security tools or monitoring solutions might use Xwizard as part of their normal operations. Confirm these activities with the tool's documentation and exclude them by adding their specific execution patterns to the exception list. - -### Response and remediation - -- Isolate the affected system from the network to prevent further malicious activity and lateral movement. -- Terminate any suspicious xwizard.exe processes identified by the detection rule to halt potential malicious execution. -- Conduct a thorough review of the system's registry for unauthorized COM objects and remove any entries that are not recognized or are deemed malicious. -- Restore the system from a known good backup if unauthorized changes or persistent threats are detected. -- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
-- Monitor the network for any signs of similar activity or related threats, ensuring that detection systems are tuned to identify variations of this attack. -- Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index de4625a0534..ff5bed65278 100644 --- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index 00d3e93161d..4c89a8aff2d 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe" @@ -128,43 +127,45 @@ process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211" ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."process.args"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\system32\\\\silcollector.cmd" - +case_insensitive = true +value = "?:\\\\Windows\\\\system32\\\\silcollector.cmd" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."process.command_line"] -"case_insensitive" = true -"value" = "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*" - - +case_insensitive = true +value = "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."process.command_line"] -"case_insensitive" = true -"value" = "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*" - +case_insensitive = true +value = "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."process.command_line"] -"case_insensitive" = true -"value" = "cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \"" - +case_insensitive = true +value = """ +cmd /C ".\\inetsrv\\iissetup.exe /keygen " +""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" 
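Review bot: The decoded value of the iissetup.exe exclusion changes in the `@@ -128,43 +127,45 @@` hunk: the old basic string `"cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \""` decodes to two backslashes per path separator, whereas the new `"""` form still processes escapes, so `.\\inetsrv\\iissetup.exe` decodes to a single backslash and the newline before the closing `"""` becomes part of the value. The three sibling wildcard filters in the same hunk keep the doubled form (`?:\\\\Windows\\\\system32\\\\silcollector.cmd`), which reads as the wildcard-query escape for a literal backslash; if that is the convention, this exclusion would no longer match the `iissetup.exe /keygen` command line and the rule would start alerting on it, which is worth confirming against the rule as loaded. Keeping the one-line form `value = "cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \""` preserves the previous value; if the formatter requires the triple-quoted form, the backslashes need doubling and a line-ending backslash before the closing delimiter keeps the trailing newline out of the value, unless the rule loader strips it.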
@@ -173,7 +174,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index 40d0ede836f..3db3ebe2ccf 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml 
@@ -2,18 +2,59 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Unusual Parent Process for cmd.exe" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Parent Process for cmd.exe + +Cmd.exe is a command-line interpreter on Windows systems, often used for legitimate administrative tasks. However, adversaries can exploit it by launching it from atypical parent processes to execute malicious commands stealthily. The detection rule identifies such anomalies by flagging cmd.exe instances spawned by uncommon parent processes, which may indicate unauthorized or suspicious activity, thus aiding in early threat detection. + +### Possible investigation steps + +- Review the process tree to understand the context in which cmd.exe was launched, focusing on the parent process identified in the alert. 
+- Investigate the parent process by examining its command-line arguments, start time, and any associated network activity to determine if it is behaving anomalously. +- Check the historical behavior of the parent process to see if it has previously spawned cmd.exe or if this is an unusual occurrence. +- Analyze any child processes spawned by the cmd.exe instance to identify potentially malicious activities or commands executed. +- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or patterns. +- Assess the user account associated with the cmd.exe process to determine if it has been compromised or is exhibiting unusual behavior. +- Consult threat intelligence sources to see if the parent process or its behavior is associated with known malware or attack techniques. + +### False positive analysis + +- Cmd.exe instances spawned by legitimate system maintenance tools like Windows Update or system indexing services can trigger false positives. Users can create exceptions for processes like SearchIndexer.exe or WUDFHost.exe if they are verified as part of routine system operations. +- Software updates or installations that use cmd.exe for scripting purposes might be flagged. If GoogleUpdate.exe or FlashPlayerUpdateService.exe are known to be part of regular update processes, consider excluding them after confirming their legitimacy. +- Administrative scripts or tools that are scheduled to run via Task Scheduler might use cmd.exe and be flagged. If taskhostw.exe is a known parent process for these tasks, verify and exclude it to prevent unnecessary alerts. +- Certain third-party applications might use cmd.exe for legitimate background tasks. If applications like jusched.exe or jucheck.exe are identified as part of trusted software, they can be excluded after validation. +- System recovery or diagnostic tools that interact with cmd.exe could be misidentified. 
If WerFault.exe or wermgr.exe are part of these processes, ensure they are legitimate and exclude them accordingly. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. +- Terminate the suspicious cmd.exe process and its parent process to halt any ongoing malicious activity. +- Conduct a thorough review of the affected system's recent activity logs to identify any unauthorized changes or additional compromised processes. +- Restore any altered or deleted files from a known good backup to ensure system integrity. +- Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for cmd.exe and its parent processes to detect similar anomalies in the future.""" risk_score = 47 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1" setup = """## Setup 
@@ -25,7 +66,18 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -58,42 +110,6 @@ process where host.os.type == "windows" and event.type == "start" and "wlanext.exe" ) and not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Parent Process for cmd.exe - -Cmd.exe is a command-line interpreter on Windows systems, often used for legitimate administrative tasks. However, adversaries can exploit it by launching it from atypical parent processes to execute malicious commands stealthily. The detection rule identifies such anomalies by flagging cmd.exe instances spawned by uncommon parent processes, which may indicate unauthorized or suspicious activity, thus aiding in early threat detection. - -### Possible investigation steps - -- Review the process tree to understand the context in which cmd.exe was launched, focusing on the parent process identified in the alert. -- Investigate the parent process by examining its command-line arguments, start time, and any associated network activity to determine if it is behaving anomalously. -- Check the historical behavior of the parent process to see if it has previously spawned cmd.exe or if this is an unusual occurrence. -- Analyze any child processes spawned by the cmd.exe instance to identify potentially malicious activities or commands executed. -- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or patterns. -- Assess the user account associated with the cmd.exe process to determine if it has been compromised or is exhibiting unusual behavior. 
-- Consult threat intelligence sources to see if the parent process or its behavior is associated with known malware or attack techniques. - -### False positive analysis - -- Cmd.exe instances spawned by legitimate system maintenance tools like Windows Update or system indexing services can trigger false positives. Users can create exceptions for processes like SearchIndexer.exe or WUDFHost.exe if they are verified as part of routine system operations. -- Software updates or installations that use cmd.exe for scripting purposes might be flagged. If GoogleUpdate.exe or FlashPlayerUpdateService.exe are known to be part of regular update processes, consider excluding them after confirming their legitimacy. -- Administrative scripts or tools that are scheduled to run via Task Scheduler might use cmd.exe and be flagged. If taskhostw.exe is a known parent process for these tasks, verify and exclude it to prevent unnecessary alerts. -- Certain third-party applications might use cmd.exe for legitimate background tasks. If applications like jusched.exe or jucheck.exe are identified as part of trusted software, they can be excluded after validation. -- System recovery or diagnostic tools that interact with cmd.exe could be misidentified. If WerFault.exe or wermgr.exe are part of these processes, ensure they are legitimate and exclude them accordingly. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. -- Terminate the suspicious cmd.exe process and its parent process to halt any ongoing malicious activity. -- Conduct a thorough review of the affected system's recent activity logs to identify any unauthorized changes or additional compromised processes. -- Restore any altered or deleted files from a known good backup to ensure system integrity. -- Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring and logging for cmd.exe and its parent processes to detect similar anomalies in the future.""" [[rule.threat]] diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index ba8b8c5ee03..c0273819d72 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml 
@@ -2,47 +2,24 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code."
 false_positives = ["Microsoft Windows installers leveraging RunDLL32 for installation."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Command Shell Activity Started via RunDLL32"
-risk_score = 21
-rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Credential Access",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.name : ("cmd.exe", "powershell.exe") and
- process.parent.name : "rundll32.exe" and process.parent.command_line != null and
- /* common FPs can be added here */
- not process.parent.args : ("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL",
- "C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -78,6 +55,34 @@ RunDLL32 is a legitimate Windows utility used to execute functions in DLLs, ofte
 - Reset credentials for any user accounts that were active on the affected system during the time of the alert to prevent unauthorized access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for rundll32.exe and related processes to detect similar activities in the future and improve response times."""
+risk_score = 21
+rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : ("cmd.exe", "powershell.exe") and
+ process.parent.name : "rundll32.exe" and process.parent.command_line != null and
+ /* common FPs can be added here */
+ not process.parent.args : ("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL",
+ "C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc")
+'''
 [[rule.threat]]
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 89da740cdd5..15f89225424 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,41 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration Command Spawned via WMIPrvSE"
-risk_score = 21
-rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
- process.name:
- (
- "arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe",
- "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe",
- "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe"
- ) and
- process.parent.name:"wmiprvse.exe" and
- not (
- process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and
- process.args : ("demand", "disabled")
- ) and
- not process.args : "tenable_mw_scan"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -97,6 +60,41 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da
 - Restore the system from a known good backup if any malicious activity is confirmed and cannot be remediated through other means.
 - Implement additional monitoring on the affected system and network to detect any recurrence of similar suspicious activities.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems."""
+risk_score = 21
+rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
+ process.name:
+ (
+ "arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe",
+ "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe",
+ "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe"
+ ) and
+ process.parent.name:"wmiprvse.exe" and
+ not (
+ process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and
+ process.args : ("demand", "disabled")
+ ) and
+ not process.args : "tenable_mw_scan"
+'''
 [[rule.threat]]
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index efa858c22c5..ba3b72eecf8 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index bcdefc39bd2..cabd7eb3834 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index b84a036135b..1724e0f677c 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -2,16 +2,13 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory.
-This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via
-a malicious email.
+Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may
+indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email.
 """
 from = "now-9m"
 index = [
@@ -28,32 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Foxmail Exploitation"
-references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"]
-risk_score = 73
-rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Windows Security Event Logs",
- "Data Source: Elastic Endgame",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -89,6 +60,32 @@ Foxmail, a popular email client, can be exploited by adversaries to gain initial
 - Apply any available security patches or updates to Foxmail and the operating system to mitigate known vulnerabilities and prevent future exploitation.
 - Monitor the network and systems for any signs of lateral movement or additional compromise, using indicators of compromise (IOCs) identified during the investigation.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional actions are required based on the scope and impact of the threat."""
+references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"]
+risk_score = 73
+rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Elastic Endgame",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")
+'''
 [[rule.threat]]
@@ -115,3 +112,4 @@ reference = "https://attack.mitre.org/techniques/T1189/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml
index 38df66142d3..5a2423c2e83 100644
--- a/rules/windows/execution_initial_access_via_msc_file.toml
+++ b/rules/windows/execution_initial_access_via_msc_file.toml
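Review bot: The last hunk of execution_initial_access_foxmail_exploit.toml (`@@ -115,3 +112,4 @@`) adds a lone `+` after the TA0001 `reference` line, i.e. an extra empty line at end of file, and the WPS rule's final hunk does the same; none of the other rule files touched in this change end that way, so it reads as a serializer artifact rather than intent. If the formatter emits the trailing blank line only for some files, that inconsistency is worth fixing where the files are written, otherwise dropping the blank line keeps the rule files uniform.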
@@ -2,9 +2,7 @@
 creation_date = "2024/05/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,14 @@ Identifies the execution of a child process from a Microsoft Common Console file
 command in an MSC file in order to trick victims into executing malicious commands.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Execution via Microsoft Common Console File"
diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml
index fb3d4878c02..b6d8c918d59 100644
--- a/rules/windows/execution_initial_access_wps_dll_exploit.toml
+++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml
@@ -2,55 +2,19 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful
-exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.
+Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the
+successful exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.
 """
 from = "now-9m"
-index = [ "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
+index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "WPS Office Exploitation via DLL Hijack"
-references = [
- "https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/",
- "https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"
- ]
-risk_score = 73
-rule_id = "ac6bc744-e82b-41ad-b58d-90654fa4ebfb"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide"
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" and
-(
- (event.category == "library" and
- ?dll.path :
- ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*",
- "\\Device\\Mup\\**", "\\\\*")) or
-
- ((event.category == "process" and event.action : "Image loaded*") and
- ?file.path :
- ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*",
- "\\Device\\Mup\\**", "\\\\*"))
-)
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -86,6 +50,40 @@ DLL hijacking exploits the way applications load dynamic link libraries (DLLs),
 - Apply patches or updates for WPS Office to address the vulnerabilities CVE-2024-7262 and CVE-2024-7263, ensuring that the software is up to date and less susceptible to exploitation.
 - Monitor for any further suspicious activity related to the ksoqing protocol or similar DLL hijacking attempts, using enhanced logging and alerting mechanisms.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
+references = [
+ "https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/",
+ "https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew",
+]
+risk_score = 73
+rule_id = "ac6bc744-e82b-41ad-b58d-90654fa4ebfb"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" and
+(
+ (event.category == "library" and
+ ?dll.path :
+ ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*",
+ "\\Device\\Mup\\**", "\\\\*")) or
+
+ ((event.category == "process" and event.action : "Image loaded*") and
+ ?file.path :
+ ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*",
+ "\\Device\\Mup\\**", "\\\\*"))
+)
+'''
 [[rule.threat]]
@@ -112,3 +110,4 @@ reference = "https://attack.mitre.org/techniques/T1189/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index e4f0ffccc51..5d19bbcc94d 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml
index 533032a5737..6963b49e396 100644
--- a/rules/windows/execution_posh_hacktool_authors.toml
+++ b/rules/windows/execution_posh_hacktool_authors.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/05/08"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,40 @@ index = ["winlogbeat-*", "logs-windows.powershell*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential PowerShell HackTool Script by Author"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential PowerShell HackTool Script by Author
+
+PowerShell is a powerful scripting language and automation framework used in Windows environments for task automation and configuration management. Adversaries exploit PowerShell's capabilities to execute malicious scripts, often leveraging well-known offensive tools without altering the original code. The detection rule identifies scripts containing specific author names linked to these tools, flagging potential misuse by recognizing unmodified author artifacts in the script block text.
+
+### Possible investigation steps
+
+- Review the PowerShell script block text associated with the alert to identify the specific author name that triggered the detection. This can provide insight into the potential tool or script being used.
+- Examine the process details, including the parent process and command line arguments, to understand the context in which the PowerShell script was executed. This can help determine if the execution was part of a legitimate task or a suspicious activity.
+- Check the host's recent activity logs for any other unusual or related events, such as network connections, file modifications, or other process executions, to identify potential lateral movement or data exfiltration attempts.
+- Investigate the user account under which the PowerShell script was executed to determine if it has been compromised or if the activity aligns with the user's typical behavior.
+- Correlate the alert with other security tools and logs, such as antivirus or endpoint detection and response (EDR) solutions, to gather additional context and confirm whether the activity is malicious.
+
+### False positive analysis
+
+- Scripts used in legitimate red team exercises may trigger the rule due to the presence of known author names. To manage this, create exceptions for scripts verified as part of authorized security assessments.
+- PowerShell scripts from open-source security tools used for internal testing or training might be flagged. Ensure these tools are documented and approved, then exclude them from the rule.
+- Automated scripts for system administration that include code snippets from well-known authors could be mistakenly identified. Review and whitelist these scripts if they are part of routine operations.
+- Security research and development activities using sample scripts from recognized authors may cause alerts. Maintain a list of such activities and exclude them from detection to avoid unnecessary alerts.
+- Internal development teams using PowerShell scripts for legitimate purposes might inadvertently use code from popular authors. Conduct regular reviews and exclude these scripts if they are deemed non-threatening.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement.
+- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing malicious activity.
+- Conduct a thorough review of the PowerShell script block text to confirm the presence of known offensive tool author names and assess the potential impact.
+- Remove any unauthorized or malicious scripts from the affected system and ensure that all legitimate scripts are verified and restored from a clean backup.
+- Update endpoint protection and antivirus signatures to detect and block the specific PowerShell scripts and associated indicators of compromise (IOCs) identified in the alert.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for PowerShell activity across the network to detect similar threats in the future, leveraging the MITRE ATT&CK framework for guidance on relevant techniques and tactics."""
 references = [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
 ]
@@ -81,40 +113,6 @@ host.os.type:windows and event.category:process and
 "splinter_code"
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential PowerShell HackTool Script by Author
-
-PowerShell is a powerful scripting language and automation framework used in Windows environments for task automation and configuration management. Adversaries exploit PowerShell's capabilities to execute malicious scripts, often leveraging well-known offensive tools without altering the original code. The detection rule identifies scripts containing specific author names linked to these tools, flagging potential misuse by recognizing unmodified author artifacts in the script block text.
-
-### Possible investigation steps
-
-- Review the PowerShell script block text associated with the alert to identify the specific author name that triggered the detection. This can provide insight into the potential tool or script being used.
-- Examine the process details, including the parent process and command line arguments, to understand the context in which the PowerShell script was executed. This can help determine if the execution was part of a legitimate task or a suspicious activity.
-- Check the host's recent activity logs for any other unusual or related events, such as network connections, file modifications, or other process executions, to identify potential lateral movement or data exfiltration attempts.
-- Investigate the user account under which the PowerShell script was executed to determine if it has been compromised or if the activity aligns with the user's typical behavior.
-- Correlate the alert with other security tools and logs, such as antivirus or endpoint detection and response (EDR) solutions, to gather additional context and confirm whether the activity is malicious.
-
-### False positive analysis
-
-- Scripts used in legitimate red team exercises may trigger the rule due to the presence of known author names. To manage this, create exceptions for scripts verified as part of authorized security assessments.
-- PowerShell scripts from open-source security tools used for internal testing or training might be flagged. Ensure these tools are documented and approved, then exclude them from the rule.
-- Automated scripts for system administration that include code snippets from well-known authors could be mistakenly identified. Review and whitelist these scripts if they are part of routine operations.
-- Security research and development activities using sample scripts from recognized authors may cause alerts. Maintain a list of such activities and exclude them from detection to avoid unnecessary alerts.
-- Internal development teams using PowerShell scripts for legitimate purposes might inadvertently use code from popular authors. Conduct regular reviews and exclude these scripts if they are deemed non-threatening.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement.
-- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing malicious activity.
-- Conduct a thorough review of the PowerShell script block text to confirm the presence of known offensive tool author names and assess the potential impact.
-- Remove any unauthorized or malicious scripts from the affected system and ensure that all legitimate scripts are verified and restored from a clean backup.
-- Update endpoint protection and antivirus signatures to detect and block the specific PowerShell scripts and associated indicators of compromise (IOCs) identified in the alert.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Implement enhanced monitoring and logging for PowerShell activity across the network to detect similar threats in the future, leveraging the MITRE ATT&CK framework for guidance on relevant techniques and tactics."""
 [[rule.threat]]
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 92ffb5fd121..0d9b37772c3 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -109,7 +108,7 @@ Adversaries often exploit PowerShell's capabilities to execute malicious scripts
 """
 references = [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
- "https://github.com/BC-SECURITY/Empire"
+ "https://github.com/BC-SECURITY/Empire",
 ]
 risk_score = 47
 rule_id = "cde1bafa-9f01-4f43-a872-605b678968b0"
@@ -132,7 +131,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: PowerShell Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -321,13 +327,14 @@ event.category:process and host.os.type:windows and
 not user.id : ("S-1-5-18" or "S-1-5-19")
 '''
+
 [[rule.filters]]
+
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
-"case_insensitive" = true
-"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
-
+case_insensitive = true
+value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index dc7e6bc386f..cb7be1a55a8 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index 7e9192d29cb..3efcaabf1d0 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -136,7 +134,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -156,13 +161,14 @@ event.category:process and host.os.type:windows and
 not user.id : "S-1-5-18"
 '''
+
 [[rule.filters]]
+
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
-"case_insensitive" = true
-"value" = "?:\\\\ProgramData\\\\MaaS360\\\\Cloud Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1"
-
+case_insensitive = true
+value = "?:\\\\ProgramData\\\\MaaS360\\\\Cloud Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index f047239b766..dfc2a797f34 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -2,15 +2,11 @@ creation_date = "2024/09/09" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] -description = """ -Identifies PowerShell.exe or Cmd.exe execution spawning from Windows Script Host processes Wscript.exe. -""" +description = "Identifies PowerShell.exe or Cmd.exe execution spawning from Windows Script Host processes Wscript.exe.\n" from = "now-9m" index = [ "logs-m365_defender.event-*", @@ -23,28 +19,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Command and Scripting Interpreter via Windows Scripts" -risk_score = 73 -rule_id = "2d62889e-e758-4c5e-b57e-c735914ee32a" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Windows Security Event Logs", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.action == "start" and - process.name : ("powershell.exe", "pwsh.exe", "cmd.exe") and - process.parent.name : ("wscript.exe", "mshta.exe") and ?process.parent.args : "?:\\Users\\*" -''' note = """## Triage and analysis > **Disclaimer**: 
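Review bot: The rewritten `description` keeps a literal `\n` at the end of the single-line string (`description = "Identifies PowerShell.exe or Cmd.exe execution spawning from Windows Script Host processes Wscript.exe.\n"`), which preserves the former triple-quoted value byte-for-byte but reads as a serializer artifact rather than intent. If the trailing newline is not needed to keep the rule's content hash stable, the cleaner form is the single-line string without it; otherwise the multi-line `"""` form the other rules in this change still use is easier to read and less likely to be "fixed" by a later editor.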
@@ -79,6 +53,28 @@ PowerShell, a powerful scripting language in Windows, is often targeted by adver - Restore the system from a known good backup if any critical system files or configurations have been altered by the malicious activity. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +risk_score = 73 +rule_id = "2d62889e-e758-4c5e-b57e-c735914ee32a" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Windows Security Event Logs", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.action == "start" and + process.name : ("powershell.exe", "pwsh.exe", "cmd.exe") and + process.parent.name : ("wscript.exe", "mshta.exe") and ?process.parent.args : "?:\\Users\\*" +''' [[rule.threat]] diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index 4b9ca9d1175..d9c7138dc43 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index fd36af956e9..d0f7e9bb2f1 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index 342cf86e9e1..11ecc5b29e3 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -23,30 +21,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Outbound Scheduled Task Activity via PowerShell" -references = [ - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", - "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language", -] -risk_score = 47 -rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by host.id, process.entity_id with maxspan = 5s - [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and - (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")] - [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -80,6 +54,30 @@ PowerShell, a powerful scripting language in Windows, can automate tasks via the - Reset credentials for any accounts that were used or potentially compromised during the incident to prevent unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the attack. - Implement enhanced monitoring for similar PowerShell and scheduled task activities across the network to detect and respond to future threats promptly.""" +references = [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language", +] +risk_score = 47 +rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by host.id, process.entity_id with maxspan = 5s + [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")] + [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] +''' [[rule.threat]] diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index f492ba75def..811b161897b 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -14,7 +12,14 @@ shared modules to execute malicious payloads by instructing the Windows module l paths. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Execution via local SxS Shared Module" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 1e94cbd2b8d..39c42b1c4ee 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -27,35 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Suspicious Cmd Execution via WMI" -references = [ - "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", - "https://www.elastic.co/security-labs/operation-bleeding-bear", -] -risk_score = 47 -rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and - process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -91,6 +60,35 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. - Enhance monitoring and logging for WMI activities across the network to detect similar threats in the future, ensuring that logs are retained for an adequate period for forensic purposes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" +references = [ + "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", + "https://www.elastic.co/security-labs/operation-bleeding-bear", +] +risk_score = 47 +rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and + process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>") +''' [[rule.threat]] diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index be4da0bf53a..5307e44e473 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -18,39 +16,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_ language = "eql" license = "Elastic License v2" name = "Suspicious WMI Image Load from MS Office" -references = [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", -] -risk_score = 21 -rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -any where host.os.type == "windows" and - (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and - process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and - (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -85,6 +50,39 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Restore the system from a known good backup if malicious activity has compromised system integrity or data. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for WMI activity and Microsoft Office processes to detect similar threats in the future.""" +references = [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", +] +risk_score = 21 +rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d" +setup = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and + (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") +''' [[rule.threat]] 
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index 20a79ff7b30..c816d82ecd2 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index ba63a982901..92c0ecf7056 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies suspicious psexec activity which is executing from the psexec service evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Process Execution via Renamed PsExec Executable" diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 7e4d4e6316e..15d381da770 100644 --- a/rules/windows/execution_via_compiled_html_file.toml 
+++ b/rules/windows/execution_via_compiled_html_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 0ce73c893f8..df930dae4f7 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,14 @@ Detects when the Console Window Host (conhost.exe) process is spawned by a suspi indicative of code injection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Conhost Spawned By Suspicious Parent Process" diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml index 3dbd41d9eeb..4b7a69d316b 100644 --- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml 
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml @@ -2,15 +2,13 @@ creation_date = "2024/06/19" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use -MSC files for initial access and execution. +Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for +initial access and execution. """ from = "now-9m" index = [ 
@@ -27,6 +25,40 @@ index = [ language = "eql" license = "Elastic License v2" name = "Microsoft Management Console File from Unusual Path" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Microsoft Management Console File from Unusual Path + +Microsoft Management Console (MMC) is a Windows utility that provides a framework for system management. Adversaries may exploit MMC by executing .msc files from non-standard directories to bypass security controls. The detection rule identifies such anomalies by monitoring the execution of mmc.exe with .msc files from untrusted paths, flagging potential unauthorized access or execution attempts. + +### Possible investigation steps + +- Review the process execution details to confirm the path of the mmc.exe and the .msc file being executed. Check if the path is indeed non-standard or untrusted as per the query criteria. +- Investigate the origin of the .msc file by examining file creation and modification timestamps, and check for any recent changes or unusual activity in the directory where the file resides. +- Analyze the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious. +- Check for any related alerts or logs around the same timeframe that might indicate lateral movement or other malicious activities, such as unusual network connections or file access patterns. +- Correlate the event with other data sources mentioned in the rule, such as Microsoft Defender for Endpoint or Crowdstrike, to gather additional context or corroborating evidence of potential malicious activity. 
+- Assess the risk and impact of the execution by determining if the .msc file has any known malicious signatures or if it attempts to perform unauthorized actions on the system. + +### False positive analysis + +- Legitimate administrative tasks may trigger this rule if system administrators execute .msc files from custom directories. To manage this, create exceptions for known administrative scripts or tools that are regularly used from non-standard paths. +- Software installations or updates might involve executing .msc files from temporary or installation directories. Monitor these activities and whitelist specific installation paths if they are verified as safe and part of routine operations. +- Automated scripts or third-party management tools could execute .msc files from non-standard locations as part of their normal operation. Identify these tools and add their execution paths to the exception list to prevent unnecessary alerts. +- Development or testing environments may involve running .msc files from various directories for testing purposes. Establish a separate monitoring policy for these environments or exclude known development paths to reduce false positives. + +### Response and remediation + +- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes related to mmc.exe executing from untrusted paths to halt potential malicious activity. +- Conduct a thorough review of the system's recent activity logs to identify any additional indicators of compromise or related suspicious activities. +- Remove any unauthorized .msc files found in non-standard directories and ensure they are not reintroduced. +- Restore the system from a known good backup if any unauthorized changes or damage is detected. +- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = ["https://www.elastic.co/security-labs/grimresource"] risk_score = 73 rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853" 
@@ -62,50 +94,14 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Program Files (x86)\\*.msc" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Microsoft Management Console File from Unusual Path - -Microsoft Management Console (MMC) is a Windows utility that provides a framework for system management. Adversaries may exploit MMC by executing .msc files from non-standard directories to bypass security controls. The detection rule identifies such anomalies by monitoring the execution of mmc.exe with .msc files from untrusted paths, flagging potential unauthorized access or execution attempts. - -### Possible investigation steps - -- Review the process execution details to confirm the path of the mmc.exe and the .msc file being executed. Check if the path is indeed non-standard or untrusted as per the query criteria. -- Investigate the origin of the .msc file by examining file creation and modification timestamps, and check for any recent changes or unusual activity in the directory where the file resides. -- Analyze the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious. -- Check for any related alerts or logs around the same timeframe that might indicate lateral movement or other malicious activities, such as unusual network connections or file access patterns. -- Correlate the event with other data sources mentioned in the rule, such as Microsoft Defender for Endpoint or Crowdstrike, to gather additional context or corroborating evidence of potential malicious activity. 
-- Assess the risk and impact of the execution by determining if the .msc file has any known malicious signatures or if it attempts to perform unauthorized actions on the system. - -### False positive analysis - -- Legitimate administrative tasks may trigger this rule if system administrators execute .msc files from custom directories. To manage this, create exceptions for known administrative scripts or tools that are regularly used from non-standard paths. -- Software installations or updates might involve executing .msc files from temporary or installation directories. Monitor these activities and whitelist specific installation paths if they are verified as safe and part of routine operations. -- Automated scripts or third-party management tools could execute .msc files from non-standard locations as part of their normal operation. Identify these tools and add their execution paths to the exception list to prevent unnecessary alerts. -- Development or testing environments may involve running .msc files from various directories for testing purposes. Establish a separate monitoring policy for these environments or exclude known development paths to reduce false positives. - -### Response and remediation - -- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious processes related to mmc.exe executing from untrusted paths to halt potential malicious activity. -- Conduct a thorough review of the system's recent activity logs to identify any additional indicators of compromise or related suspicious activities. -- Remove any unauthorized .msc files found in non-standard directories and ensure they are not reintroduced. -- Restore the system from a known good backup if any unauthorized changes or damage is detected. -- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" @@ -116,12 +112,12 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml index b3c492dadc3..6e99cf8ed47 100644 --- a/rules/windows/execution_windows_cmd_shell_susp_args.toml +++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml @@ -2,15 +2,13 @@ creation_date = "2024/09/06" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is -often observed during malware installation. +Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior +is often observed during malware installation. """ from = "now-9m" index = [ 
@@ -24,6 +22,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Suspicious Windows Command Shell Arguments" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Windows Command Shell Arguments + +The Windows Command Shell (cmd.exe) is a critical component for executing commands and scripts. Adversaries exploit it to execute malicious scripts, download payloads, or manipulate system settings. The detection rule identifies unusual command-line arguments and patterns indicative of such abuse, filtering out known benign processes to minimize false positives. This helps in early detection of potential threats by monitoring for suspicious command executions. + +### Possible investigation steps + +- Review the command line arguments associated with the cmd.exe process to identify any suspicious patterns or keywords such as "curl", "regsvr32", "wscript", or "Invoke-WebRequest" that may indicate malicious activity. +- Check the parent process of the cmd.exe execution to determine if it is a known benign process or if it is associated with potentially malicious activity, especially if the parent process is explorer.exe or other unusual executables. +- Investigate the user account associated with the cmd.exe process to determine if the activity aligns with the user's typical behavior or if it appears anomalous. +- Examine the network activity of the host to identify any unusual outbound connections or data transfers that may correlate with the suspicious command execution. 
+- Cross-reference the alert with other security logs or alerts from tools like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and corroborate findings. +- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate response actions are necessary. + +### False positive analysis + +- Processes related to Spiceworks and wmiprvse.exe can trigger false positives. Exclude these by adding exceptions for process arguments containing "%TEMP%\\\\Spiceworks\\\\*" when the parent process is wmiprvse.exe. +- Development tools like Perl, Node.js, and NetBeans may cause false alerts. Exclude these by specifying their executable paths in the exception list. +- Citrix Secure Access Client initiated by userinit.exe can be a false positive. Exclude this by adding an exception for process arguments containing "?:\\\\Program Files\\\\Citrix\\\\Secure Access Client\\\\nsauto.exe" with the parent process name as userinit.exe. +- Scheduled tasks or services like PCPitstopScheduleService.exe may trigger alerts. Exclude these by adding their paths to the exception list. +- Command-line operations involving npm or Maven commands can be benign. Exclude these by specifying command-line patterns like "\\"cmd\\" /c %NETBEANS_MAVEN_COMMAND_LINE%" in the exception list. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of potential malware or unauthorized access. +- Terminate any suspicious cmd.exe processes identified by the detection rule to halt malicious activity. +- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts. +- Review and restore any altered system settings or configurations to their original state to ensure system integrity. 
+- Analyze the command-line arguments and parent processes involved in the alert to understand the scope and origin of the threat, and identify any additional compromised systems. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary. +- Implement additional monitoring and detection rules to identify similar suspicious command-line activities in the future, enhancing the organization's ability to detect and respond to such threats promptly.""" risk_score = 73 rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf" severity = "high" 
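Review bot: The Spiceworks bullet under "False positive analysis" tells analysts to add an exception keyed on the parent process wmiprvse.exe, while the query tail visible in the next hunk already carries `not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data")`, an argument-keyed exclusion; the guide and the query should agree, or the guide should say a built-in exclusion exists and describe only the remaining gap. The note is moved rather than rewritten here, so this is pre-existing text, and the full query is not visible in this hunk, so an earlier parent-name clause may exist. The same move is made for powershell_susp_args and exfiltration_smb_rare_destination.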
@@ -105,41 +138,6 @@ process where host.os.type == "windows" and event.type == "start" and not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Windows Command Shell Arguments - -The Windows Command Shell (cmd.exe) is a critical component for executing commands and scripts. Adversaries exploit it to execute malicious scripts, download payloads, or manipulate system settings. The detection rule identifies unusual command-line arguments and patterns indicative of such abuse, filtering out known benign processes to minimize false positives. This helps in early detection of potential threats by monitoring for suspicious command executions. - -### Possible investigation steps - -- Review the command line arguments associated with the cmd.exe process to identify any suspicious patterns or keywords such as "curl", "regsvr32", "wscript", or "Invoke-WebRequest" that may indicate malicious activity. -- Check the parent process of the cmd.exe execution to determine if it is a known benign process or if it is associated with potentially malicious activity, especially if the parent process is explorer.exe or other unusual executables. -- Investigate the user account associated with the cmd.exe process to determine if the activity aligns with the user's typical behavior or if it appears anomalous. 
-- Examine the network activity of the host to identify any unusual outbound connections or data transfers that may correlate with the suspicious command execution. -- Cross-reference the alert with other security logs or alerts from tools like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and corroborate findings. -- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate response actions are necessary. - -### False positive analysis - -- Processes related to Spiceworks and wmiprvse.exe can trigger false positives. Exclude these by adding exceptions for process arguments containing "%TEMP%\\\\Spiceworks\\\\*" when the parent process is wmiprvse.exe. -- Development tools like Perl, Node.js, and NetBeans may cause false alerts. Exclude these by specifying their executable paths in the exception list. -- Citrix Secure Access Client initiated by userinit.exe can be a false positive. Exclude this by adding an exception for process arguments containing "?:\\\\Program Files\\\\Citrix\\\\Secure Access Client\\\\nsauto.exe" with the parent process name as userinit.exe. -- Scheduled tasks or services like PCPitstopScheduleService.exe may trigger alerts. Exclude these by adding their paths to the exception list. -- Command-line operations involving npm or Maven commands can be benign. Exclude these by specifying command-line patterns like "\\"cmd\\" /c %NETBEANS_MAVEN_COMMAND_LINE%" in the exception list. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of potential malware or unauthorized access. -- Terminate any suspicious cmd.exe processes identified by the detection rule to halt malicious activity. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts. 
-- Review and restore any altered system settings or configurations to their original state to ensure system integrity. -- Analyze the command-line arguments and parent processes involved in the alert to understand the scope and origin of the threat, and identify any additional compromised systems. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary. -- Implement additional monitoring and detection rules to identify similar suspicious command-line activities in the future, enhancing the organization's ability to detect and respond to such threats promptly.""" [[rule.threat]] @@ -159,3 +157,4 @@ reference = "https://attack.mitre.org/techniques/T1059/003/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml index 243c923f96d..0cefae3c36a 100644 --- a/rules/windows/execution_windows_powershell_susp_args.toml +++ b/rules/windows/execution_windows_powershell_susp_args.toml @@ -2,9 +2,7 @@ creation_date = "2024/09/06" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -25,6 +23,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Suspicious Windows Powershell Arguments" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Windows Powershell Arguments + +PowerShell is a powerful scripting language and command-line shell used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell's capabilities to execute malicious scripts, download payloads, and obfuscate commands. The detection rule identifies unusual PowerShell arguments indicative of such abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques, thereby flagging potential threats for further investigation. + +### Possible investigation steps + +- Review the process command line and arguments to identify any encoded or obfuscated content, such as Base64 strings or unusual character sequences, which may indicate malicious intent. +- Check the parent process of the PowerShell execution, especially if it is explorer.exe or cmd.exe, to determine if the PowerShell instance was launched from a suspicious or unexpected source. +- Investigate any network activity associated with the PowerShell process, particularly looking for connections to known malicious domains or IP addresses, or the use of suspicious commands like DownloadFile or DownloadString. +- Examine the user account associated with the PowerShell execution to determine if it aligns with expected behavior or if it might be compromised. +- Correlate the event with other security alerts or logs from the same host or user to identify patterns or additional indicators of compromise. 
+- Assess the risk and impact of the detected activity by considering the context of the environment, such as the presence of sensitive data or critical systems that might be affected. + +### False positive analysis + +- Legitimate administrative scripts may use encoded commands for obfuscation to protect sensitive data. Review the script's source and purpose to determine if it is authorized. If confirmed, add the script's hash or specific command pattern to an allowlist. +- Automated software deployment tools might use PowerShell to download and execute scripts from trusted internal sources. Verify the source and destination of the download. If legitimate, exclude the specific tool or process from the detection rule. +- System maintenance tasks often involve PowerShell scripts that manipulate files or system settings. Identify routine maintenance scripts and exclude their specific command patterns or file paths from triggering the rule. +- Security software may use PowerShell for scanning or remediation tasks, which can mimic suspicious behavior. Confirm the software's legitimacy and add its processes to an exception list to prevent false alerts. +- Developers might use PowerShell for testing or development purposes, which can include obfuscation techniques. Validate the developer's activities and exclude their specific development environments or scripts from the rule. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities. +- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or scripts. 
+- Review and clean up any unauthorized changes to system configurations or scheduled tasks that may have been altered by the malicious PowerShell activity. +- Restore any affected files or system components from known good backups to ensure system integrity and functionality. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. +- Implement additional monitoring and logging for PowerShell activities across the network to enhance detection of similar threats in the future.""" risk_score = 73 rule_id = "83bf249e-4348-47ba-9741-1202a09556ad" severity = "high" 
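Review bot: The first "False positive analysis" bullet says administrative scripts use encoded commands "to protect sensitive data"; Base64 encoding offers no protection and is decoded trivially, so the wording gives analysts a wrong reason to accept it. Suggested rewording: `- Legitimate administrative scripts may use encoded commands to avoid quoting and escaping issues, not to protect data. Decode the command, review the script's source and purpose, and if authorized add the script's hash or specific command pattern to an allowlist.` The text is moved rather than changed by this hunk, so the correction can land in a follow-up.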
@@ -107,41 +140,6 @@ process where host.os.type == "windows" and event.type == "start" and process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*")) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Windows Powershell Arguments - -PowerShell is a powerful scripting language and command-line shell used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell's capabilities to execute malicious scripts, download payloads, and obfuscate commands. The detection rule identifies unusual PowerShell arguments indicative of such abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques, thereby flagging potential threats for further investigation. - -### Possible investigation steps - -- Review the process command line and arguments to identify any encoded or obfuscated content, such as Base64 strings or unusual character sequences, which may indicate malicious intent. -- Check the parent process of the PowerShell execution, especially if it is explorer.exe or cmd.exe, to determine if the PowerShell instance was launched from a suspicious or unexpected source. -- Investigate any network activity associated with the PowerShell process, particularly looking for connections to known malicious domains or IP addresses, or the use of suspicious commands like DownloadFile or DownloadString. -- Examine the user account associated with the PowerShell execution to determine if it aligns with expected behavior or if it might be compromised. 
-- Correlate the event with other security alerts or logs from the same host or user to identify patterns or additional indicators of compromise. -- Assess the risk and impact of the detected activity by considering the context of the environment, such as the presence of sensitive data or critical systems that might be affected. - -### False positive analysis - -- Legitimate administrative scripts may use encoded commands for obfuscation to protect sensitive data. Review the script's source and purpose to determine if it is authorized. If confirmed, add the script's hash or specific command pattern to an allowlist. -- Automated software deployment tools might use PowerShell to download and execute scripts from trusted internal sources. Verify the source and destination of the download. If legitimate, exclude the specific tool or process from the detection rule. -- System maintenance tasks often involve PowerShell scripts that manipulate files or system settings. Identify routine maintenance scripts and exclude their specific command patterns or file paths from triggering the rule. -- Security software may use PowerShell for scanning or remediation tasks, which can mimic suspicious behavior. Confirm the software's legitimacy and add its processes to an exception list to prevent false alerts. -- Developers might use PowerShell for testing or development purposes, which can include obfuscation techniques. Validate the developer's activities and exclude their specific development environments or scripts from the rule. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities. 
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or scripts. -- Review and clean up any unauthorized changes to system configurations or scheduled tasks that may have been altered by the malicious PowerShell activity. -- Restore any affected files or system components from known good backups to ensure system integrity and functionality. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. -- Implement additional monitoring and logging for PowerShell activities across the network to enhance detection of similar threats in the future.""" [[rule.threat]] @@ -161,3 +159,4 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 68dd5e0a326..1e007cf4c87 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml @@ -2,9 +2,7 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -24,6 +22,41 @@ index = [ language = "kuery" license = "Elastic License v2" name = "Rare SMB Connection to the Internet" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Rare SMB Connection to the Internet + +Server Message Block (SMB) is a protocol used for sharing files and printers within a network. Adversaries exploit SMB to exfiltrate data by injecting rogue paths to capture NTLM credentials. The detection rule identifies unusual SMB traffic from internal IPs to external networks, flagging potential exfiltration attempts by monitoring specific ports and excluding known safe IP ranges. + +### Possible investigation steps + +- Review the alert details to identify the internal source IP address involved in the SMB connection and verify if it belongs to a known or authorized device within the organization. +- Check the destination IP address to determine if it is associated with any known malicious activity or if it belongs to an external network that should not be receiving SMB traffic from internal systems. +- Investigate the process with PID 4 on the source host, which typically corresponds to the Windows System process, to identify any unusual activity or recent changes that could indicate compromise or misuse. +- Analyze network logs to trace the SMB traffic flow and identify any patterns or additional connections that may suggest data exfiltration attempts. +- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and determine if this is part of a larger attack campaign. 
+- Consult with the IT or network team to verify if there are any legitimate business reasons for the detected SMB traffic to the external network, and if not, consider blocking the connection and conducting a deeper investigation into the source host. + +### False positive analysis + +- Internal network scanning tools may trigger alerts if they simulate SMB traffic to external IPs. Exclude IPs associated with these tools from the rule to prevent false positives. +- Legitimate business applications that require SMB connections to external cloud services might be flagged. Identify and whitelist these specific external IPs or domains to avoid unnecessary alerts. +- Backup solutions that use SMB for data transfer to offsite locations can be mistaken for exfiltration attempts. Ensure these backup service IPs are added to the exception list. +- Misconfigured network devices that inadvertently route SMB traffic externally could cause false alerts. Regularly audit and correct device configurations to minimize these occurrences. +- Security testing or penetration testing activities might generate SMB traffic to external IPs. Coordinate with security teams to temporarily disable the rule or add exceptions during testing periods. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further data exfiltration or lateral movement. +- Conduct a thorough review of the host's network connections and processes to identify any unauthorized SMB traffic or suspicious activities. +- Reset credentials for any accounts that may have been exposed or compromised, focusing on those with elevated privileges. +- Apply patches and updates to the affected system and any other vulnerable systems to mitigate known SMB vulnerabilities. +- Implement network segmentation to limit SMB traffic to only necessary internal communications, reducing the risk of external exposure. 
+- Enhance monitoring and logging for SMB traffic, particularly for connections to external IPs, to detect and respond to future anomalies more effectively. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"] risk_score = 47 rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec" 
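Review bot: The last "False positive analysis" bullet suggests temporarily disabling the rule during penetration tests; disabling removes coverage for every host, whereas an exception scoped to the testers' source addresses and the engagement window keeps the rule active. Suggested wording: `- Security testing or penetration testing activities might generate SMB traffic to external IPs. Coordinate with security teams to add a time-bound exception for the testers' source IPs rather than disabling the rule.` The text is unchanged by the move in this hunk.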
@@ -80,41 +113,6 @@ event.category:network and host.os.type:windows and process.pid:4 and "FF00::/8" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Rare SMB Connection to the Internet - -Server Message Block (SMB) is a protocol used for sharing files and printers within a network. Adversaries exploit SMB to exfiltrate data by injecting rogue paths to capture NTLM credentials. The detection rule identifies unusual SMB traffic from internal IPs to external networks, flagging potential exfiltration attempts by monitoring specific ports and excluding known safe IP ranges. - -### Possible investigation steps - -- Review the alert details to identify the internal source IP address involved in the SMB connection and verify if it belongs to a known or authorized device within the organization. -- Check the destination IP address to determine if it is associated with any known malicious activity or if it belongs to an external network that should not be receiving SMB traffic from internal systems. -- Investigate the process with PID 4 on the source host, which typically corresponds to the Windows System process, to identify any unusual activity or recent changes that could indicate compromise or misuse. -- Analyze network logs to trace the SMB traffic flow and identify any patterns or additional connections that may suggest data exfiltration attempts. -- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and determine if this is part of a larger attack campaign. 
-- Consult with the IT or network team to verify if there are any legitimate business reasons for the detected SMB traffic to the external network, and if not, consider blocking the connection and conducting a deeper investigation into the source host. - -### False positive analysis - -- Internal network scanning tools may trigger alerts if they simulate SMB traffic to external IPs. Exclude IPs associated with these tools from the rule to prevent false positives. -- Legitimate business applications that require SMB connections to external cloud services might be flagged. Identify and whitelist these specific external IPs or domains to avoid unnecessary alerts. -- Backup solutions that use SMB for data transfer to offsite locations can be mistaken for exfiltration attempts. Ensure these backup service IPs are added to the exception list. -- Misconfigured network devices that inadvertently route SMB traffic externally could cause false alerts. Regularly audit and correct device configurations to minimize these occurrences. -- Security testing or penetration testing activities might generate SMB traffic to external IPs. Coordinate with security teams to temporarily disable the rule or add exceptions during testing periods. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further data exfiltration or lateral movement. -- Conduct a thorough review of the host's network connections and processes to identify any unauthorized SMB traffic or suspicious activities. -- Reset credentials for any accounts that may have been exposed or compromised, focusing on those with elevated privileges. -- Apply patches and updates to the affected system and any other vulnerable systems to mitigate known SMB vulnerabilities. -- Implement network segmentation to limit SMB traffic to only necessary internal communications, reducing the risk of external exposure. 
-- Enhance monitoring and logging for SMB traffic, particularly for connections to external IPs, to detect and respond to future anomalies more effectively. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index 1e0c2a2c735..a1f0d3d8726 100644 --- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/01" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml index ef7a9c714fb..a676aad0563 100644 --- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index f7f1fab038e..78cbf5a0c61 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/05/03" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml index ca19fcf0a17..14850280d25 100644 --- a/rules/windows/impact_modification_of_boot_config.toml +++ b/rules/windows/impact_modification_of_boot_config.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/16" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index e0b021c713f..690a472b1d4 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/12/03" integration = ["endpoint", "windows", "system"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index 9e46ab442d5..f6f73d4389c 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 7128d3f9782..073eef3b42a 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 69440e7f126..3298b577ca8 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
index c0d363686dd..32b832e9323 100644
--- a/rules/windows/initial_access_execution_from_inetcache.toml
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/02/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,41 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution from INET Cache"
-references = [
- "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
-]
-risk_score = 73
-rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Command and Control",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
- (
- process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
- process.executable : (
- "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
- "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
- )
- )
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -97,6 +60,41 @@ The INetCache folder stores temporary internet files, which can be exploited by
 - Review and analyze recent email logs and web browsing history to identify potential phishing attempts or malicious downloads that may have led to the initial compromise.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for the INetCache directory and related processes to detect similar threats in the future."""
+references = [
+ "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
+]
+risk_score = 73
+rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
+ (
+ process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
+ process.executable : (
+ "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
+ "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
+ )
+ )
+'''
 [[rule.threat]]
diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml
index 153315f0ba3..ce76d88f67f 100644
--- a/rules/windows/initial_access_execution_via_office_addins.toml
+++ b/rules/windows/initial_access_execution_via_office_addins.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/03/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,10 +11,51 @@ Identifies execution of common Microsoft Office applications to launch an Office
 an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Microsoft Office Add-Ins"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Execution via Microsoft Office Add-Ins
+
+Microsoft Office Add-Ins enhance productivity by integrating additional features into Office applications. However, adversaries can exploit this by embedding malicious code within add-ins, often delivered through phishing. The detection rule identifies unusual execution patterns, such as Office apps launching add-ins from suspicious paths or with atypical parent processes, signaling potential threats. It filters out known benign activities to minimize false positives, focusing on genuine anomalies indicative of malicious intent.
+
+### Possible investigation steps
+
+- Review the process name and arguments to confirm if the execution involves a Microsoft Office application launching an add-in from a suspicious path, as indicated by the process.name and process.args fields.
+- Check the parent process name to determine if the Office application was launched by an unusual or potentially malicious parent process, such as cmd.exe or powershell.exe, using the process.parent.name field.
+- Investigate the file path from which the add-in was executed to assess if it matches any of the suspicious paths listed in the query, such as the Temp or Downloads directories, using the process.args field.
+- Examine the host's recent activity logs to identify any related events or patterns that might indicate a broader attack or compromise, focusing on the host.os.type and event.type fields.
+- Correlate the alert with any recent phishing attempts or suspicious emails received by the user to determine if the execution is part of a phishing campaign, leveraging the MITRE ATT&CK tactic and technique information provided.
+- Verify if the execution is a false positive by checking against the known benign activities excluded in the query, such as specific VSTOInstaller.exe paths or arguments, to rule out legitimate software installations or updates.
+
+### False positive analysis
+
+- Logitech software installations can trigger false positives when VSTO files are executed by Logitech's PlugInInstallerUtility. To mitigate this, exclude processes with paths related to Logitech installations from the detection rule.
+- The VSTOInstaller.exe process may be flagged when uninstalling applications. Exclude processes with the /Uninstall argument to prevent these false positives.
+- Rundll32.exe executing with specific arguments related to MSI temporary files can be benign. Exclude these specific rundll32.exe executions to avoid false alerts.
+- Sidekick.vsto installations from the specified URL can be legitimate. Exclude this specific VSTOInstaller.exe process with the Sidekick.vsto argument to reduce false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity.
+- Terminate any suspicious processes identified by the detection rule, such as those involving unusual parent processes or originating from suspicious paths.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious add-ins or related malware.
+- Review and clean up any unauthorized or suspicious Office add-ins from the affected applications to ensure no malicious code remains.
+- Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning alone.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents."""
 references = [
 "https://github.com/Octoberfest7/XLL_Phishing",
 "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/",
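Review bot: The false-positive bullets in the added note read as instructions to add new exclusions (`Exclude this specific VSTOInstaller.exe process with the Sidekick.vsto argument`) for activity the query already filters — the next hunk shows `not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")` as existing query context, and the Logitech, `/Uninstall` and rundll32 bullets describe the same kind of pre-existing carve-out. An analyst following the guide literally would add a redundant rule exception or, more likely, a broader one keyed on VSTOInstaller.exe alone. Suggest rewording each bullet as a statement of what the query already suppresses, e.g. `- Sidekick.vsto installs from dl.getsidekick.com are already excluded by the query; if a similar installer alerts, scope any new exception to the exact installer URL or signed path rather than to VSTOInstaller.exe.` The investigation bullet naming `cmd.exe or powershell.exe` as example parents should likewise be tied to whatever parent list the query actually tests, which is not visible in this hunk.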
@@ -82,40 +121,6 @@ process where
 process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
 not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Execution via Microsoft Office Add-Ins
-
-Microsoft Office Add-Ins enhance productivity by integrating additional features into Office applications. However, adversaries can exploit this by embedding malicious code within add-ins, often delivered through phishing. The detection rule identifies unusual execution patterns, such as Office apps launching add-ins from suspicious paths or with atypical parent processes, signaling potential threats. It filters out known benign activities to minimize false positives, focusing on genuine anomalies indicative of malicious intent.
-
-### Possible investigation steps
-
-- Review the process name and arguments to confirm if the execution involves a Microsoft Office application launching an add-in from a suspicious path, as indicated by the process.name and process.args fields.
-- Check the parent process name to determine if the Office application was launched by an unusual or potentially malicious parent process, such as cmd.exe or powershell.exe, using the process.parent.name field.
-- Investigate the file path from which the add-in was executed to assess if it matches any of the suspicious paths listed in the query, such as the Temp or Downloads directories, using the process.args field.
-- Examine the host's recent activity logs to identify any related events or patterns that might indicate a broader attack or compromise, focusing on the host.os.type and event.type fields.
-- Correlate the alert with any recent phishing attempts or suspicious emails received by the user to determine if the execution is part of a phishing campaign, leveraging the MITRE ATT&CK tactic and technique information provided.
-- Verify if the execution is a false positive by checking against the known benign activities excluded in the query, such as specific VSTOInstaller.exe paths or arguments, to rule out legitimate software installations or updates.
-
-### False positive analysis
-
-- Logitech software installations can trigger false positives when VSTO files are executed by Logitech's PlugInInstallerUtility. To mitigate this, exclude processes with paths related to Logitech installations from the detection rule.
-- The VSTOInstaller.exe process may be flagged when uninstalling applications. Exclude processes with the /Uninstall argument to prevent these false positives.
-- Rundll32.exe executing with specific arguments related to MSI temporary files can be benign. Exclude these specific rundll32.exe executions to avoid false alerts.
-- Sidekick.vsto installations from the specified URL can be legitimate. Exclude this specific VSTOInstaller.exe process with the Sidekick.vsto argument to reduce false positives.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity.
-- Terminate any suspicious processes identified by the detection rule, such as those involving unusual parent processes or originating from suspicious paths.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious add-ins or related malware.
-- Review and clean up any unauthorized or suspicious Office add-ins from the affected applications to ensure no malicious code remains.
-- Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning alone.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents."""
 [[rule.threat]]
diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
index e1355901be6..c85bc4e1719 100644
--- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
+++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2023/03/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -24,32 +22,6 @@ index = [
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen Removable Device"
-references = [
- "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
- "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings",
-]
-risk_score = 21
-rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Exfiltration",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "new_terms"
-
-query = '''
-event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR*
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -84,6 +56,32 @@ Removable devices, like USB drives, are common in Windows environments for data
 - Notify the security team and relevant stakeholders about the incident, providing details of the device and any identified threats.
 - Implement a temporary block on the use of removable devices across the network until the threat is fully contained and remediated.
 - Enhance monitoring and detection capabilities by updating security tools and rules to better identify similar threats in the future, focusing on registry changes and device connections."""
+references = [
+ "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
+ "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings",
+]
+risk_score = 21
+rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Exfiltration",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR*
+'''
 [[rule.threat]]
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
index e5635dbfb0b..61e732cb424 100644
--- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -32,6 +30,41 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious JetBrains TeamCity Child Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious JetBrains TeamCity Child Process
+
+JetBrains TeamCity is a continuous integration and deployment server used to automate software development processes. Adversaries may exploit vulnerabilities in TeamCity to execute unauthorized code, potentially spawning malicious child processes. The detection rule identifies unusual child processes initiated by TeamCity's Java executable, flagging potential exploitation attempts by monitoring for known suspicious executables, while excluding legitimate operations.
+
+### Possible investigation steps
+
+- Review the process tree to identify the parent and child processes associated with the suspicious activity, focusing on the parent executable paths like "?:\\TeamCity\\jre\\bin\\java.exe".
+- Examine the command-line arguments of the suspicious child processes, especially those involving "cmd.exe" or "powershell.exe", to understand the actions being executed.
+- Check for any recent vulnerabilities or patches related to JetBrains TeamCity that might explain the suspicious behavior.
+- Investigate the user account under which the suspicious processes were executed to determine if it aligns with expected usage patterns or if it indicates potential compromise.
+- Correlate the alert with other security events or logs from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activity or indicators of compromise.
+- Assess network activity from the host to detect any unusual outbound connections that might suggest data exfiltration or communication with a command and control server.
+
+### False positive analysis
+
+- Legitimate build scripts may invoke command-line utilities like cmd.exe or powershell.exe. To handle these, create exceptions for specific scripts by matching known safe arguments or paths.
+- Automated tasks or maintenance scripts might use network utilities such as ping.exe or netstat.exe. Exclude these by identifying and allowing specific scheduled tasks or maintenance windows.
+- System monitoring tools could trigger processes like tasklist.exe or systeminfo.exe. Whitelist these tools by verifying their source and ensuring they are part of authorized monitoring solutions.
+- Development or testing environments may frequently use utilities like explorer.exe or control.exe. Establish exceptions for these environments by defining specific hostnames or IP ranges where such activity is expected.
+- Custom scripts or applications might use msiexec.exe for legitimate software installations. Allow these by confirming the source and purpose of the installations, and excluding them based on known safe paths or signatures.
+
+### Response and remediation
+
+- Immediately isolate the affected TeamCity server from the network to prevent further unauthorized access or lateral movement.
+- Terminate any suspicious child processes identified by the detection rule, such as cmd.exe or powershell.exe, to halt potential malicious activities.
+- Conduct a thorough review of recent changes and deployments in TeamCity to identify any unauthorized modifications or suspicious activities.
+- Apply the latest security patches and updates to TeamCity and its underlying Java runtime environment to mitigate known vulnerabilities.
+- Restore the affected system from a clean backup taken before the suspicious activity was detected, ensuring no remnants of the exploit remain.
+- Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on the indicators identified in the detection rule.
+- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures."""
 references = [
 "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html",
 ]
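Review bot: The false-positive guidance in the added note recommends exceptions `by defining specific hostnames or IP ranges where such activity is expected`, which for a rule keyed on child processes of TeamCity's java.exe would switch detection off on exactly the build servers an exploit lands on. The exclusions the query already carries (visible as context in the next hunk, e.g. `not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1")`) are scoped to child name plus arguments, and the guide should steer analysts the same way. Suggest replacing that bullet with `- Development or testing environments may legitimately spawn explorer.exe or control.exe from build steps; scope any exception to the exact child process name and arguments observed rather than to whole hosts or IP ranges, so the server itself stays covered.` The remediation list also places `Restore the affected system from a clean backup` after `Apply the latest security patches`; since a restore brings back the pre-patch TeamCity, it is worth stating that the patch must be re-applied after the restore and before the server is reconnected.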
@@ -73,41 +106,6 @@ process where host.os.type == "windows" and event.type == "start" and
 not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
 not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious JetBrains TeamCity Child Process
-
-JetBrains TeamCity is a continuous integration and deployment server used to automate software development processes. Adversaries may exploit vulnerabilities in TeamCity to execute unauthorized code, potentially spawning malicious child processes. The detection rule identifies unusual child processes initiated by TeamCity's Java executable, flagging potential exploitation attempts by monitoring for known suspicious executables, while excluding legitimate operations.
-
-### Possible investigation steps
-
-- Review the process tree to identify the parent and child processes associated with the suspicious activity, focusing on the parent executable paths like "?:\\TeamCity\\jre\\bin\\java.exe".
-- Examine the command-line arguments of the suspicious child processes, especially those involving "cmd.exe" or "powershell.exe", to understand the actions being executed.
-- Check for any recent vulnerabilities or patches related to JetBrains TeamCity that might explain the suspicious behavior.
-- Investigate the user account under which the suspicious processes were executed to determine if it aligns with expected usage patterns or if it indicates potential compromise.
-- Correlate the alert with other security events or logs from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activity or indicators of compromise.
-- Assess network activity from the host to detect any unusual outbound connections that might suggest data exfiltration or communication with a command and control server.
-
-### False positive analysis
-
-- Legitimate build scripts may invoke command-line utilities like cmd.exe or powershell.exe. To handle these, create exceptions for specific scripts by matching known safe arguments or paths.
-- Automated tasks or maintenance scripts might use network utilities such as ping.exe or netstat.exe. Exclude these by identifying and allowing specific scheduled tasks or maintenance windows.
-- System monitoring tools could trigger processes like tasklist.exe or systeminfo.exe. Whitelist these tools by verifying their source and ensuring they are part of authorized monitoring solutions.
-- Development or testing environments may frequently use utilities like explorer.exe or control.exe. Establish exceptions for these environments by defining specific hostnames or IP ranges where such activity is expected.
-- Custom scripts or applications might use msiexec.exe for legitimate software installations. Allow these by confirming the source and purpose of the installations, and excluding them based on known safe paths or signatures.
-
-### Response and remediation
-
-- Immediately isolate the affected TeamCity server from the network to prevent further unauthorized access or lateral movement.
-- Terminate any suspicious child processes identified by the detection rule, such as cmd.exe or powershell.exe, to halt potential malicious activities.
-- Conduct a thorough review of recent changes and deployments in TeamCity to identify any unauthorized modifications or suspicious activities.
-- Apply the latest security patches and updates to TeamCity and its underlying Java runtime environment to mitigate known vulnerabilities.
-- Restore the affected system from a clean backup taken before the suspicious activity was detected, ensuring no remnants of the exploit remain.
-- Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on the indicators identified in the detection rule.
-- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures."""
 [[rule.threat]]
diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml
index f0bf748ded6..a3c9158255d 100644
--- a/rules/windows/initial_access_rdp_file_mail_attachment.toml
+++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml
@@ -2,14 +2,13 @@
 creation_date = "2024/11/05"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial access.
+Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial
+access.
 """
 from = "now-9m"
 index = [
@@ -25,41 +24,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Desktop File Opened from Suspicious Path"
-references = [
- "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
- "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
- "https://shorsec.io/blog/malrdp-implementing-rouge-rdp-manually/",
-]
-risk_score = 47
-rule_id = "f401a0e3-5eeb-4591-969a-f435488e7d12"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Command and Control",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.name : "mstsc.exe" and
- process.args : ("?:\\Users\\*\\Downloads\\*.rdp",
- "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.rdp",
- "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.rdp",
- "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*.rdp",
- "?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*.rdp",
- "C:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -95,6 +59,41 @@ Remote Desktop Protocol (RDP) allows users to connect to and control a computer
 - Reset credentials for any accounts that were used to open the suspicious RDP files, ensuring that new passwords are strong and unique.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
 - Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more effectively in the future."""
+references = [
+ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
+ "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://shorsec.io/blog/malrdp-implementing-rouge-rdp-manually/",
+]
+risk_score = 47
+rule_id = "f401a0e3-5eeb-4591-969a-f435488e7d12"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "mstsc.exe" and
+ process.args : ("?:\\Users\\*\\Downloads\\*.rdp",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.rdp",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.rdp",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*.rdp",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*.rdp",
+ "C:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp")
+'''
 [[rule.threat]]
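Review bot: In the relocated query the last path, `"C:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp"`, hard-codes the drive letter while every other entry in the same `process.args` list uses the `?:` wildcard, so an Outlook-cached `.rdp` opened from a profile that lives on another volume is missed even though the same file in that profile's Downloads folder would match. Change it to `"?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp"` so the list is consistent. The text is pre-existing and this hunk only moves it, but since it is now the line under review the fix is cheap to fold in.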
@@ -114,3 +113,4 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 58ba10b2d4f..7ec8d133027 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,14 @@ Identifies a PowerShell process launched by either cscript.exe or wscript.exe. O executing a PowerShell script, may be indicative of malicious activity. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Windows Script Executing PowerShell" diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 9676c40e1b9..6846a4ea7e0 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml 
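Review bot: The metadata hunk for `initial_access_script_executing_powershell.toml` drops both `min_stack_version = "8.14.0"` and `min_stack_comments` with nothing in the diff recording why the gate is no longer needed; the same removal recurs in the hunks at L2007, L2013, L2014, L2020, L2023, L2024 and L2027. Presumably the floor is being lifted because 8.14 has become the oldest branch the rules are still built for, but that is an inference from the surrounding changes rather than something these hunks state, and once the field is gone nothing in the rule itself prevents it from being packaged for an older stack if one is ever re-added to the build matrix. A short line in the PR description such as `min_stack_version 8.14.0 removed: 8.14 is now the minimum supported branch, so the Windows-integration gate is implicit` would let a future reader tell a deliberate un-gating from an accidental one.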
@@ -2,9 +2,7 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -23,6 +21,40 @@ index = [ language = "eql" license = "Elastic License v2" name = "Windows Script Interpreter Executing Process via WMI" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Windows Script Interpreter Executing Process via WMI + +Windows Management Instrumentation (WMI) is a powerful Windows feature that allows for system management and automation. Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters like cscript.exe or wscript.exe. The detection rule identifies suspicious activity by monitoring for these interpreters executing processes via WMI, especially when initiated by non-system accounts, indicating potential malicious intent. + +### Possible investigation steps + +- Review the alert details to identify the specific script interpreter (cscript.exe or wscript.exe) and the process it executed. Check the process name and executable path for any anomalies or known malicious indicators. +- Examine the user account associated with the process execution. Verify if the user domain is not "NT AUTHORITY" and assess whether the account is expected to perform such actions. Investigate any unusual or unauthorized account activity. +- Investigate the parent process wmiprvse.exe to determine how it was initiated. Look for any preceding suspicious activities or processes that might have triggered the WMI execution. +- Check the system for any additional indicators of compromise, such as unexpected network connections, changes in system configurations, or other alerts related to the same host or user. 
+- Correlate the event with other security logs and alerts to identify any patterns or related incidents that might indicate a broader attack campaign or persistent threat. + +### False positive analysis + +- Legitimate administrative scripts or automation tasks may trigger this rule if they use cscript.exe or wscript.exe via WMI. To handle this, identify and document these scripts, then create exceptions for their specific execution paths or user accounts. +- Software installations or updates that utilize script interpreters through WMI can be mistaken for malicious activity. Monitor and whitelist known installation processes or update mechanisms that are frequently used in your environment. +- Custom applications or internal tools that rely on WMI for process execution might be flagged. Review these applications and exclude their specific process names or executable paths from the rule. +- Scheduled tasks or system maintenance scripts executed by non-system accounts could generate alerts. Verify these tasks and exclude them by specifying the user accounts or domains that are authorized to perform such actions. +- Security tools or monitoring solutions that leverage WMI for legitimate purposes may also be detected. Identify these tools and add them to the exception list based on their process names or executable locations. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further malicious activity and lateral movement. +- Terminate any suspicious processes identified in the alert, such as cscript.exe or wscript.exe, that are running under non-system accounts. +- Conduct a thorough review of the affected host's scheduled tasks, startup items, and services to identify and remove any persistence mechanisms. +- Analyze the parent process wmiprvse.exe and its command-line arguments to understand the scope of the attack and identify any additional compromised systems. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger campaign. +- Implement additional monitoring and alerting for similar activities across the network, focusing on WMI-based script execution and non-standard process launches. +- Review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.""" risk_score = 47 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d" severity = "medium" 
@@ -70,40 +102,6 @@ sequence by host.id with maxspan = 5s ) ] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Windows Script Interpreter Executing Process via WMI - -Windows Management Instrumentation (WMI) is a powerful Windows feature that allows for system management and automation. Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters like cscript.exe or wscript.exe. The detection rule identifies suspicious activity by monitoring for these interpreters executing processes via WMI, especially when initiated by non-system accounts, indicating potential malicious intent. - -### Possible investigation steps - -- Review the alert details to identify the specific script interpreter (cscript.exe or wscript.exe) and the process it executed. Check the process name and executable path for any anomalies or known malicious indicators. -- Examine the user account associated with the process execution. Verify if the user domain is not "NT AUTHORITY" and assess whether the account is expected to perform such actions. Investigate any unusual or unauthorized account activity. -- Investigate the parent process wmiprvse.exe to determine how it was initiated. Look for any preceding suspicious activities or processes that might have triggered the WMI execution. -- Check the system for any additional indicators of compromise, such as unexpected network connections, changes in system configurations, or other alerts related to the same host or user. 
-- Correlate the event with other security logs and alerts to identify any patterns or related incidents that might indicate a broader attack campaign or persistent threat. - -### False positive analysis - -- Legitimate administrative scripts or automation tasks may trigger this rule if they use cscript.exe or wscript.exe via WMI. To handle this, identify and document these scripts, then create exceptions for their specific execution paths or user accounts. -- Software installations or updates that utilize script interpreters through WMI can be mistaken for malicious activity. Monitor and whitelist known installation processes or update mechanisms that are frequently used in your environment. -- Custom applications or internal tools that rely on WMI for process execution might be flagged. Review these applications and exclude their specific process names or executable paths from the rule. -- Scheduled tasks or system maintenance scripts executed by non-system accounts could generate alerts. Verify these tasks and exclude them by specifying the user accounts or domains that are authorized to perform such actions. -- Security tools or monitoring solutions that leverage WMI for legitimate purposes may also be detected. Identify these tools and add them to the exception list based on their process names or executable locations. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further malicious activity and lateral movement. -- Terminate any suspicious processes identified in the alert, such as cscript.exe or wscript.exe, that are running under non-system accounts. -- Conduct a thorough review of the affected host's scheduled tasks, startup items, and services to identify and remove any persistence mechanisms. -- Analyze the parent process wmiprvse.exe and its command-line arguments to understand the scope of the attack and identify any additional compromised systems. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger campaign. -- Implement additional monitoring and alerting for similar activities across the network, focusing on WMI-based script execution and non-standard process launches. -- Review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.""" [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index 07be27f4b51..519fd905a68 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic", "Austin Songer"] @@ -24,7 +22,14 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Server UM Writing Suspicious Files" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml index 2ab66ef3731..170538686b2 100644 
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic", "Austin Songer"] 
@@ -33,6 +31,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Server UM Spawning Suspicious Processes" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Microsoft Exchange Server UM Spawning Suspicious Processes + +Microsoft Exchange Server's Unified Messaging (UM) integrates voice messaging with email, allowing users to access voicemails via their inbox. Adversaries exploit vulnerabilities like CVE-2021-26857 to execute unauthorized processes, potentially leading to system compromise. The detection rule identifies unusual processes initiated by UM services, excluding known legitimate executables, to flag potential exploitation attempts. + +### Possible investigation steps + +- Review the alert details to confirm the process parent name is either "UMService.exe" or "UMWorkerProcess.exe" and verify the process executable path is not among the known legitimate paths listed in the exclusion criteria. +- Gather additional context by checking the process command line arguments and the user account under which the suspicious process was executed to identify any anomalies or unauthorized access. +- Investigate the historical activity of the host by reviewing recent logs for any other unusual or unauthorized processes, especially those related to the Microsoft Exchange Server. +- Check for any recent patches or updates applied to the Microsoft Exchange Server to ensure that vulnerabilities like CVE-2021-26857 have been addressed. 
+- Correlate the alert with other security tools and data sources such as Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or indicators of compromise. +- Assess the network activity from the host to detect any potential lateral movement or data exfiltration attempts that might be associated with the suspicious process. + +### False positive analysis + +- Legitimate UM service updates or patches may trigger the rule. Regularly update the list of known legitimate executables to include new or updated UM service files. +- Custom scripts or monitoring tools that interact with UM services might be flagged. Identify these scripts and add their executables to the exclusion list if they are verified as safe. +- Non-standard installation paths for Exchange Server can cause false positives. Ensure that all legitimate installation paths are included in the exclusion list to prevent unnecessary alerts. +- Administrative tasks performed by IT staff using command-line tools may be misidentified. Document these tasks and consider excluding the associated executables if they are part of routine maintenance. +- Third-party integrations with Exchange Server that spawn processes could be flagged. Verify these integrations and exclude their executables if they are deemed secure and necessary for business operations. + +### Response and remediation + +- Isolate the affected Microsoft Exchange Server from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes identified as being spawned by the UM service that are not part of the known legitimate executables list. +- Apply the latest security patches and updates to the Microsoft Exchange Server to address CVE-2021-26857 and any other known vulnerabilities. +- Conduct a thorough review of the server's security logs and network traffic to identify any additional indicators of compromise or unauthorized access attempts. 
+- Restore the server from a known good backup taken before the suspicious activity was detected, ensuring that the backup is free from compromise. +- Implement enhanced monitoring and alerting for any future suspicious processes spawned by the UM service, using the detection rule as a baseline. +- Escalate the incident to the organization's security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.""" references = [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", 
@@ -83,41 +116,6 @@ process where host.os.type == "windows" and event.type == "start" and "\\Device\\HarddiskVolume?\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Microsoft Exchange Server UM Spawning Suspicious Processes - -Microsoft Exchange Server's Unified Messaging (UM) integrates voice messaging with email, allowing users to access voicemails via their inbox. Adversaries exploit vulnerabilities like CVE-2021-26857 to execute unauthorized processes, potentially leading to system compromise. The detection rule identifies unusual processes initiated by UM services, excluding known legitimate executables, to flag potential exploitation attempts. - -### Possible investigation steps - -- Review the alert details to confirm the process parent name is either "UMService.exe" or "UMWorkerProcess.exe" and verify the process executable path is not among the known legitimate paths listed in the exclusion criteria. -- Gather additional context by checking the process command line arguments and the user account under which the suspicious process was executed to identify any anomalies or unauthorized access. -- Investigate the historical activity of the host by reviewing recent logs for any other unusual or unauthorized processes, especially those related to the Microsoft Exchange Server. -- Check for any recent patches or updates applied to the Microsoft Exchange Server to ensure that vulnerabilities like CVE-2021-26857 have been addressed. 
-- Correlate the alert with other security tools and data sources such as Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or indicators of compromise. -- Assess the network activity from the host to detect any potential lateral movement or data exfiltration attempts that might be associated with the suspicious process. - -### False positive analysis - -- Legitimate UM service updates or patches may trigger the rule. Regularly update the list of known legitimate executables to include new or updated UM service files. -- Custom scripts or monitoring tools that interact with UM services might be flagged. Identify these scripts and add their executables to the exclusion list if they are verified as safe. -- Non-standard installation paths for Exchange Server can cause false positives. Ensure that all legitimate installation paths are included in the exclusion list to prevent unnecessary alerts. -- Administrative tasks performed by IT staff using command-line tools may be misidentified. Document these tasks and consider excluding the associated executables if they are part of routine maintenance. -- Third-party integrations with Exchange Server that spawn processes could be flagged. Verify these integrations and exclude their executables if they are deemed secure and necessary for business operations. - -### Response and remediation - -- Isolate the affected Microsoft Exchange Server from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious processes identified as being spawned by the UM service that are not part of the known legitimate executables list. -- Apply the latest security patches and updates to the Microsoft Exchange Server to address CVE-2021-26857 and any other known vulnerabilities. -- Conduct a thorough review of the server's security logs and network traffic to identify any additional indicators of compromise or unauthorized access attempts. 
-- Restore the server from a known good backup taken before the suspicious activity was detected, ensuring that the backup is free from compromise. -- Implement enhanced monitoring and alerting for any future suspicious processes spawned by the UM service, using the detection rule as a baseline. -- Escalate the incident to the organization's security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.""" [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index 8ed1234cc95..e28f18a8063 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,40 +11,17 @@ Identifies suspicious processes being spawned by the Microsoft Exchange Server w indicate exploitation activity or access to an existing web shell backdoor. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Worker Spawning Suspicious Processes" -references = [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289", -] -risk_score = 73 -rule_id = "f81ee52c-297e-46d9-9205-07e66931df26" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and - (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or - ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -83,6 +58,36 @@ Microsoft Exchange Server uses the worker process (w3wp.exe) to handle web reque - Apply the latest security patches and updates to the Microsoft Exchange Server to mitigate known vulnerabilities and prevent exploitation. - Monitor network traffic and server logs for any signs of continued or attempted exploitation, focusing on unusual outbound connections or repeated access attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" +references = [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289", +] +risk_score = 73 +rule_id = "f81ee52c-297e-46d9-9205-07e66931df26" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and + (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or + ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) +''' [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 98c8386fb66..74d8fad8028 100644 
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index d55d70ce628..c0828b44e66 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -127,7 +125,6 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -150,7 +147,6 @@ reference = "https://attack.mitre.org/techniques/T1059/003/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -159,7 +155,6 @@ name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index c92b3bf2588..7a7e8c67522 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,45 +11,17 @@ Identifies a suspicious Windows explorer child process. Explorer.exe can be abus executables from a trusted parent process. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Explorer Child Process" -risk_score = 47 -rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - ( - process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or - ?process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE") - ) and - /* Explorer started via DCOM */ - process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and - not process.parent.args: - ( - /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */ - "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}", - "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -87,6 +57,41 @@ Windows Explorer, a core component of the Windows OS, manages file and folder na
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
 - Implement additional monitoring and alerting for similar suspicious activities involving explorer.exe to enhance detection capabilities and prevent recurrence.
 - Review and update endpoint security policies to restrict the execution of potentially malicious scripts or executables from explorer.exe, especially when initiated via DCOM."""
+risk_score = 47
+rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (
+ process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or
+ ?process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE")
+ ) and
+ /* Explorer started via DCOM */
+ process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and
+ not process.parent.args:
+ (
+ /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */
+ "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}",
+ "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}"
+ )
+'''
 
 [[rule.threat]]
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
index c3bce1a876a..0c62157581f 100644
--- a/rules/windows/initial_access_webshell_screenconnect_server.toml
+++ b/rules/windows/initial_access_webshell_screenconnect_server.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -27,34 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "ScreenConnect Server Spawning Suspicious Processes"
-references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"]
-risk_score = 73
-rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : "ScreenConnect.Service.exe" and
- (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
- ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -90,6 +60,34 @@ ScreenConnect, a remote support tool, allows administrators to control systems r
 - Apply security patches and updates to the ScreenConnect server and any other vulnerable applications to mitigate exploitation risks.
 - Restore the system from a known good backup if evidence of compromise is confirmed, ensuring that the backup is free from malicious artifacts.
 - Report the incident to the appropriate internal security team or external authorities if required, providing them with detailed findings and evidence for further investigation."""
+references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"]
+risk_score = 73
+rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : "ScreenConnect.Service.exe" and
+ (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
+ ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
+'''
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml
index 2416c2c8949..1e5bd39b62b 100644
--- a/rules/windows/lateral_movement_alternate_creds_pth.toml
+++ b/rules/windows/lateral_movement_alternate_creds_pth.toml
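Review bot: The `?process.pe.original_file_name in (...)` fallback in the re-added ScreenConnect query lists `"cmd.exe"` and `"powershell.exe"` in lower case, while the explorer rule earlier in this change lists the same binaries as `"Cmd.Exe"` and `"PowerShell.EXE"`; EQL `in` compares case-sensitively, so at most one of the two spellings can match what the sensor reports, and whichever rule has the wrong casing silently loses its original-file-name fallback while the `process.name :` branch keeps firing. Either align the casing with the explorer rule or make the comparison case-insensitive, e.g. `?process.pe.original_file_name in~ ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")` where the target stack's EQL supports `in~`. `csc.exe` also appears only in the `process.name` list and not in the fallback; if that asymmetry is deliberate, a one-line `/* csc.exe has no original_file_name fallback on purpose */` comment in the query would save the next reader the question.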
@@ -2,9 +2,7 @@
 creation_date = "2023/03/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,20 +16,6 @@ index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Pass-the-Hash (PtH) Attempt"
-references = ["https://attack.mitre.org/techniques/T1550/002/"]
-risk_score = 47
-rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6"
-severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "new_terms"
-
-query = '''
-host.os.type:"windows" and
-event.category : "authentication" and event.action : "logged-in" and
-winlog.logon.type : "NewCredentials" and event.outcome : "success" and
-user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "seclogo"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -67,6 +51,27 @@ Pass-the-Hash (PtH) is a technique where attackers use stolen password hashes to
 - Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activity or attempts to use stolen hashes.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
 - Implement additional logging and monitoring for the "seclogo" logon process to enhance detection of future pass-the-hash attempts."""
+references = ["https://attack.mitre.org/techniques/T1550/002/"]
+risk_score = 47
+rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+host.os.type:"windows" and
+event.category : "authentication" and event.action : "logged-in" and
+winlog.logon.type : "NewCredentials" and event.outcome : "success" and
+user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "seclogo"
+'''
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 4ad06eacfbe..3e17c1558a3 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -22,28 +20,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Service Command Lateral Movement"
-risk_score = 21
-rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by process.entity_id with maxspan = 1m
- [process where host.os.type == "windows" and event.type == "start" and
- (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
- process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
- process.args : ("create", "config", "failure", "start")]
- [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"]
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -78,6 +54,28 @@ The Service Control Manager in Windows allows for the management of services, wh
 - Restore the affected system from a known good backup if any malicious modifications or persistent threats are detected.
 - Implement network segmentation to limit the ability of adversaries to move laterally across the network in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+risk_score = 21
+rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by process.entity_id with maxspan = 1m
+ [process where host.os.type == "windows" and event.type == "start" and
+ (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
+ process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
+ process.args : ("create", "config", "failure", "start")]
+ [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"]
+'''
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index b9061b5cb2c..4f7be9dafd2 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
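Review bot: The network event of the re-added sc.exe sequence excludes only IPv4 loopback, `destination.ip != "127.0.0.1"`, whereas the DCOM lateral-movement rules in this same change exclude both `"127.0.0.1"` and `"::1"`; an `sc.exe \\localhost ... binPath=` invocation that resolves over IPv6 loopback would still pair with the process event and be reported as lateral movement. Suggest `[network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1" and destination.ip != "::1"]`. The process event also reads `process.pe.original_file_name` without the `?` optional-field prefix that the other EQL rules here use, so if any index in the rule's pattern (not visible in this hunk) lacks a mapping for that field the query can be rejected rather than just skipping the fallback; `(process.name : "sc.exe" or ?process.pe.original_file_name : "sc.exe")` keeps it consistent with its siblings.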
@@ -23,31 +21,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement via MSHTA"
-references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"]
-risk_score = 73
-rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence with maxspan=1m
- [process where host.os.type == "windows" and event.type == "start" and
- process.name : "mshta.exe" and process.args : "-Embedding"
- ] by host.id, process.entity_id
- [network where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
- network.direction : ("incoming", "ingress") and network.transport == "tcp" and
- source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
- ] by host.id, process.entity_id
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -83,6 +56,31 @@ DCOM allows software components to communicate over a network, enabling remote e
 - Review and restrict DCOM permissions and configurations on the affected host and other critical systems to limit the potential for similar attacks.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems have been compromised.
 - Update detection mechanisms and threat intelligence feeds to enhance monitoring for similar DCOM-based lateral movement attempts in the future."""
+references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"]
+risk_score = 73
+rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence with maxspan=1m
+ [process where host.os.type == "windows" and event.type == "start" and
+ process.name : "mshta.exe" and process.args : "-Embedding"
+ ] by host.id, process.entity_id
+ [network where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp" and
+ source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
+ ] by host.id, process.entity_id
+'''
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index d52089db2a5..edec6ac25c0 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -23,31 +21,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with MMC"
-references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"]
-risk_score = 73
-rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by host.id with maxspan=1m
- [network where host.os.type == "windows" and event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and
- destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and
- network.direction : ("incoming", "ingress") and network.transport == "tcp"
- ] by process.entity_id
- [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "mmc.exe"
- ] by process.parent.entity_id
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -82,6 +55,31 @@ Distributed Component Object Model (DCOM) enables software components to communi
 - Apply patches and updates to the affected systems and any other vulnerable systems in the network to mitigate known vulnerabilities that could be exploited.
 - Implement network segmentation to limit the ability of threats to move laterally within the network in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional actions are necessary."""
+references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"]
+risk_score = 73
+rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=1m
+ [network where host.os.type == "windows" and event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and
+ destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp"
+ ] by process.entity_id
+ [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "mmc.exe"
+ ] by process.parent.entity_id
+'''
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index b810f2ddc96..99d6bbb8067 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -23,31 +21,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
-references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"]
-risk_score = 47
-rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by host.id with maxspan=5s
- [network where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe" and
- network.direction : ("incoming", "ingress") and network.transport == "tcp" and
- source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
- ] by process.entity_id
- [process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : "explorer.exe"
- ] by process.parent.entity_id
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -83,6 +56,31 @@ DCOM enables software components to communicate over a network, often used in Wi
 - Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited during the attack.
 - Enhance monitoring and logging on the network to detect similar DCOM abuse attempts, ensuring that alerts are configured for high TCP port activity and unusual process spawning by explorer.exe.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment or remediation actions are necessary."""
+references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"]
+risk_score = 47
+rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=5s
+ [network where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe" and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp" and
+ source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
+ ] by process.entity_id
+ [process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : "explorer.exe"
+ ] by process.parent.entity_id
+'''
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index 0b12322e3fe..815a43f51b1 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/22"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,42 +11,17 @@ Identifies NullSessionPipe registry modifications that specify which pipes can b
 indicative of adversary lateral movement preparation by making the added pipe available to everyone.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "NullSessionPipe Registry Modification"
-references = [
- "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares",
-]
-risk_score = 47
-rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.type == "change" and
-registry.path : (
- "HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
- "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
- "MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
-) and length(registry.data.strings) > 0 and
-not registry.data.strings : "(empty)"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -83,6 +56,38 @@ The NullSessionPipe registry setting in Windows defines which named pipes can be
 - Reset credentials for any accounts that may have been compromised or used in conjunction with the unauthorized access to ensure they cannot be reused by adversaries.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been affected.
 - Implement enhanced monitoring and alerting for changes to the NullSessionPipes registry key and similar registry paths to detect and respond to future unauthorized modifications promptly."""
+references = [
+ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares",
+]
+risk_score = 47
+rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+registry.path : (
+ "HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
+ "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
+ "MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
+) and length(registry.data.strings) > 0 and
+not registry.data.strings : "(empty)"
+'''
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index 5fc5de9d829..652d28d1fde 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/04/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -26,6 +24,40 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Shadowing Activity"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Remote Desktop Shadowing Activity
+
+Remote Desktop Shadowing allows administrators to view or control active RDP sessions, aiding in support and troubleshooting. However, adversaries can exploit this feature to monitor or hijack user sessions without consent. The detection rule identifies suspicious modifications to RDP Shadow registry settings and the execution of specific processes linked to shadowing, signaling potential misuse.
+
+### Possible investigation steps
+
+- Review the registry event details to confirm if there was a modification to the RDP Shadow registry path, specifically checking for changes in "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow".
+- Investigate the process events to identify if "RdpSaUacHelper.exe" or "RdpSaProxy.exe" were started by "svchost.exe", which could indicate unauthorized shadowing activity.
+- Check for any instances of "mstsc.exe" being executed with the "/shadow:*" argument, as this could signify an attempt to shadow an RDP session.
+- Correlate the identified processes and registry changes with user activity logs to determine if the actions were authorized or expected as part of legitimate administrative tasks.
+- Analyze network logs for any unusual remote connections or lateral movement patterns that coincide with the timing of the detected shadowing activity.
+- Consult endpoint security solutions like Microsoft Defender for Endpoint or SentinelOne for additional context or alerts related to the same host or user account involved in the shadowing activity.
+
+### False positive analysis
+
+- Legitimate administrative activities may trigger alerts when IT staff use RDP Shadowing for support. To manage this, create exceptions for known IT administrator accounts or specific IP addresses.
+- Scheduled maintenance or automated scripts that modify RDP Shadow registry settings can be mistaken for malicious activity. Identify and exclude these processes or scripts from the detection rule.
+- Security software or monitoring tools that interact with RDP sessions might mimic shadowing behavior. Verify these tools and whitelist their processes to prevent false alerts.
+- Training sessions or remote support tools that use RDP Shadowing features can generate alerts. Document and exclude these activities by identifying their unique process names or arguments.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
+- Terminate any suspicious processes identified in the alert, such as RdpSaUacHelper.exe, RdpSaProxy.exe, or mstsc.exe with shadowing arguments, to stop potential session hijacking.
+- Revert any unauthorized changes to the RDP Shadow registry settings to their default or secure state to prevent further exploitation.
+- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized changes have been made, and reset passwords for any compromised accounts.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more quickly in the future.
+- Review and update RDP access policies and configurations to ensure they align with best practices, such as enforcing multi-factor authentication and limiting RDP access to only necessary users and systems."""
 references = [
 "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
 "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/",
@@ -67,40 +99,6 @@ any where host.os.type == "windows" and
 )
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Remote Desktop Shadowing Activity
-
-Remote Desktop Shadowing allows administrators to view or control active RDP sessions, aiding in support and troubleshooting. However, adversaries can exploit this feature to monitor or hijack user sessions without consent. The detection rule identifies suspicious modifications to RDP Shadow registry settings and the execution of specific processes linked to shadowing, signaling potential misuse.
-
-### Possible investigation steps
-
-- Review the registry event details to confirm if there was a modification to the RDP Shadow registry path, specifically checking for changes in "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow".
-- Investigate the process events to identify if "RdpSaUacHelper.exe" or "RdpSaProxy.exe" were started by "svchost.exe", which could indicate unauthorized shadowing activity.
-- Check for any instances of "mstsc.exe" being executed with the "/shadow:*" argument, as this could signify an attempt to shadow an RDP session.
-- Correlate the identified processes and registry changes with user activity logs to determine if the actions were authorized or expected as part of legitimate administrative tasks.
-- Analyze network logs for any unusual remote connections or lateral movement patterns that coincide with the timing of the detected shadowing activity.
-- Consult endpoint security solutions like Microsoft Defender for Endpoint or SentinelOne for additional context or alerts related to the same host or user account involved in the shadowing activity.
-
-### False positive analysis
-
-- Legitimate administrative activities may trigger alerts when IT staff use RDP Shadowing for support. To manage this, create exceptions for known IT administrator accounts or specific IP addresses.
-- Scheduled maintenance or automated scripts that modify RDP Shadow registry settings can be mistaken for malicious activity. Identify and exclude these processes or scripts from the detection rule.
-- Security software or monitoring tools that interact with RDP sessions might mimic shadowing behavior. Verify these tools and whitelist their processes to prevent false alerts.
-- Training sessions or remote support tools that use RDP Shadowing features can generate alerts. Document and exclude these activities by identifying their unique process names or arguments.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
-- Terminate any suspicious processes identified in the alert, such as RdpSaUacHelper.exe, RdpSaProxy.exe, or mstsc.exe with shadowing arguments, to stop potential session hijacking.
-- Revert any unauthorized changes to the RDP Shadow registry settings to their default or secure state to prevent further exploitation.
-- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized changes have been made, and reset passwords for any compromised accounts.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more quickly in the future.
-- Review and update RDP access policies and configurations to ensure they align with best practices, such as enforcing multi-factor authentication and limiting RDP access to only necessary users and systems."""
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index fefd0ad1ad7..a6329dc5a9d 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -27,33 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via TSClient Mountpoint"
-references = [
- "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
- "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
-]
-risk_score = 73
-rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -89,6 +60,33 @@ The TSClient mountpoint is a feature of the Remote Desktop Protocol (RDP) that a
 - Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
 - Implement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface for similar threats.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts."""
+references = [
+ "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
+risk_score = 73
+rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe"
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 5997eaad182..441b22f62de 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
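Review bot: The query fires only when the started image itself lives under `\\Device\\Mup\\tsclient\\*.exe`, so a payload staged on the redirected drive but launched through a host-local binary (`rundll32 \\tsclient\c\x.dll`, `powershell -File \\tsclient\c\run.ps1`, `msiexec /i \\tsclient\c\x.msi`) yields a System32 `process.executable` and is missed. If that scope is wanted, a second branch such as `or (process.args : "\\\\tsclient\\*" and process.name : ("rundll32.exe", "regsvr32.exe", "powershell.exe", "msiexec.exe", "cmd.exe"))` would cover it; the added volume should be measured against real RDP admin traffic before widening a `high`-severity rule. The commit only reorders fields and does not touch the logic, so this is a follow-up rather than a blocker.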
@@ -2,9 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -28,27 +26,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Incoming Execution via WinRM Remote Shell" -risk_score = 47 -rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by host.id with maxspan=30s - [network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and - destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"] - [process where host.os.type == "windows" and - event.type == "start" and process.parent.name : "winrshost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -84,6 +61,27 @@ Windows Remote Management (WinRM) is a protocol that allows for remote managemen
 - Restore the affected system from a known good backup if any malicious activity or unauthorized changes are confirmed.
 - Implement network segmentation to limit the ability of threats to move laterally across the network, focusing on restricting access to critical systems.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+risk_score = 47
+rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=30s
+ [network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and
+ destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
+ [process where host.os.type == "windows" and
+ event.type == "start" and process.parent.name : "winrshost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 0e3e20a9ebc..d51c79933c2 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/22"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
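Review bot: The network stage accepts `destination.port` 5986, the WinRM HTTPS listener, but also requires `network.protocol == "http"`; whether the sensor labels TLS-wrapped WinRM on 5986 as `http`, as `https`, or leaves the field unset is not visible here, and in the latter two cases the 5986 branch can never fire. Worth confirming against a Defend/Sysmon sample and, if needed, loosening to `network.protocol in ("http", "https")` or dropping the protocol test altogether, since `process.pid == 4` plus the port pair already pins this to HTTP.sys. The loopback exclusions do not cover a connection to the host's own routable address (`winrs -r:<own-hostname>`), which would likely still match; probably acceptable at medium severity, but it deserves a line in the false-positive section.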
@@ -13,10 +11,49 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "WMI Incoming Lateral Movement" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating WMI Incoming Lateral Movement + +Windows Management Instrumentation (WMI) is a core Windows feature enabling remote management and data collection. Adversaries exploit WMI for lateral movement by executing processes on remote hosts, often bypassing traditional security measures. The detection rule identifies suspicious WMI activity by monitoring specific network connections and process executions, filtering out common false positives to highlight potential threats. + +### Possible investigation steps + +- Review the source IP address of the incoming RPC connection to determine if it is from a known or trusted network segment, excluding localhost addresses like 127.0.0.1 and ::1. +- Check the process name and parent process name, specifically looking for svchost.exe and WmiPrvSE.exe, to confirm the execution context and identify any unusual parent-child process relationships. 
+- Investigate the user ID associated with the process execution to ensure it is not a system account (S-1-5-18, S-1-5-19, S-1-5-20) and assess if the user has legitimate reasons for remote WMI activity. +- Examine the process executable path to verify it is not one of the excluded common false positives, such as those related to HPWBEM, SCCM, or other specified system utilities. +- Analyze the network connection details, including source and destination ports, to identify any patterns or anomalies that could indicate malicious lateral movement. +- Correlate the alert with other security events or logs from the same host or network segment to gather additional context and identify potential patterns of compromise. + +### False positive analysis + +- Administrative use of WMI for remote management can trigger alerts. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff. +- Security tools like Nessus and SCCM may cause false positives. Exclude processes associated with these tools by adding their executables to the exception list. +- System processes running with high integrity levels might be flagged. Exclude processes with integrity levels marked as "System" to reduce noise. +- Specific executables such as msiexec.exe and appcmd.exe with certain arguments can be safely excluded if they are part of routine administrative tasks. +- Regularly review and update the exception list to ensure it aligns with current network management practices and tools. + +### Response and remediation + +- Isolate the affected host immediately from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools. +- Terminate any suspicious processes identified as being executed via WMI on the affected host. Use task management tools or scripts to stop these processes. 
+- Conduct a thorough review of the affected host's WMI logs and process execution history to identify any unauthorized changes or additional malicious activity. +- Reset credentials for any accounts that were used in the suspicious WMI activity, especially if they have administrative privileges, to prevent further unauthorized access. +- Apply patches and updates to the affected host and any other systems that may be vulnerable to similar exploitation methods, ensuring that all security updates are current. +- Enhance monitoring and logging for WMI activity across the network to detect and respond to similar threats more quickly in the future. This includes setting up alerts for unusual WMI usage patterns. +- If the threat is confirmed to be part of a larger attack, escalate the incident to the appropriate security team or authority for further investigation and potential legal action.""" risk_score = 47 rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88" severity = "medium" 
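Review bot: The false-positive bullet `Exclude processes with integrity levels marked as "System" to reduce noise` reads as advice for analysts to add a blanket integrity-level exception, which is the wrong shape for this rule: a remote caller that ends up running as SYSTEM (a machine account, or a provider hosted as LocalSystem) spawns a System-integrity child and would disappear behind that exception. If the query already filters on the integrity-level field (it is not visible in this hunk), reword the bullet to say the rule does that and that further exceptions should be keyed on `process.executable` plus `source.ip`, as the neighbouring bullets already do; if it does not, drop the bullet. The `note` field is introduced at the top of this hunk, so the whole guide is new-side text and can be fixed here.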
@@ -57,41 +94,6 @@ sequence by host.id with maxspan = 2s not (process.executable : "?:\\Windows\\System32\\inetsrv\\appcmd.exe" and process.args : "uninstall") ] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating WMI Incoming Lateral Movement - -Windows Management Instrumentation (WMI) is a core Windows feature enabling remote management and data collection. Adversaries exploit WMI for lateral movement by executing processes on remote hosts, often bypassing traditional security measures. The detection rule identifies suspicious WMI activity by monitoring specific network connections and process executions, filtering out common false positives to highlight potential threats. - -### Possible investigation steps - -- Review the source IP address of the incoming RPC connection to determine if it is from a known or trusted network segment, excluding localhost addresses like 127.0.0.1 and ::1. -- Check the process name and parent process name, specifically looking for svchost.exe and WmiPrvSE.exe, to confirm the execution context and identify any unusual parent-child process relationships. -- Investigate the user ID associated with the process execution to ensure it is not a system account (S-1-5-18, S-1-5-19, S-1-5-20) and assess if the user has legitimate reasons for remote WMI activity. -- Examine the process executable path to verify it is not one of the excluded common false positives, such as those related to HPWBEM, SCCM, or other specified system utilities. -- Analyze the network connection details, including source and destination ports, to identify any patterns or anomalies that could indicate malicious lateral movement. 
-- Correlate the alert with other security events or logs from the same host or network segment to gather additional context and identify potential patterns of compromise. - -### False positive analysis - -- Administrative use of WMI for remote management can trigger alerts. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff. -- Security tools like Nessus and SCCM may cause false positives. Exclude processes associated with these tools by adding their executables to the exception list. -- System processes running with high integrity levels might be flagged. Exclude processes with integrity levels marked as "System" to reduce noise. -- Specific executables such as msiexec.exe and appcmd.exe with certain arguments can be safely excluded if they are part of routine administrative tasks. -- Regularly review and update the exception list to ensure it aligns with current network management practices and tools. - -### Response and remediation - -- Isolate the affected host immediately from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools. -- Terminate any suspicious processes identified as being executed via WMI on the affected host. Use task management tools or scripts to stop these processes. -- Conduct a thorough review of the affected host's WMI logs and process execution history to identify any unauthorized changes or additional malicious activity. -- Reset credentials for any accounts that were used in the suspicious WMI activity, especially if they have administrative privileges, to prevent further unauthorized access. -- Apply patches and updates to the affected host and any other systems that may be vulnerable to similar exploitation methods, ensuring that all security updates are current. 
-- Enhance monitoring and logging for WMI activity across the network to detect and respond to similar threats more quickly in the future. This includes setting up alerts for unusual WMI usage patterns. -- If the threat is confirmed to be part of a larger attack, escalate the incident to the appropriate security team or authority for further investigation and potential legal action.""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index 3489b44f56e..3352383ebb2 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -27,37 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Mounting Hidden or WebDav Remote Shares" -risk_score = 47 -rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - ((process.name : "net.exe" or ?process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or ?process.pe.original_file_name == "net1.exe") and - not process.parent.name : "net.exe")) and - process.args : "use" and - /* including hidden and webdav based online shares such as onedrive */ - process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and - /* excluding shares deletion operation */ - not process.args : "/d*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -92,6 +59,37 @@ WebDav and hidden remote shares facilitate file sharing and collaboration across
 - Implement network segmentation to limit access to critical systems and sensitive data, reducing the risk of lateral movement.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
 - Enhance monitoring and alerting for similar activities by ensuring that all relevant security tools are configured to detect and alert on suspicious use of net.exe and net1.exe."""
+risk_score = 47
+rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ ((process.name : "net.exe" or ?process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or ?process.pe.original_file_name == "net1.exe") and
+ not process.parent.name : "net.exe")) and
+ process.args : "use" and
+ /* including hidden and webdav based online shares such as onedrive */
+ process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and
+ /* excluding shares deletion operation */
+ not process.args : "/d*"
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index 86d159976c9..f6227044ca7 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
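Review bot: The WebDAV branch of `process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*")` only recognises the `@SSL` UNC form and literal `http*` URLs, so `net use * \\host@8080\DavWWWRoot\share` or `net use * \\host\DavWWWRoot` (plain-HTTP WebDAV, which is what a throw-away attacker host usually offers) is not matched even though the rule name claims WebDAV coverage. Widening the middle pattern to `"\\\\*@*\\*"` covers both the `@SSL` and `@<port>` forms, and adding `"*DavWWWRoot*"` catches the explicit-path form; I have not measured the noise either would add. The logic is only moved by this commit, so treat this as a follow-up.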
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -28,31 +26,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Incoming Execution via PowerShell Remoting" -references = [ - "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1", -] -risk_score = 47 -rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by host.id with maxspan = 30s - [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and - network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"] - [process where host.os.type == "windows" and - event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -88,6 +61,31 @@ PowerShell Remoting enables administrators to execute commands on remote Windows
 - Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited.
 - Enhance monitoring on the network for unusual activity on ports 5985 and 5986 to detect any future attempts at unauthorized PowerShell Remoting.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
+references = [
+ "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1",
+]
+risk_score = 47
+rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan = 30s
+ [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
+ network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
+ [process where host.os.type == "windows" and
+ event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index be8f3779dbc..d0b2102f5d4 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
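Review bot: The first sequence step takes any inbound connection to 5985/5986, whereas the sibling WinRM rule in this same commit additionally pins it to `process.pid == 4`; PowerShell Remoting rides the same HTTP.sys listener, so adding `process.pid == 4` to the network step here would make the two rules consistent and drop events from any unrelated user-mode listener on those ports. The `network.protocol == "http"` test carries the same 5986/TLS question as the WinRM rule — confirm how the sensor labels HTTPS WinRM before relying on the 5986 branch. The `?view=powershell-7.1` suffix on the reference URL is a stale doc version; not a blocker, but worth refreshing while the field is being moved.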
@@ -2,9 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,14 @@ Identifies registry write modifications to enable Remote Desktop Protocol (RDP) adversary lateral movement preparation. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "RDP Enabled via Registry" diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 086946e9a66..be836c4665e 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/25" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -27,32 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Remote File Copy to a Hidden Share" -references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"] -risk_score = 47 -rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.name : ("cmd.exe", "powershell.exe", "xcopy.exe", "pwsh.exe", "powershell_ise.exe") and - process.command_line : "*\\\\*\\*$*" and process.command_line : ("*copy*", "*move*", "* cp *", "* mv *") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -88,6 +60,32 @@ In Windows environments, hidden network shares are often used for legitimate adm
 - Review and restrict permissions on network shares, especially hidden shares, to ensure only authorized users have access.
 - Monitor network traffic for any further suspicious activity related to hidden shares and lateral movement attempts.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
+references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
+risk_score = 47
+rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : ("cmd.exe", "powershell.exe", "xcopy.exe", "pwsh.exe", "powershell_ise.exe") and
+ process.command_line : "*\\\\*\\*$*" and process.command_line : ("*copy*", "*move*", "* cp *", "* mv *")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
index b06572fd20b..5d8410e1295 100644
--- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml
+++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
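Review bot: `process.name` is limited to `cmd.exe`, `powershell.exe`, `xcopy.exe`, `pwsh.exe` and `powershell_ise.exe`, so `robocopy.exe \\host\c$\... ` started directly rather than through `cmd /c` is missed, even though the `*copy*` command-line pattern would match its own name when it is wrapped in a shell. Adding it is a one-token change: `process.name : ("cmd.exe", "powershell.exe", "xcopy.exe", "robocopy.exe", "pwsh.exe", "powershell_ise.exe")`. The commit only moves this query, so the gap predates it; flagging it because the reorder is the first time the query has been in front of a reviewer for a while.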
@@ -2,9 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Remote Windows Service Installed" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Remote Windows Service Installed + +Windows services are crucial for running background processes. Adversaries exploit this by installing services remotely to maintain persistence or move laterally within a network. The detection rule identifies suspicious service installations following a network logon, excluding known legitimate services, to flag potential unauthorized activities. This helps in identifying and mitigating threats early. + +### Possible investigation steps + +- Review the source IP address from the authentication event to determine if it is from a known or trusted network segment. Investigate any unfamiliar or suspicious IP addresses. +- Check the winlog.logon.id to correlate the logon session with the service installation event, ensuring they are part of the same session. +- Investigate the user account associated with the logon session to determine if the activity aligns with their typical behavior or role within the organization. +- Examine the service file path from the service-installed event to identify if it is a known or legitimate application. Pay special attention to any paths not excluded in the query. +- Look into the history of the computer where the service was installed (winlog.computer_name) for any previous suspicious activities or alerts. 
+- Assess the timing and frequency of similar events to determine if this is an isolated incident or part of a broader pattern of suspicious behavior. + +### False positive analysis + +- Administrative activities can trigger false positives when administrators frequently install or update services remotely. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff. +- Legitimate software installations or updates may appear as suspicious service installations. Maintain an updated list of authorized software paths and exclude these from the detection rule. +- Automated deployment tools like PDQ Deploy or Veeam Backup can cause false positives. Identify and exclude the service paths associated with these tools to reduce noise. +- Scheduled tasks that install or update services as part of routine maintenance can be mistaken for threats. Document and exclude these tasks from the rule to prevent unnecessary alerts. +- Internal security tools that perform regular checks or updates may also trigger alerts. Ensure these tools are recognized and their service paths are excluded from the detection criteria. + +### Response and remediation + +- Isolate the affected system from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools. +- Terminate any unauthorized services identified by the alert to stop any malicious processes from running. Use task management tools or command-line utilities to stop and disable these services. +- Conduct a thorough review of recent logon events and service installations on the affected system to identify any additional unauthorized activities or compromised accounts. +- Change passwords for any accounts that were used in the unauthorized service installation, especially if they have administrative privileges, to prevent further unauthorized access. 
+- Restore the affected system from a known good backup if any malicious changes or persistence mechanisms are detected that cannot be easily remediated. +- Implement network monitoring and alerting for similar suspicious activities, such as unexpected service installations or network logons, to enhance detection and response capabilities. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or accounts have been compromised.""" risk_score = 47 rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1" severity = "medium" 
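Review bot: The false-positive section tells readers to keep a list of excluded service file paths for tools like PDQ Deploy or Veeam, but a path-only exclusion on a service-installed event is easy to ride: whoever can write to an excluded directory simply names the payload to match. The bullet should say that exclusions on the service path must be paired with the source address or account from the logon event (the guide already points at `winlog.logon.id` for that join), because the service-installed record carries no signer or hash to verify the image. In the response section, `Terminate any unauthorized services ... stop and disable these services` should be preceded by collecting the service binary, its configuration and the paired logon/service events for forensics, otherwise stopping the service discards the evidence the escalation step then asks for. The `note` field opens at the top of this hunk, so these are wording changes to new-side text.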
@@ -64,41 +97,6 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and
 "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe",
 "?:\\Windows\\System32\\taskhostex.exe")]
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Remote Windows Service Installed
-
-Windows services are crucial for running background processes. Adversaries exploit this by installing services remotely to maintain persistence or move laterally within a network. The detection rule identifies suspicious service installations following a network logon, excluding known legitimate services, to flag potential unauthorized activities. This helps in identifying and mitigating threats early.
-
-### Possible investigation steps
-
-- Review the source IP address from the authentication event to determine if it is from a known or trusted network segment. Investigate any unfamiliar or suspicious IP addresses.
-- Check the winlog.logon.id to correlate the logon session with the service installation event, ensuring they are part of the same session.
-- Investigate the user account associated with the logon session to determine if the activity aligns with their typical behavior or role within the organization.
-- Examine the service file path from the service-installed event to identify if it is a known or legitimate application. Pay special attention to any paths not excluded in the query.
-- Look into the history of the computer where the service was installed (winlog.computer_name) for any previous suspicious activities or alerts.
-- Assess the timing and frequency of similar events to determine if this is an isolated incident or part of a broader pattern of suspicious behavior. - -### False positive analysis - -- Administrative activities can trigger false positives when administrators frequently install or update services remotely. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff. -- Legitimate software installations or updates may appear as suspicious service installations. Maintain an updated list of authorized software paths and exclude these from the detection rule. -- Automated deployment tools like PDQ Deploy or Veeam Backup can cause false positives. Identify and exclude the service paths associated with these tools to reduce noise. -- Scheduled tasks that install or update services as part of routine maintenance can be mistaken for threats. Document and exclude these tasks from the rule to prevent unnecessary alerts. -- Internal security tools that perform regular checks or updates may also trigger alerts. Ensure these tools are recognized and their service paths are excluded from the detection criteria. - -### Response and remediation - -- Isolate the affected system from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools. -- Terminate any unauthorized services identified by the alert to stop any malicious processes from running. Use task management tools or command-line utilities to stop and disable these services. -- Conduct a thorough review of recent logon events and service installations on the affected system to identify any additional unauthorized activities or compromised accounts. -- Change passwords for any accounts that were used in the unauthorized service installation, especially if they have administrative privileges, to prevent further unauthorized access. 
-- Restore the affected system from a known good backup if any malicious changes or persistence mechanisms are detected that cannot be easily remediated.
-- Implement network monitoring and alerting for similar suspicious activities, such as unexpected service installations or network logons, to enhance detection and response capabilities.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or accounts have been compromised."""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index bd46ed742ba..6409bf739d8 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
index cc727f02af3..1370fa1ac34 100644
--- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml
+++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 962d7dc4f30..857d749b7b4 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
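Review bot: Dropping `min_stack_version = "8.14.0"` together with its `min_stack_comments` line removes the rule's own declaration that it depends on the Windows integration's 8.14.0 breaking change, and that is only safe if a repository-wide floor of at least 8.14.0 is enforced somewhere else, which this hunk does not show. If an older stack can still load the rule, the pre-8.14 field mapping this guard protected against would make the rule miss silently rather than fail loudly. I would either keep the `min_stack_version` line or have the commit message state where the new floor is enforced so the next reader does not have to reconstruct it. The neighbouring `lateral_movement_remote_task_creation_winlog.toml` hunk makes the same removal and has the same dependency.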
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index 49b26a6d28e..d9b248b5808 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,40 @@ index = ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_ language = "eql" license = "Elastic License v2" name = "Suspicious RDP ActiveX Client Loaded" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious RDP ActiveX Client Loaded + +The Remote Desktop Services ActiveX Client, mstscax.dll, facilitates remote desktop connections, enabling users to access and control other systems. Adversaries may exploit this by loading the DLL in unauthorized contexts to move laterally within a network. The detection rule identifies unusual loading of mstscax.dll outside typical system paths, flagging potential misuse indicative of lateral movement attempts. + +### Possible investigation steps + +- Review the process executable path to determine if mstscax.dll was loaded from an unusual or unauthorized location, as specified in the query. +- Check the associated process and user context to identify who initiated the process and whether it aligns with expected behavior or known user activity. +- Investigate the network connections associated with the process to identify any suspicious remote connections or lateral movement attempts. +- Examine recent login events and RDP session logs for the involved user account to detect any unauthorized access or anomalies. +- Correlate the alert with other security events or logs to identify potential patterns or related suspicious activities within the network. + +### False positive analysis + +- Legitimate administrative tools or scripts that load mstscax.dll from non-standard paths may trigger false positives. 
To mitigate this, identify and document these tools, then add their paths to the exclusion list in the detection rule. +- Software updates or installations that temporarily load mstscax.dll from unusual locations can cause false alerts. Monitor and log these activities, and consider excluding these paths if they are consistently flagged during known update periods. +- Virtualization software or sandbox environments that use mstscax.dll for legitimate purposes might be flagged. Verify the use of such software and exclude their executable paths from the rule to prevent unnecessary alerts. +- Custom user scripts or automation tasks that involve remote desktop functionalities may load mstscax.dll in unexpected ways. Review these scripts and, if deemed safe, add their execution paths to the exclusion list to reduce noise. +- Network drive mappings or shared folders that involve remote desktop components could lead to false positives. Ensure these are part of regular operations and exclude their paths if they are frequently flagged without malicious intent. + +### Response and remediation + +- Isolate the affected system from the network immediately to prevent further lateral movement by the adversary. +- Terminate any suspicious processes associated with the unauthorized loading of mstscax.dll to halt potential malicious activities. +- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software. +- Review and analyze the system and network logs to identify any other systems that may have been accessed or compromised by the adversary. +- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access. +- Implement network segmentation to limit the ability of adversaries to move laterally within the network in the future. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been affected.""" references = [ "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language", 
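Review bot: The new guide summarises the rule as flagging mstscax.dll loaded "outside typical system paths" and its first investigation step asks where the DLL was loaded from, but the visible tail of the query (an exclusion list ending in `"?:\\Windows\\System32\\hvsirdpclient.exe"` before the closing `)`) suggests the rule keys on which process executable loads the library, not on the DLL's own location, so the summary and the first step point the analyst at the wrong field. I would rephrase the summary as `The detection rule flags mstscax.dll being loaded by a process other than the known RDP clients, which can indicate a custom or injected RDP client being used for lateral movement.` and the first step as `Review process.executable and, where available, process.code_signature for the process that loaded mstscax.dll; loads by unsigned binaries or from user-writable paths deserve priority.` The false-positive section repeatedly advises adding executable paths to the exclusion list; it should warn that a path under a user-writable directory is a weak exclusion, because an attacker can place a binary at the same path, and that exclusions should pin signer metadata where the data source provides it. The query itself starts outside this hunk, so the shape I describe is inferred from its exclusion tail and should be checked against the full expression.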
@@ -69,40 +101,6 @@ any where host.os.type == "windows" and
 "?:\\Windows\\System32\\hvsirdpclient.exe"
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious RDP ActiveX Client Loaded
-
-The Remote Desktop Services ActiveX Client, mstscax.dll, facilitates remote desktop connections, enabling users to access and control other systems. Adversaries may exploit this by loading the DLL in unauthorized contexts to move laterally within a network. The detection rule identifies unusual loading of mstscax.dll outside typical system paths, flagging potential misuse indicative of lateral movement attempts.
-
-### Possible investigation steps
-
-- Review the process executable path to determine if mstscax.dll was loaded from an unusual or unauthorized location, as specified in the query.
-- Check the associated process and user context to identify who initiated the process and whether it aligns with expected behavior or known user activity.
-- Investigate the network connections associated with the process to identify any suspicious remote connections or lateral movement attempts.
-- Examine recent login events and RDP session logs for the involved user account to detect any unauthorized access or anomalies.
-- Correlate the alert with other security events or logs to identify potential patterns or related suspicious activities within the network.
-
-### False positive analysis
-
-- Legitimate administrative tools or scripts that load mstscax.dll from non-standard paths may trigger false positives. To mitigate this, identify and document these tools, then add their paths to the exclusion list in the detection rule.
-- Software updates or installations that temporarily load mstscax.dll from unusual locations can cause false alerts. Monitor and log these activities, and consider excluding these paths if they are consistently flagged during known update periods. -- Virtualization software or sandbox environments that use mstscax.dll for legitimate purposes might be flagged. Verify the use of such software and exclude their executable paths from the rule to prevent unnecessary alerts. -- Custom user scripts or automation tasks that involve remote desktop functionalities may load mstscax.dll in unexpected ways. Review these scripts and, if deemed safe, add their execution paths to the exclusion list to reduce noise. -- Network drive mappings or shared folders that involve remote desktop components could lead to false positives. Ensure these are part of regular operations and exclude their paths if they are frequently flagged without malicious intent. - -### Response and remediation - -- Isolate the affected system from the network immediately to prevent further lateral movement by the adversary. -- Terminate any suspicious processes associated with the unauthorized loading of mstscax.dll to halt potential malicious activities. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software. -- Review and analyze the system and network logs to identify any other systems that may have been accessed or compromised by the adversary. -- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access. -- Implement network segmentation to limit the ability of adversaries to move laterally within the network in the future. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been affected."""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index 805ca9ee914..a85445567be 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
index 6518800cbef..d6fab3b872c 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 51f0b83aabc..a74ff41d148 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,41 +11,17 @@ Identifies suspicious file creations in the startup folder of a remote system. A
 laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.file-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Lateral Movement via Startup Folder"
-references = [
- "https://www.mdsec.co.uk/2017/06/rdpinception/",
- "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
-]
-risk_score = 73
-rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-file where host.os.type == "windows" and event.type in ("creation", "change") and
-
- /* via RDP TSClient mounted share or SMB */
- (process.name : "mstsc.exe" or process.pid == 4) and
-
- file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
- "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -82,6 +56,37 @@ The Windows Startup folder is a mechanism that allows programs to run automatica
 - Review and reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for RDP and SMB activities, focusing on unusual file creation events in Startup folders, to improve detection of similar threats in the future."""
+references = [
+ "https://www.mdsec.co.uk/2017/06/rdpinception/",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
+risk_score = 73
+rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type in ("creation", "change") and
+
+ /* via RDP TSClient mounted share or SMB */
+ (process.name : "mstsc.exe" or process.pid == 4) and
+
+ file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
+ "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*")
+'''
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
index 0b3bbc35872..22ecd3dc5c9 100644
--- a/rules/windows/lateral_movement_via_wsus_update.toml
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2024/07/19"
-integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,35 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Potential WSUS Abuse for Lateral Movement"
-references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"]
-risk_score = 47
-rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Windows Security Event Logs",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and
-process.executable : (
- "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*",
- "\\Device\\HarddiskVolume?\\Windows\\SoftwareDistribution\\Download\\Install\\*"
-) and
-(process.name : "psexec64.exe" or ?process.pe.original_file_name : "psexec.c")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -90,6 +59,35 @@ Windows Server Update Services (WSUS) is a system that manages updates for Micro
 - Reset credentials for any accounts that may have been compromised or used in the lateral movement attempt, especially those with administrative privileges.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been affected.
 - Implement enhanced monitoring and logging for WSUS activities and PsExec executions to detect and respond to similar threats more effectively in the future."""
+references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"]
+risk_score = 47
+rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and
+process.executable : (
+ "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*",
+ "\\Device\\HarddiskVolume?\\Windows\\SoftwareDistribution\\Download\\Install\\*"
+) and
+(process.name : "psexec64.exe" or ?process.pe.original_file_name : "psexec.c")
+'''
 [[rule.threat]]
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index dd5de2c0541..d7302c194b6 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -20,29 +18,6 @@ index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AdminSDHolder Backdoor"
-references = [
- "https://adsecurity.org/?p=1906",
- "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder",
-]
-risk_score = 73
-rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "query"
-
-query = '''
-event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -78,6 +53,29 @@ The AdminSDHolder object in Active Directory is crucial for maintaining consiste
 - Implement additional monitoring on the AdminSDHolder object and other critical Active Directory objects to detect any future unauthorized modifications promptly.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach, including identifying any other compromised systems or accounts.
 - Review and update access control policies and security configurations to prevent similar attacks, ensuring that only authorized personnel have the ability to modify critical Active Directory objects."""
+references = [
+ "https://adsecurity.org/?p=1906",
+ "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder",
+]
+risk_score = 73
+rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*
+'''
 [[rule.threat]]
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 9861af7bf42..119541284dd 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
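Review bot: The relocated query `event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*` depends on event 5136 actually being generated, which requires the "Audit Directory Service Changes" subcategory to be enabled on the domain controllers and a SACL on the AdminSDHolder object auditing write operations; without both the rule stays silently green against exactly the backdoor it is meant to catch. The hunk only moves the query, so if the rule's setup text (outside this hunk) does not already spell out that prerequisite, I would add a setup line such as `Requires 'Audit Directory Service Changes' (Success) on domain controllers and a SACL on CN=AdminSDHolder,CN=System,<domain> auditing Write DACL, Write Owner and Write all properties; 5136 is not emitted otherwise.` A short validation step in the guide, e.g. `Confirm 5136 events for other objects are arriving from the same DC before treating the absence of alerts as a negative`, would also help analysts distinguish "no attack" from "no telemetry".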
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -36,7 +34,14 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Detects writing executable files that will be automatically launched by Adobe on launch."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Adobe Hijack Persistence"
@@ -101,7 +106,18 @@ Hence for this rule to work effectively, users will need to add a custom ingest 
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -115,6 +131,11 @@ file where host.os.type == "windows" and event.type == "creation" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1554"
+name = "Compromise Host Software Binary"
+reference = "https://attack.mitre.org/techniques/T1554/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -124,11 +145,6 @@ id = "T1574.010"
 name = "Services File Permissions Weakness"
 reference = "https://attack.mitre.org/techniques/T1574/010/"
-[[rule.threat.technique]]
-id = "T1554"
-name = "Compromise Host Software Binary"
-reference = "https://attack.mitre.org/techniques/T1554/"
-
 [rule.threat.tactic]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index caae92210c6..67b2e180485 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,42 +11,17 @@ Identifies the installation of custom Application Compatibility Shim databases. abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = [ + "logs-endpoint.events.registry-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Installation of Custom Shim Databases" -risk_score = 47 -rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and - registry.path : ( - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb", - "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb", - "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb" - ) and - not process.executable : - ("?:\\Program Files (x86)\\DesktopCentral_Agent\\swrepository\\1\\swuploads\\SAP-SLC\\SAPSetupSLC02_14-80001954\\Setup\\NwSapSetup.exe", - "?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe", - "?:\\Program Files (x86)\\SAP\\SAPsetup\\setup\\NwSapSetup.exe", - "?:\\Program Files (x86)\\SAP\\SapSetup\\OnRebootSvc\\NWSAPSetupOnRebootInstSvc.exe", - "?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for 
Windows Server\\kavfs.exe") -''' note = """## Triage and analysis > **Disclaimer**: @@ -84,6 +57,38 @@ Application Compatibility Shim databases are used in Windows to ensure older app - Review and restore any altered system configurations or files to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the specified registry paths and associated processes to detect and respond to similar threats in the future.""" +risk_score = 47 +rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and + registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb", + "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb" + ) and + not process.executable : + ("?:\\Program Files (x86)\\DesktopCentral_Agent\\swrepository\\1\\swuploads\\SAP-SLC\\SAPSetupSLC02_14-80001954\\Setup\\NwSapSetup.exe", + "?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe", + "?:\\Program Files (x86)\\SAP\\SAPsetup\\setup\\NwSapSetup.exe", + "?:\\Program Files (x86)\\SAP\\SapSetup\\OnRebootSvc\\NWSAPSetupOnRebootInstSvc.exe", + "?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows Server\\kavfs.exe") +''' [[rule.threat]] 
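Review bot: The `process.executable` exclusions in the re-added query whitelist installers by path alone, and the `?:` prefix lets any drive letter match; a process that already holds the admin rights needed to write under `AppCompatFlags\Custom` can drop or rename a binary at one of those paths (e.g. `?:\$WINDOWS.~BT\Sources\SetupPlatform.exe`) and register an `.sdb` without alerting. Where the data source populates it, pairing the path list with a signer check would close that gap, e.g. `not (process.executable : (...) and process.code_signature.trusted == true)` with the existing paths kept inside the parentheses; if the listed sources do not carry `process.code_signature`, the false-positive section of `note` should at least state that these exclusions are path-based and must be reviewed per environment. The query string is complete within this hunk.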
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 6a6a98051b5..aedea1b2984 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
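Review bot: Removing `min_stack_version = "8.14.0"` drops the explicit floor that kept this rule off stacks predating the Windows-integration breaking change recorded in the removed `min_stack_comments`; if an older stack does load it, the index patterns and fields the query relies on would presumably just stop matching, so the regression would be silent rather than a load error. This is defensible only if no branch below 8.14 still receives rule updates — the `lock-versions` default elsewhere in this change now starts at 8.14, which suggests that is the intent — but the same edit is repeated across every Windows rule here and I do not see the rationale stated in the visible part of the change. Please record it in the PR description (e.g. `8.14 is now the oldest maintained branch, so the 8.14.0 min_stack gate on Windows-integration rules is redundant`) so the next reader does not reinstate or lower the floor by mistake. The `[rule]` table continues outside this hunk.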
@@ -13,33 +11,17 @@ Detects attempts to maintain persistence by creating registry keys using AppCert process using the common API functions to create processes. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Registry Persistence via AppCert DLL" -risk_score = 47 -rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. 
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and - registry.path : ( - "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", - "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", - "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -75,6 +57,41 @@ AppCert DLLs are dynamic link libraries that can be configured to load with ever - Review and restore any system files or configurations that may have been altered by the malicious DLLs to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the specific registry paths and related process creation activities to detect any future unauthorized changes promptly.""" +risk_score = 47 +rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7" +setup = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and + registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", + "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*" + ) +''' [[rule.threat]] 
@@ -94,7 +111,6 @@ reference = "https://attack.mitre.org/techniques/T1546/009/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index b0ae3c89326..40d0f07407f 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -2,16 +2,14 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] label = "Osquery - Retrieve AppInit Registry Value" query = """ -SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' or -r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows') and r.name == +SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' +or r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows') and r.name == 'AppInit_DLLs' """ 
@@ -50,7 +48,14 @@ Attackers who add those DLLs to the registry locations can execute code with ele injection, and provide a solid and constant persistence on the machine. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Registry Persistence via AppInit DLL" @@ -110,7 +115,19 @@ This rule identifies modifications on the AppInit registry keys. risk_score = 47 rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" @@ -154,9 +171,6 @@ reference = "https://attack.mitre.org/techniques/T1546/010/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -164,6 +178,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index b4876433481..6a2a027a9d7 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -19,11 +17,45 @@ index = [ "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*", "winlogbeat-*", - "endgame-*" + "endgame-*", ] language = "eql" license = "Elastic License v2" name = "Browser Extension Install" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Browser Extension Install +Browser extensions enhance functionality in web browsers but can be exploited by adversaries to gain persistence or execute malicious activities. Attackers may disguise harmful extensions as legitimate or use compromised systems to install them. The detection rule identifies suspicious extension installations by monitoring file creation events in typical extension directories, filtering out known safe processes, and focusing on Windows environments. + +### Possible investigation steps + +- Review the file creation event details to identify the specific browser extension file (e.g., .xpi or .crx) and its path to determine if it aligns with known malicious patterns or locations. +- Check the process that initiated the file creation event, especially if it is not a known safe process like firefox.exe, to assess if it is a legitimate application or potentially malicious. +- Investigate the user account associated with the file creation event to determine if the activity is expected or if the account may have been compromised. +- Examine recent system activity and logs for any signs of social engineering attempts or unauthorized access that could have led to the installation of the extension. +- Cross-reference the extension file name and path with threat intelligence sources to identify if it is associated with known malicious browser extensions. 
+- If applicable, review the browser's extension management interface to verify the presence and legitimacy of the installed extension. + +### False positive analysis + +- Language pack installations for Firefox can trigger false positives. Exclude files named "langpack-*@firefox.mozilla.org.xpi" from detection to prevent unnecessary alerts. +- Dictionary add-ons for Firefox may also be flagged. Add exceptions for files named "*@dictionaries.addons.mozilla.org.xpi" to reduce false positives. +- Regular updates or installations of legitimate browser extensions from trusted sources can be mistaken for malicious activity. Maintain a list of trusted processes and paths to exclude from monitoring. +- User-initiated installations from official browser stores might be flagged. Educate users on safe installation practices and consider excluding known safe processes like "firefox.exe" when associated with legitimate extension paths. +- Frequent installations in enterprise environments due to software deployment tools can cause alerts. Coordinate with IT to identify and exclude these routine activities from detection. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Terminate any suspicious processes associated with the unauthorized browser extension installation, such as unknown or unexpected instances of browser processes. +- Remove the malicious browser extension by deleting the associated files from the extension directories identified in the alert. +- Conduct a full antivirus and anti-malware scan on the affected system to identify and remove any additional threats or remnants of the malicious extension. +- Review and reset browser settings to default to ensure no residual configurations or settings are left by the malicious extension. 
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Implement application whitelisting to prevent unauthorized browser extensions from being installed in the future, focusing on the directories and file types identified in the detection query.""" risk_score = 21 rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379" severity = "low" 
@@ -62,40 +94,6 @@ file where host.os.type == "windows" and event.type : "creation" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Browser Extension Install -Browser extensions enhance functionality in web browsers but can be exploited by adversaries to gain persistence or execute malicious activities. Attackers may disguise harmful extensions as legitimate or use compromised systems to install them. The detection rule identifies suspicious extension installations by monitoring file creation events in typical extension directories, filtering out known safe processes, and focusing on Windows environments. - -### Possible investigation steps - -- Review the file creation event details to identify the specific browser extension file (e.g., .xpi or .crx) and its path to determine if it aligns with known malicious patterns or locations. -- Check the process that initiated the file creation event, especially if it is not a known safe process like firefox.exe, to assess if it is a legitimate application or potentially malicious. -- Investigate the user account associated with the file creation event to determine if the activity is expected or if the account may have been compromised. -- Examine recent system activity and logs for any signs of social engineering attempts or unauthorized access that could have led to the installation of the extension. -- Cross-reference the extension file name and path with threat intelligence sources to identify if it is associated with known malicious browser extensions. -- If applicable, review the browser's extension management interface to verify the presence and legitimacy of the installed extension. 
- -### False positive analysis - -- Language pack installations for Firefox can trigger false positives. Exclude files named "langpack-*@firefox.mozilla.org.xpi" from detection to prevent unnecessary alerts. -- Dictionary add-ons for Firefox may also be flagged. Add exceptions for files named "*@dictionaries.addons.mozilla.org.xpi" to reduce false positives. -- Regular updates or installations of legitimate browser extensions from trusted sources can be mistaken for malicious activity. Maintain a list of trusted processes and paths to exclude from monitoring. -- User-initiated installations from official browser stores might be flagged. Educate users on safe installation practices and consider excluding known safe processes like "firefox.exe" when associated with legitimate extension paths. -- Frequent installations in enterprise environments due to software deployment tools can cause alerts. Coordinate with IT to identify and exclude these routine activities from detection. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Terminate any suspicious processes associated with the unauthorized browser extension installation, such as unknown or unexpected instances of browser processes. -- Remove the malicious browser extension by deleting the associated files from the extension directories identified in the alert. -- Conduct a full antivirus and anti-malware scan on the affected system to identify and remove any additional threats or remnants of the malicious extension. -- Review and reset browser settings to default to ensure no residual configurations or settings are left by the malicious extension. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. 
-- Implement application whitelisting to prevent unauthorized browser extensions from being installed in the future, focusing on the directories and file types identified in the detection query.""" [[rule.threat]] diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml index e5bbdceaf82..b3b801c29b2 100644 --- a/rules/windows/persistence_dontexpirepasswd_account.toml +++ b/rules/windows/persistence_dontexpirepasswd_account.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/22" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index 71504064689..37d50c2751a 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,7 +12,14 @@ sometimes done by attackers to increase access to a system and avoid appearing i the net users command. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Creation of a Hidden Local User Account" diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index 94f25c785e8..915e9d78036 100644 --- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,10 +11,51 @@ The Debugger and SilentProcessExit registry keys can allow an adversary to inter different process to be executed. This functionality can be abused by an adversary to establish persistence. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Image File Execution Options Injection" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Image File Execution Options Injection + +Image File Execution Options (IFEO) is a Windows feature allowing developers to debug applications by specifying an alternative executable to run. Adversaries exploit this by setting a debugger to execute malicious code instead, achieving persistence or evasion. The detection rule identifies changes to specific registry keys associated with IFEO, flagging potential misuse by monitoring for unexpected executables being set as debuggers. + +### Possible investigation steps + +- Review the registry path and value that triggered the alert to identify the specific executable or process being targeted for debugging or monitoring. +- Check the registry.data.strings field to determine the unexpected executable set as a debugger or monitor process, and assess its legitimacy. 
+- Investigate the origin and purpose of the executable found in the registry.data.strings by checking its file properties, digital signature, and any associated metadata. +- Correlate the alert with recent system or user activity to identify any suspicious behavior or changes that coincide with the registry modification. +- Examine the system for additional indicators of compromise, such as unusual network connections, file modifications, or other registry changes, to assess the scope of potential malicious activity. +- Consult threat intelligence sources to determine if the identified executable or behavior is associated with known malware or threat actors. + +### False positive analysis + +- ThinKiosk and PSAppDeployToolkit are known to trigger false positives due to their legitimate use of the Debugger registry key. Users can mitigate this by adding exceptions for these applications in the detection rule. +- Regularly review and update the list of exceptions to include any new legitimate applications that may use the Debugger or MonitorProcess registry keys for valid purposes. +- Monitor the environment for any new software installations or updates that might interact with the IFEO registry keys and adjust the rule exceptions accordingly to prevent unnecessary alerts. +- Collaborate with IT and security teams to identify any internal tools or scripts that might be using these registry keys for legitimate reasons and ensure they are accounted for in the rule exceptions. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Terminate any suspicious processes identified as being executed through the IFEO mechanism to halt any ongoing malicious activity. +- Revert any unauthorized changes to the registry keys associated with Image File Execution Options and SilentProcessExit to their default or intended state. 
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms. +- Review and restore any altered or deleted system files from a known good backup to ensure system integrity. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for registry changes related to IFEO to detect and respond to similar threats in the future.""" references = [ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", ] 
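Review bot: The false-positive section of the added `note` tells analysts to handle ThinKiosk and PSAppDeployToolkit by adding more exceptions, but the rule's own exclusion (visible as context in the following hunk, `""".*\\PSAppDeployToolkit\\.*"""`) is already an unanchored match on the Debugger value, so any IFEO debugger whose path merely contains a `\PSAppDeployToolkit\` directory is suppressed — and an attacker who can write the HKLM IFEO key can choose that directory name. The guide should warn about this instead of encouraging further path-based exceptions; suggested addition to the false-positive bullets: `Anchor exceptions on the full expected path (and the process code signature where the data source provides it) rather than a directory-name substring, since whoever controls the Debugger value can reuse a whitelisted directory name.` The ThinKiosk pattern is anchored to `C:\Program Files` and is not affected. The `note` string is complete within this hunk.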
@@ -59,40 +98,6 @@ registry where host.os.type == "windows" and event.type == "change" and /* add FPs here */ not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Image File Execution Options Injection - -Image File Execution Options (IFEO) is a Windows feature allowing developers to debug applications by specifying an alternative executable to run. Adversaries exploit this by setting a debugger to execute malicious code instead, achieving persistence or evasion. The detection rule identifies changes to specific registry keys associated with IFEO, flagging potential misuse by monitoring for unexpected executables being set as debuggers. - -### Possible investigation steps - -- Review the registry path and value that triggered the alert to identify the specific executable or process being targeted for debugging or monitoring. -- Check the registry.data.strings field to determine the unexpected executable set as a debugger or monitor process, and assess its legitimacy. -- Investigate the origin and purpose of the executable found in the registry.data.strings by checking its file properties, digital signature, and any associated metadata. -- Correlate the alert with recent system or user activity to identify any suspicious behavior or changes that coincide with the registry modification. -- Examine the system for additional indicators of compromise, such as unusual network connections, file modifications, or other registry changes, to assess the scope of potential malicious activity. 
-- Consult threat intelligence sources to determine if the identified executable or behavior is associated with known malware or threat actors. - -### False positive analysis - -- ThinKiosk and PSAppDeployToolkit are known to trigger false positives due to their legitimate use of the Debugger registry key. Users can mitigate this by adding exceptions for these applications in the detection rule. -- Regularly review and update the list of exceptions to include any new legitimate applications that may use the Debugger or MonitorProcess registry keys for valid purposes. -- Monitor the environment for any new software installations or updates that might interact with the IFEO registry keys and adjust the rule exceptions accordingly to prevent unnecessary alerts. -- Collaborate with IT and security teams to identify any internal tools or scripts that might be using these registry keys for legitimate reasons and ensure they are accounted for in the rule exceptions. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Terminate any suspicious processes identified as being executed through the IFEO mechanism to halt any ongoing malicious activity. -- Revert any unauthorized changes to the registry keys associated with Image File Execution Options and SilentProcessExit to their default or intended state. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms. -- Review and restore any altered or deleted system files from a known good backup to ensure system integrity. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. 
-- Implement enhanced monitoring and logging for registry changes related to IFEO to detect and respond to similar threats in the future.""" [[rule.threat]] diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 56a73df3705..2ee3ecadfae 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -39,7 +37,14 @@ Identifies suspicious startup shell folder modifications to change the default S detections monitoring file creation in the Windows Startup folder. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Startup Shell Folder Modification" diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml index af54846d070..2898f609ef9 100644 --- a/rules/windows/persistence_group_modification_by_system.toml +++ b/rules/windows/persistence_group_modification_by_system.toml 
@@ -2,45 +2,21 @@ creation_date = "2024/06/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting -vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account. +vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain +account. """ from = "now-9m" index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Active Directory Group Modification by SYSTEM" -risk_score = 47 -rule_id = "6f024bde-7085-489b-8250-5957efdf1caf" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -iam where winlog.api == "wineventlog" and event.code == "4728" and -winlog.event_data.SubjectUserSid : "S-1-5-18" and - -/* DOMAIN_USERS and local groups */ -not group.id : "S-1-5-21-*-513" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -76,6 +52,29 @@ Active Directory (AD) is a critical component in Windows environments, managing - Apply security patches and updates to the domain controller to address any vulnerabilities that may have been exploited to gain SYSTEM privileges. - Monitor for any further suspicious activities or attempts to modify Active Directory groups, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the full scope of the breach.""" +risk_score = 47 +rule_id = "6f024bde-7085-489b-8250-5957efdf1caf" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +iam where winlog.api == "wineventlog" and event.code == "4728" and +winlog.event_data.SubjectUserSid : "S-1-5-18" and + +/* DOMAIN_USERS and local groups */ +not group.id : "S-1-5-21-*-513" +''' [[rule.threat]] @@ -90,7 +89,6 @@ reference = "https://attack.mitre.org/techniques/T1098/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml index d6ffe953c3e..e062106880e 100644 --- a/rules/windows/persistence_local_scheduled_job_creation.toml +++ b/rules/windows/persistence_local_scheduled_job_creation.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,34 +12,17 @@ task scheduling functionality to facilitate initial or recurring execution of ma """ false_positives = ["Legitimate scheduled jobs may be created during installation of new software."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Persistence via Scheduled Job Creation" -risk_score = 47 -rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type != "deletion" and - file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" and - not ( - ( - process.executable : "?:\\Program Files\\CCleaner\\CCleaner64.exe" and - file.path : "?:\\Windows\\Tasks\\CCleanerCrashReporting.job" - ) or - ( - process.executable : ( - "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe", - "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe" - ) and - file.path : "?:\\Windows\\Tasks\\DCAgentUpdater.job" - ) - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -76,6 +57,41 @@ Scheduled jobs in Windows environments allow tasks to be automated by executing - Review and audit other scheduled tasks on the system to ensure no additional unauthorized or suspicious jobs are present. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected. - Implement enhanced monitoring and alerting for scheduled job creation activities across the network to detect similar threats in the future, leveraging the specific query fields used in the detection rule.""" +risk_score = 47 +rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type != "deletion" and + file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" and + not ( + ( + process.executable : "?:\\Program Files\\CCleaner\\CCleaner64.exe" and + file.path : "?:\\Windows\\Tasks\\CCleanerCrashReporting.job" + ) or + ( + process.executable : ( + "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe", + "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe" + ) and + file.path : "?:\\Windows\\Tasks\\DCAgentUpdater.job" + ) + ) +''' [[rule.threat]] diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index d8d21c6d8ab..e0bda7e66c5 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml +++ b/rules/windows/persistence_local_scheduled_task_creation.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/04" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,41 @@ index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_ language = "eql" license = "Elastic License v2" name = "Local Scheduled Task Creation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Local Scheduled Task Creation + +Scheduled tasks in Windows automate routine tasks, but adversaries exploit them for persistence, lateral movement, or privilege escalation. They may use command-line tools like `schtasks.exe` to create tasks under non-system accounts. The detection rule identifies suspicious task creation by monitoring specific processes and command-line arguments, excluding those initiated by system-level users, to flag potential misuse. + +### Possible investigation steps + +- Review the process entity ID to identify the parent process that initiated the scheduled task creation. This can provide context on whether the task was created by a legitimate application or a potentially malicious one. +- Examine the command-line arguments used with schtasks.exe, specifically looking for unusual or suspicious parameters that might indicate malicious intent, such as unexpected task names or execution paths. +- Check the user account associated with the task creation to determine if it is a non-system account and assess whether this account should have the capability to create scheduled tasks. +- Investigate the integrity level of the process to confirm it is not running with elevated privileges, which could indicate an attempt to bypass security controls. 
+- Correlate the event with other recent activities on the host, such as file modifications or network connections, to identify any patterns or additional indicators of compromise. +- Review the code signature of the initiating process to determine if it is trusted or untrusted, which can help assess the legitimacy of the process creating the task. + +### False positive analysis + +- Scheduled tasks created by legitimate administrative tools or scripts may trigger false positives. Users should identify and whitelist these known benign processes to prevent unnecessary alerts. +- Routine maintenance tasks initiated by IT departments, such as software updates or system checks, can be mistaken for suspicious activity. Exclude these tasks by specifying their unique process names or command-line arguments. +- Tasks created by trusted third-party applications for legitimate purposes might be flagged. Review and exclude these applications by verifying their code signatures and adding them to an exception list. +- Automated tasks set up by non-system accounts for regular operations, like backups or monitoring, can be misinterpreted. Document these tasks and exclude them based on their specific parameters or user accounts involved. +- Consider excluding tasks with a consistent and verified schedule that aligns with organizational policies, as these are less likely to be malicious. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. +- Terminate any suspicious scheduled tasks identified by the alert using Task Scheduler or command-line tools like schtasks.exe to stop further execution. +- Review and remove any unauthorized scheduled tasks created by non-system accounts to eliminate persistence mechanisms. 
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious artifacts. +- Analyze the user account involved in the task creation for signs of compromise, and reset credentials if necessary to prevent further unauthorized access. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for scheduled task creation events to detect similar threats in the future, ensuring alerts are configured to notify the appropriate teams promptly.""" references = [ "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2", 
@@ -54,41 +87,6 @@ sequence with maxspan=1m not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") ] by process.parent.entity_id ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Local Scheduled Task Creation - -Scheduled tasks in Windows automate routine tasks, but adversaries exploit them for persistence, lateral movement, or privilege escalation. They may use command-line tools like `schtasks.exe` to create tasks under non-system accounts. The detection rule identifies suspicious task creation by monitoring specific processes and command-line arguments, excluding those initiated by system-level users, to flag potential misuse. - -### Possible investigation steps - -- Review the process entity ID to identify the parent process that initiated the scheduled task creation. This can provide context on whether the task was created by a legitimate application or a potentially malicious one. -- Examine the command-line arguments used with schtasks.exe, specifically looking for unusual or suspicious parameters that might indicate malicious intent, such as unexpected task names or execution paths. -- Check the user account associated with the task creation to determine if it is a non-system account and assess whether this account should have the capability to create scheduled tasks. -- Investigate the integrity level of the process to confirm it is not running with elevated privileges, which could indicate an attempt to bypass security controls. 
-- Correlate the event with other recent activities on the host, such as file modifications or network connections, to identify any patterns or additional indicators of compromise. -- Review the code signature of the initiating process to determine if it is trusted or untrusted, which can help assess the legitimacy of the process creating the task. - -### False positive analysis - -- Scheduled tasks created by legitimate administrative tools or scripts may trigger false positives. Users should identify and whitelist these known benign processes to prevent unnecessary alerts. -- Routine maintenance tasks initiated by IT departments, such as software updates or system checks, can be mistaken for suspicious activity. Exclude these tasks by specifying their unique process names or command-line arguments. -- Tasks created by trusted third-party applications for legitimate purposes might be flagged. Review and exclude these applications by verifying their code signatures and adding them to an exception list. -- Automated tasks set up by non-system accounts for regular operations, like backups or monitoring, can be misinterpreted. Document these tasks and exclude them based on their specific parameters or user accounts involved. -- Consider excluding tasks with a consistent and verified schedule that aligns with organizational policies, as these are less likely to be malicious. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. -- Terminate any suspicious scheduled tasks identified by the alert using Task Scheduler or command-line tools like schtasks.exe to stop further execution. -- Review and remove any unauthorized scheduled tasks created by non-system accounts to eliminate persistence mechanisms. 
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious artifacts. -- Analyze the user account involved in the task creation for signs of compromise, and reset credentials if necessary to prevent further unauthorized access. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring and logging for scheduled task creation events to detect similar threats in the future, ensuring alerts are configured to notify the appropriate teams promptly.""" [[rule.threat]] diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index caa7c4dfb56..f8f93d54439 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index b85c801827d..9dcb2d15929 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml 
@@ -2,47 +2,23 @@ creation_date = "2020/10/16" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins." from = "now-9m" -index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.file-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Persistence via Microsoft Office AddIns" -references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"] -risk_score = 73 -rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type != "deletion" and - file.extension : ("wll","xll","ppa","ppam","xla","xlam") and - file.path : - ( - "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*", - "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*", - "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -78,6 +54,35 @@ Microsoft Office AddIns enhance productivity by allowing custom functionalities - Review and restore any altered system configurations or settings to their default state to ensure system integrity. - Monitor the affected system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further analysis and to determine if additional systems are affected.""" +references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"] +risk_score = 73 +rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type != "deletion" and + file.extension : ("wll","xll","ppa","ppam","xla","xlam") and + file.path : + ( + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" + ) +''' [[rule.threat]] diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index 5ce927e6f48..52490e8946b 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml 
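Review bot: The query moved into this hunk anchors all three add-in locations to a fixed drive letter (`"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*"` and its two siblings), whereas the scheduled-job query in the same commit uses the `?:\\` wildcard for the drive, so user profiles hosted on another volume would not match here. Unless the fixed `C:` is deliberate, changing the three prefixes to `?:\\Users\\*\\AppData\\Roaming\\Microsoft\\...` keeps the rules consistent; if it is deliberate, a short comment inside the query explaining the choice would save the next reviewer the same question. The Outlook VBA query in the persistence_ms_outlook_vba_template hunk carries the same fixed `C:\\Users` prefix.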
@@ -2,45 +2,24 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template." false_positives = ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."] from = "now-9m" -index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.file-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Persistence via Microsoft Outlook VBA" -references = [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", -] -risk_score = 47 -rule_id = "397945f3-d39a-4e6f-8bcb-9656c2031438" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type != "deletion" and - file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -77,6 +56,32 @@ Microsoft Outlook supports VBA scripting to automate tasks, which can be exploit - Conduct a full antivirus and antimalware scan on the affected endpoint using tools like Microsoft Defender for Endpoint to identify and remove any additional threats. - Review and update endpoint security policies to restrict unauthorized modifications to Outlook VBA files, leveraging application whitelisting or similar controls. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +references = [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", +] +risk_score = 47 +rule_id = "397945f3-d39a-4e6f-8bcb-9656c2031438" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type != "deletion" and + file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM" +''' [[rule.threat]] diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index fb537f2b6fc..d7332d146f6 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/01/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,40 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "KRBTGT Delegation Backdoor" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating KRBTGT Delegation Backdoor + +In Active Directory, the KRBTGT account is crucial for Kerberos ticket granting. Adversaries may exploit this by altering the msDS-AllowedToDelegateTo attribute, enabling unauthorized ticket requests and persistent domain access. The detection rule identifies such modifications by monitoring specific event actions and codes, flagging high-risk changes to the KRBTGT delegation settings. + +### Possible investigation steps + +- Review the event logs for the specific event code 4738 to identify the user account that was modified and verify if the msDS-AllowedToDelegateTo attribute includes the KRBTGT service. +- Investigate the user account that performed the modification by checking their recent activities and login history to determine if the action was authorized or suspicious. +- Examine the timeline of the modification event to correlate it with any other unusual activities or alerts in the network around the same time. +- Check for any other modifications to sensitive attributes or accounts in Active Directory that might indicate a broader compromise. +- Assess the potential impact on the domain by evaluating the access level and permissions of the modified account and any associated systems or services. 
+- Consult with the IT security team to determine if there are any known maintenance activities or changes that could explain the modification, ensuring it was not a legitimate administrative action. + +### False positive analysis + +- Routine administrative tasks involving legitimate changes to the msDS-AllowedToDelegateTo attribute for service accounts may trigger alerts. Review the context of the change and verify with the IT team if it aligns with scheduled maintenance or updates. +- Automated scripts or tools used for Active Directory management might modify delegation settings as part of their operations. Identify these scripts and exclude their activity from triggering alerts by creating exceptions based on the script's signature or the account used. +- Changes made by trusted third-party applications that require delegation for functionality can be mistaken for malicious activity. Document these applications and adjust the detection rule to exclude their known and expected behavior. +- Regular audits or compliance checks that involve modifications to delegation settings should be accounted for. Coordinate with audit teams to schedule these activities and temporarily adjust monitoring rules to prevent false positives during these periods. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or ticket requests using the KRBTGT account. +- Revert any unauthorized changes to the msDS-AllowedToDelegateTo attribute for the KRBTGT account by restoring it to its previous state using a known good backup or manually resetting the attribute. +- Reset the KRBTGT account password twice to invalidate any existing Kerberos tickets that may have been issued using the compromised delegation settings. +- Conduct a thorough review of recent changes to user accounts and delegation settings in Active Directory to identify any other potential unauthorized modifications. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the compromise. +- Implement enhanced monitoring for changes to critical accounts and attributes in Active Directory, focusing on the KRBTGT account and similar high-value targets. +- Review and update access controls and delegation permissions to ensure that only authorized personnel have the ability to modify sensitive attributes like msDS-AllowedToDelegateTo.""" references = [ "https://skyblue.team/posts/delegate-krbtgt", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md", 
@@ -56,40 +88,6 @@ type = "eql" query = ''' iam where event.code == "4738" and winlog.event_data.AllowedToDelegateTo : "*krbtgt*" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating KRBTGT Delegation Backdoor - -In Active Directory, the KRBTGT account is crucial for Kerberos ticket granting. Adversaries may exploit this by altering the msDS-AllowedToDelegateTo attribute, enabling unauthorized ticket requests and persistent domain access. The detection rule identifies such modifications by monitoring specific event actions and codes, flagging high-risk changes to the KRBTGT delegation settings. - -### Possible investigation steps - -- Review the event logs for the specific event code 4738 to identify the user account that was modified and verify if the msDS-AllowedToDelegateTo attribute includes the KRBTGT service. -- Investigate the user account that performed the modification by checking their recent activities and login history to determine if the action was authorized or suspicious. -- Examine the timeline of the modification event to correlate it with any other unusual activities or alerts in the network around the same time. -- Check for any other modifications to sensitive attributes or accounts in Active Directory that might indicate a broader compromise. -- Assess the potential impact on the domain by evaluating the access level and permissions of the modified account and any associated systems or services. -- Consult with the IT security team to determine if there are any known maintenance activities or changes that could explain the modification, ensuring it was not a legitimate administrative action. 
- -### False positive analysis - -- Routine administrative tasks involving legitimate changes to the msDS-AllowedToDelegateTo attribute for service accounts may trigger alerts. Review the context of the change and verify with the IT team if it aligns with scheduled maintenance or updates. -- Automated scripts or tools used for Active Directory management might modify delegation settings as part of their operations. Identify these scripts and exclude their activity from triggering alerts by creating exceptions based on the script's signature or the account used. -- Changes made by trusted third-party applications that require delegation for functionality can be mistaken for malicious activity. Document these applications and adjust the detection rule to exclude their known and expected behavior. -- Regular audits or compliance checks that involve modifications to delegation settings should be accounted for. Coordinate with audit teams to schedule these activities and temporarily adjust monitoring rules to prevent false positives during these periods. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or ticket requests using the KRBTGT account. -- Revert any unauthorized changes to the msDS-AllowedToDelegateTo attribute for the KRBTGT account by restoring it to its previous state using a known good backup or manually resetting the attribute. -- Reset the KRBTGT account password twice to invalidate any existing Kerberos tickets that may have been issued using the compromised delegation settings. -- Conduct a thorough review of recent changes to user accounts and delegation settings in Active Directory to identify any other potential unauthorized modifications. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the compromise. 
-- Implement enhanced monitoring for changes to critical accounts and attributes in Active Directory, focusing on the KRBTGT account and similar high-value targets. -- Review and update access controls and delegation permissions to ensure that only authorized personnel have the ability to modify sensitive attributes like msDS-AllowedToDelegateTo.""" [[rule.threat]] diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml index ac992d40a27..29f14f2b79d 100644 --- a/rules/windows/persistence_msoffice_startup_registry.toml +++ b/rules/windows/persistence_msoffice_startup_registry.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,35 +12,15 @@ specify a DLL which will be executed every time an MS Office application is star
 persistence on a compromised host.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "logs-m365_defender.event-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "logs-m365_defender.event-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Office Test Registry Persistence"
-references = [
- "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
-]
-risk_score = 21
-rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.action != "deletion" and
- registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -77,6 +55,31 @@ The Office Test Registry key in Windows environments allows specifying a DLL to
 - Review recent user activity and system logs to identify any unauthorized access or changes that may have led to the registry modification, and reset credentials if necessary.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and alerting for similar registry modifications across the network to detect and respond to future attempts promptly."""
+references = [
+ "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
+]
+risk_score = 21
+rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.action != "deletion" and
+ registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
index 508ccf74a61..66781d5c4aa 100644
--- a/rules/windows/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,36 +12,16 @@ functionality. Attackers may abuse this mechanism to execute malicious payloads
 which can be done by administrators or a scheduled task.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Netsh Helper DLL"
-risk_score = 21
-rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.type == "change" and
- registry.path : (
- "HKLM\\Software\\Microsoft\\netsh\\*",
- "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*",
- "MACHINE\\Software\\Microsoft\\netsh\\*"
- )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -77,6 +55,32 @@ Netsh, a command-line utility in Windows, allows for network configuration and d
 - Review and restore any altered system configurations to their original state to ensure system integrity.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for registry changes related to Netsh Helper DLLs to detect similar threats in the future."""
+risk_score = 21
+rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+ registry.path : (
+ "HKLM\\Software\\Microsoft\\netsh\\*",
+ "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*",
+ "MACHINE\\Software\\Microsoft\\netsh\\*"
+ )
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index d43d6d6685d..70d8729bfdc 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -28,35 +26,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "New ActiveSyncAllowedDeviceID Added via PowerShell"
-references = [
- "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
- "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps",
-]
-risk_score = 47
-rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -92,6 +61,35 @@ ActiveSync is a protocol enabling mobile devices to synchronize with Exchange ma
 - Notify the security team and relevant stakeholders about the incident for further investigation and potential escalation.
 - Implement additional monitoring on the affected account and similar accounts for any unusual activity or further attempts to add unauthorized devices.
 - Review and update the organization's security policies and procedures related to mobile device access and PowerShell usage to prevent recurrence."""
+references = [
+ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+ "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps",
+]
+risk_score = 47
+rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 429be36cbb6..a38642dfefd 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/10/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -40,7 +38,14 @@ PowerShell starts to customize the user environment, which can be abused by atta
 PowerShell is common.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via PowerShell profile"
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 6e23f13d359..8e79187f85e 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -40,7 +38,13 @@ adversary can modify the way these programs are launched to get a command prompt
 system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Modification of Accessibility Binaries"
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index bdfb1d87180..477f8078256 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -17,9 +15,44 @@ index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*",
 language = "eql"
 license = "Elastic License v2"
 name = "Uncommon Registry Persistence Change"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Uncommon Registry Persistence Change
+
+Windows Registry is a critical system database storing configuration settings. Adversaries exploit registry keys for persistence, ensuring malicious code executes on startup or during specific events. The detection rule identifies unusual modifications to less commonly altered registry keys, which may indicate stealthy persistence attempts. It filters out benign changes by excluding known legitimate processes and paths, focusing on suspicious alterations.
+
+### Possible investigation steps
+
+- Review the specific registry path and value that triggered the alert to understand the context of the change and its potential impact on system behavior.
+- Identify the process responsible for the registry modification by examining the process.name and process.executable fields, and determine if it is a known legitimate process or potentially malicious.
+- Check the registry.data.strings field to see the new data or command being set in the registry key, and assess whether it aligns with known legitimate software or suspicious activity.
+- Investigate the user account associated with the registry change by reviewing the HKEY_USERS path, if applicable, to determine if the change was made by an authorized user or an unexpected account.
+- Correlate the alert with other recent events on the host, such as file modifications or network connections, to identify any additional indicators of compromise or related suspicious activity.
+- Consult threat intelligence sources or databases to see if the registry path or process involved is associated with known malware or adversary techniques.
+
+### False positive analysis
+
+- Legitimate software installations or updates may modify registry keys for setup or configuration purposes. Users can create exceptions for known software paths like C:\\Program Files\\*.exe to reduce noise.
+- System maintenance processes such as Windows Update might trigger changes in registry keys like SetupExecute. Exclude processes like TiWorker.exe and poqexec.exe when they match known update patterns.
+- Administrative scripts or tools that automate system configurations can alter registry keys. Identify and exclude these scripts by their executable paths or process names to prevent false alerts.
+- Security software, including antivirus or endpoint protection, may interact with registry keys for monitoring purposes. Exclude paths related to these tools, such as C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe, to avoid false positives.
+- User-initiated changes through control panel settings or personalization options can affect registry keys like SCRNSAVE.EXE. Exclude common system paths like %windir%\\system32\\rundll32.exe user32.dll,LockWorkStation to minimize false detections.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of potential malicious activity.
+- Terminate any suspicious processes identified in the alert, particularly those not matching known legitimate executables or paths.
+- Restore any altered registry keys to their original state using a known good backup or by manually resetting them to default values.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
+- Review and update endpoint protection policies to ensure that similar registry changes are monitored and alerted on in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases."""
 references = [
-"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2",
-"https://github.com/rad9800/BootExecuteEDR"
+ "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2",
+ "https://github.com/rad9800/BootExecuteEDR",
 ]
 risk_score = 47
 rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
@@ -116,41 +149,6 @@ registry where host.os.type == "windows" and event.type == "change" and
 )
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Uncommon Registry Persistence Change
-
-Windows Registry is a critical system database storing configuration settings. Adversaries exploit registry keys for persistence, ensuring malicious code executes on startup or during specific events. The detection rule identifies unusual modifications to less commonly altered registry keys, which may indicate stealthy persistence attempts. It filters out benign changes by excluding known legitimate processes and paths, focusing on suspicious alterations.
-
-### Possible investigation steps
-
-- Review the specific registry path and value that triggered the alert to understand the context of the change and its potential impact on system behavior.
-- Identify the process responsible for the registry modification by examining the process.name and process.executable fields, and determine if it is a known legitimate process or potentially malicious.
-- Check the registry.data.strings field to see the new data or command being set in the registry key, and assess whether it aligns with known legitimate software or suspicious activity.
-- Investigate the user account associated with the registry change by reviewing the HKEY_USERS path, if applicable, to determine if the change was made by an authorized user or an unexpected account.
-- Correlate the alert with other recent events on the host, such as file modifications or network connections, to identify any additional indicators of compromise or related suspicious activity.
-- Consult threat intelligence sources or databases to see if the registry path or process involved is associated with known malware or adversary techniques.
-
-### False positive analysis
-
-- Legitimate software installations or updates may modify registry keys for setup or configuration purposes. Users can create exceptions for known software paths like C:\\Program Files\\*.exe to reduce noise.
-- System maintenance processes such as Windows Update might trigger changes in registry keys like SetupExecute. Exclude processes like TiWorker.exe and poqexec.exe when they match known update patterns.
-- Administrative scripts or tools that automate system configurations can alter registry keys. Identify and exclude these scripts by their executable paths or process names to prevent false alerts.
-- Security software, including antivirus or endpoint protection, may interact with registry keys for monitoring purposes. Exclude paths related to these tools, such as C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe, to avoid false positives.
-- User-initiated changes through control panel settings or personalization options can affect registry keys like SCRNSAVE.EXE. Exclude common system paths like %windir%\\system32\\rundll32.exe user32.dll,LockWorkStation to minimize false detections.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of potential malicious activity.
-- Terminate any suspicious processes identified in the alert, particularly those not matching known legitimate executables or paths.
-- Restore any altered registry keys to their original state using a known good backup or by manually resetting them to default values.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
-- Review and update endpoint protection policies to ensure that similar registry changes are monitored and alerted on in the future.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index a60cd2a8ea8..e3968f798cb 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 9c3d573ec62..5152e42debf 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -17,41 +15,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_
 language = "eql"
 license = "Elastic License v2"
 name = "Execution of Persistent Suspicious Program"
-risk_score = 47
-rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */
-sequence by host.id, user.name with maxspan=1m
- [process where host.os.type == "windows" and event.type == "start" and process.name : "userinit.exe" and process.parent.name : "winlogon.exe"]
- [process where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe"]
- [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "explorer.exe" and
- /* add suspicious programs here */
- process.pe.original_file_name in ("cscript.exe",
- "wscript.exe",
- "PowerShell.EXE",
- "MSHTA.EXE",
- "RUNDLL32.EXE",
- "REGSVR32.EXE",
- "RegAsm.exe",
- "MSBuild.exe",
- "InstallUtil.exe") and
- /* add potential suspicious paths here */
- process.args : ("C:\\Users\\*", "C:\\ProgramData\\*", "C:\\Windows\\Temp\\*", "C:\\Windows\\Tasks\\*", "C:\\PerfLogs\\*", "C:\\Intel\\*")
- ]
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -87,6 +50,41 @@ Persistent programs, like scripts or rundll32, are often used by adversaries to
 - Review and restore any modified system configurations or registry settings to their default or secure state.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for the affected host and similar systems to detect any recurrence or related suspicious activities."""
+risk_score = 47
+rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */
+sequence by host.id, user.name with maxspan=1m
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "userinit.exe" and process.parent.name : "winlogon.exe"]
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe"]
+ [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "explorer.exe" and
+ /* add suspicious programs here */
+ process.pe.original_file_name in ("cscript.exe",
+ "wscript.exe",
+ "PowerShell.EXE",
+ "MSHTA.EXE",
+ "RUNDLL32.EXE",
+ "REGSVR32.EXE",
+ "RegAsm.exe",
+ "MSBuild.exe",
+ "InstallUtil.exe") and
+ /* add potential suspicious paths here */
+ process.args : ("C:\\Users\\*", "C:\\ProgramData\\*", "C:\\Windows\\Temp\\*", "C:\\Windows\\Tasks\\*", "C:\\PerfLogs\\*", "C:\\Intel\\*")
+ ]
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml
index 8c9afca3854..fe8ba2e6a28 100644
--- a/rules/windows/persistence_scheduled_task_creation_winlog.toml
+++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,39 +16,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "A scheduled task was created"
-references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
-risk_score = 21
-rule_id = "92a6faf5-78ec-4e25-bea1-73bacc9b59d9"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-iam where event.action == "scheduled-task-created" and
-
- /* excluding tasks created by the computer account */
- not user.name : "*$" and
-
- /* TaskContent is not parsed, exclude by full taskname noisy ones */
- not winlog.event_data.TaskName : (
- "\\CreateExplorerShellUnelevatedTask",
- "\\Hewlett-Packard\\HPDeviceCheck",
- "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker",
- "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker_backup",
- "\\Hewlett-Packard\\HP Web Products Detection",
- "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
- "\\OneDrive Standalone Update Task-S-1-5-21*",
- "\\OneDrive Standalone Update Task-S-1-12-1-*"
- )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -84,6 +49,39 @@ Scheduled tasks in Windows automate routine tasks, enhancing efficiency. However
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Monitor the system and network for any signs of re-infection or further unauthorized scheduled task creation.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
+risk_score = 21
+rule_id = "92a6faf5-78ec-4e25-bea1-73bacc9b59d9"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+iam where event.action == "scheduled-task-created" and
+
+ /* excluding tasks created by the computer account */
+ not user.name : "*$" and
+
+ /* TaskContent is not parsed, exclude by full taskname noisy ones */
+ not winlog.event_data.TaskName : (
+ "\\CreateExplorerShellUnelevatedTask",
+ "\\Hewlett-Packard\\HPDeviceCheck",
+ "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker",
+ "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker_backup",
+ "\\Hewlett-Packard\\HP Web Products Detection",
+ "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
+ "\\OneDrive Standalone Update Task-S-1-5-21*",
+ "\\OneDrive Standalone Update Task-S-1-12-1-*"
+ )
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml
index 5efd12e4881..e563b6a34a5 100644
--- a/rules/windows/persistence_scheduled_task_updated.toml
+++ b/rules/windows/persistence_scheduled_task_updated.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +17,39 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "A scheduled task was updated"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating A scheduled task was updated
+
+Scheduled tasks in Windows automate routine tasks, enhancing efficiency. However, adversaries exploit this by modifying tasks to maintain persistence, often altering legitimate tasks to evade detection. The detection rule identifies suspicious updates by filtering out benign changes, such as those by system accounts or known safe tasks, focusing on anomalies that suggest malicious intent.
+
+### Possible investigation steps
+
+- Review the event logs to identify the specific scheduled task that was updated, focusing on the winlog.event_data.TaskName field to determine if it matches any known malicious patterns.
+- Investigate the user account associated with the update by examining the user.name field to ensure it is not a compromised account or an unauthorized user.
+- Check the winlog.event_data.SubjectUserSid field to verify if the update was made by a system account or a potentially malicious user, as system accounts like S-1-5-18, S-1-5-19, and S-1-5-20 are typically benign.
+- Analyze the history of changes to the scheduled task to identify any unusual or unauthorized modifications that could indicate persistence mechanisms.
+- Correlate the scheduled task update with other security events or alerts to determine if it is part of a broader attack pattern or campaign.
+
+### False positive analysis
+
+- Scheduled tasks updated by system accounts can be false positives. Exclude updates made by system accounts by filtering out user names ending with a dollar sign.
+- Legitimate Microsoft tasks often update automatically. Exclude tasks with names containing "Microsoft" to reduce noise from these updates.
+- Commonly updated tasks like User Feed Synchronization and OneDrive Reporting are typically benign. Exclude these specific task names to avoid unnecessary alerts.
+- Tasks updated by well-known service SIDs such as S-1-5-18, S-1-5-19, and S-1-5-20 are generally safe. Exclude these SIDs to prevent false positives from routine system operations.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
+- Review the specific scheduled task that was updated to determine if it was altered by an unauthorized user or process. Revert any unauthorized changes to their original state.
+- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious software that may have been introduced.
+- Analyze the user account that made the changes to the scheduled task. If the account is compromised, reset the password and review recent activities for further signs of compromise.
+- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized scheduled task updates or related suspicious activities.
+- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign.
+- Review and update access controls and permissions related to scheduled tasks to ensure only authorized personnel can make changes, reducing the risk of future unauthorized modifications."""
 references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
 risk_score = 47
 rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb"
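Review bot: The false-positive bullet that recommends excluding tasks "with names containing "Microsoft"" is broader than what the rule's query does — the visible tail of the query later in this file excludes specific full names such as `\Microsoft\VisualStudio\Updates\BackgroundDownload` — and following it literally hands adversaries a dependable evasion, since registering a task under `\Microsoft\` is a common blending technique. Suggest rewording it to `- Legitimate Microsoft tasks often update automatically. Add exceptions only for specific, verified full task names rather than any name containing "Microsoft".`. The first bullet has the same problem in a milder form: filtering on a trailing dollar sign removes updates performed in machine-account/SYSTEM context, which is where much persistence tooling runs, so the guide should present it as a noise trade-off rather than a safe default. The query these bullets describe is only partly visible in this chunk.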
@@ -55,39 +86,6 @@ iam where event.action == "scheduled-task-updated" and
 "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and
 not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating A scheduled task was updated
-
-Scheduled tasks in Windows automate routine tasks, enhancing efficiency. However, adversaries exploit this by modifying tasks to maintain persistence, often altering legitimate tasks to evade detection. The detection rule identifies suspicious updates by filtering out benign changes, such as those by system accounts or known safe tasks, focusing on anomalies that suggest malicious intent.
-
-### Possible investigation steps
-
-- Review the event logs to identify the specific scheduled task that was updated, focusing on the winlog.event_data.TaskName field to determine if it matches any known malicious patterns.
-- Investigate the user account associated with the update by examining the user.name field to ensure it is not a compromised account or an unauthorized user.
-- Check the winlog.event_data.SubjectUserSid field to verify if the update was made by a system account or a potentially malicious user, as system accounts like S-1-5-18, S-1-5-19, and S-1-5-20 are typically benign.
-- Analyze the history of changes to the scheduled task to identify any unusual or unauthorized modifications that could indicate persistence mechanisms.
-- Correlate the scheduled task update with other security events or alerts to determine if it is part of a broader attack pattern or campaign.
-
-### False positive analysis
-
-- Scheduled tasks updated by system accounts can be false positives. Exclude updates made by system accounts by filtering out user names ending with a dollar sign.
-- Legitimate Microsoft tasks often update automatically. Exclude tasks with names containing "Microsoft" to reduce noise from these updates.
-- Commonly updated tasks like User Feed Synchronization and OneDrive Reporting are typically benign. Exclude these specific task names to avoid unnecessary alerts.
-- Tasks updated by well-known service SIDs such as S-1-5-18, S-1-5-19, and S-1-5-20 are generally safe. Exclude these SIDs to prevent false positives from routine system operations.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
-- Review the specific scheduled task that was updated to determine if it was altered by an unauthorized user or process. Revert any unauthorized changes to their original state.
-- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious software that may have been introduced.
-- Analyze the user account that made the changes to the scheduled task. If the account is compromised, reset the password and review recent activities for further signs of compromise.
-- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized scheduled task updates or related suspicious activities.
-- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign.
-- Review and update access controls and permissions related to scheduled tasks to ensure only authorized personnel can make changes, reducing the risk of future unauthorized modifications."""
 [[rule.threat]]
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index b250f6fd259..49f8e1171f3 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -2,9 +2,7 @@ creation_date = "2022/02/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml
index dde825ba056..951e473b92b 100644
--- a/rules/windows/persistence_service_windows_service_winlog.toml
+++ b/rules/windows/persistence_service_windows_service_winlog.toml
@@ -2,9 +2,7 @@ creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 45a0fd20e7b..6543ddd8535 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,10 +12,52 @@ could be an indication of an adversary attempting to stealthily persist through
 modification of an existing service.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Persistence via Services Registry"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Persistence via Services Registry
+
+Windows services are crucial for running background processes. Adversaries may exploit this by directly altering service registry keys to maintain persistence, bypassing standard APIs. The detection rule identifies such anomalies by monitoring changes to specific registry paths and filtering out legitimate processes, thus highlighting potential unauthorized service modifications indicative of malicious activity.
+
+### Possible investigation steps
+
+- Review the specific registry paths and values that triggered the alert, focusing on "ServiceDLL" and "ImagePath" within the specified registry paths to identify any unauthorized or suspicious modifications.
+- Examine the process responsible for the registry change, paying attention to the process name and executable path, to determine if it is a known legitimate process or potentially malicious.
+- Cross-reference the process executable path against the list of known legitimate paths excluded in the query to ensure it is not a false positive.
+- Investigate the historical behavior of the process and any associated files or network activity to identify patterns indicative of malicious intent or persistence mechanisms.
+- Check for any recent changes or anomalies in the system's service configurations that could correlate with the registry modifications, indicating potential unauthorized service creation or alteration.
+- Consult threat intelligence sources or databases to determine if the process or registry changes are associated with known malware or adversary techniques.
+
+### False positive analysis
+
+- Legitimate software installations or updates may modify service registry keys directly. Users can create exceptions for known software update processes by excluding their executables from the detection rule.
+- System maintenance tools like Process Explorer may trigger false positives when they interact with service registry keys. Exclude these tools by adding their process names and paths to the exception list.
+- Drivers installed by trusted hardware peripherals might alter service registry keys. Users should identify and exclude these driver paths if they are known to be safe and frequently updated.
+- Custom enterprise applications that require direct registry modifications for service management can be excluded by specifying their executable paths in the rule exceptions.
+- Regular system processes such as svchost.exe or services.exe are already excluded, but ensure any custom scripts or automation tools that mimic these processes are also accounted for in the exceptions.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
+- Terminate any suspicious processes identified in the alert that are not part of legitimate applications or services.
+- Restore the modified registry keys to their original state using a known good backup or by manually correcting the entries to ensure the integrity of the service configurations.
+- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional malicious software or artifacts.
+- Review and update endpoint protection policies to ensure that similar unauthorized registry modifications are detected and blocked in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
+- Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases."""
 risk_score = 21
 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
 severity = "low"
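Review bot: The false-positive bullet asserting that `svchost.exe or services.exe are already excluded` describes the query, but the query body is outside this hunk (only its tail ending in `WaaSMedicAgent.exe` is visible later in the file), so that claim should be checked against the real exclusion list before the guide ships. Because the rule filters on the writing process's executable, an attacker who writes ServiceDLL/ImagePath from inside an excluded process (for example by injecting into services.exe, which is the legitimate writer of these keys) does not trigger it, and the guide's investigation steps never look at the artifact the key now points to. Suggest adding an investigation bullet: `- Inspect the file referenced by the new ImagePath/ServiceDLL value: verify its signature and hash and check whether it was written shortly before the registry change.` That keeps analysts from clearing an alert solely because the writing process looked legitimate.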
@@ -66,41 +106,6 @@ registry where host.os.type == "windows" and event.type == "change" and
 "?:\\Windows\\System32\\WaaSMedicAgent.exe"
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Persistence via Services Registry
-
-Windows services are crucial for running background processes. Adversaries may exploit this by directly altering service registry keys to maintain persistence, bypassing standard APIs. The detection rule identifies such anomalies by monitoring changes to specific registry paths and filtering out legitimate processes, thus highlighting potential unauthorized service modifications indicative of malicious activity.
-
-### Possible investigation steps
-
-- Review the specific registry paths and values that triggered the alert, focusing on "ServiceDLL" and "ImagePath" within the specified registry paths to identify any unauthorized or suspicious modifications.
-- Examine the process responsible for the registry change, paying attention to the process name and executable path, to determine if it is a known legitimate process or potentially malicious.
-- Cross-reference the process executable path against the list of known legitimate paths excluded in the query to ensure it is not a false positive.
-- Investigate the historical behavior of the process and any associated files or network activity to identify patterns indicative of malicious intent or persistence mechanisms.
-- Check for any recent changes or anomalies in the system's service configurations that could correlate with the registry modifications, indicating potential unauthorized service creation or alteration.
-- Consult threat intelligence sources or databases to determine if the process or registry changes are associated with known malware or adversary techniques.
-
-### False positive analysis
-
-- Legitimate software installations or updates may modify service registry keys directly. Users can create exceptions for known software update processes by excluding their executables from the detection rule.
-- System maintenance tools like Process Explorer may trigger false positives when they interact with service registry keys. Exclude these tools by adding their process names and paths to the exception list.
-- Drivers installed by trusted hardware peripherals might alter service registry keys. Users should identify and exclude these driver paths if they are known to be safe and frequently updated.
-- Custom enterprise applications that require direct registry modifications for service management can be excluded by specifying their executable paths in the rule exceptions.
-- Regular system processes such as svchost.exe or services.exe are already excluded, but ensure any custom scripts or automation tools that mimic these processes are also accounted for in the exceptions.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
-- Terminate any suspicious processes identified in the alert that are not part of legitimate applications or services.
-- Restore the modified registry keys to their original state using a known good backup or by manually correcting the entries to ensure the integrity of the service configurations.
-- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional malicious software or artifacts.
-- Review and update endpoint protection policies to ensure that similar unauthorized registry modifications are detected and blocked in the future.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
-- Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases."""
 [[rule.threat]]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 8a9b9603c59..603f5136778 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,14 @@ Identifies files written to or modified in the startup folder by commonly abused
 technique to maintain persistence.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Startup Persistence by a Suspicious Process"
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 84bfe1d5aba..2c10b53bf24 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,14 @@ Identifies script engines creating files in the Startup folder, or the creation
 Adversaries may abuse this technique to maintain persistence in an environment.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistent Scripts in the Startup Directory"
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 380f74446f4..fcea266ea46 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index ddea5aed90f..1fed06e31eb 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/04/07"
 [rule]
 author = ["Elastic"]
@@ -15,6 +13,41 @@ index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Scheduled Task"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Execution via Scheduled Task
+
+Scheduled tasks in Windows automate routine tasks, but adversaries exploit them for persistence and execution of malicious programs. By examining process lineage and command line usage, the detection rule identifies suspicious executions initiated by scheduled tasks. It flags known malicious executables and unusual file paths, while excluding benign processes, to pinpoint potential threats effectively.
+
+### Possible investigation steps
+
+- Review the process lineage to confirm the parent process is "svchost.exe" with arguments containing "Schedule" to verify the execution was initiated by a scheduled task.
+- Examine the command line arguments and file paths of the suspicious process to identify any unusual or unauthorized file locations, such as those listed in the query (e.g., "C:\\Users\\*", "C:\\ProgramData\\*").
+- Check the original file name of the process against the list of known suspicious executables (e.g., "PowerShell.EXE", "Cmd.Exe") to determine if it matches any commonly abused binaries.
+- Investigate the user context under which the process was executed, especially if it deviates from expected system accounts or known service accounts.
+- Correlate the event with other security logs or alerts to identify any related suspicious activities or patterns that might indicate a broader attack campaign.
+- Assess the risk and impact of the detected activity by considering the severity and risk score provided, and determine if immediate containment or remediation actions are necessary.
+
+### False positive analysis
+
+- Scheduled tasks running legitimate scripts or executables like cmd.exe or cscript.exe in system directories may trigger false positives. To manage this, create exceptions for these processes when they are executed from known safe directories such as C:\\Windows\\System32.
+- PowerShell scripts executed by the system account (S-1-5-18) for administrative tasks can be mistakenly flagged. Exclude these by specifying exceptions for PowerShell executions with arguments like -File or -PSConsoleFile when run by the system account.
+- Legitimate software installations or updates using msiexec.exe by the system account may be incorrectly identified as threats. Mitigate this by excluding msiexec.exe processes initiated by the system account.
+- Regular maintenance tasks or scripts stored in common directories like C:\\ProgramData or C:\\Windows\\Temp might be flagged. Review these tasks and exclude known benign scripts or executables from these paths.
+- Custom scripts or administrative tools that mimic suspicious executables (e.g., PowerShell.EXE, RUNDLL32.EXE) but are part of routine operations should be reviewed and excluded if verified as safe.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further spread of any potential malicious activity.
+- Terminate any suspicious processes identified by the detection rule, especially those matching the flagged executables and paths.
+- Conduct a thorough review of scheduled tasks on the affected system to identify and disable any unauthorized or suspicious tasks.
+- Remove any malicious files or executables found in the suspicious paths listed in the detection rule.
+- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for scheduled tasks and the flagged executables to detect similar threats in the future."""
 references = [
 "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
 ]
@@ -68,46 +101,18 @@ process where host.os.type == "windows" and event.type == "start" and
 "C:\\Windows\\Debug\\*",
 "C:\\HP\\*") and
- not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
- not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
- not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
- not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
+ not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
+ not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
+ not (
+ process.name : "powershell.exe" and
+ process.args : (
+ "-File", "-PSConsoleFile",
+ "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientV2Package.ps1",
+ "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientPackage.ps1"
+ ) and user.id : "S-1-5-18"
+ ) and
+ not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Execution via Scheduled Task
-
-Scheduled tasks in Windows automate routine tasks, but adversaries exploit them for persistence and execution of malicious programs. By examining process lineage and command line usage, the detection rule identifies suspicious executions initiated by scheduled tasks. It flags known malicious executables and unusual file paths, while excluding benign processes, to pinpoint potential threats effectively.
-
-### Possible investigation steps
-
-- Review the process lineage to confirm the parent process is "svchost.exe" with arguments containing "Schedule" to verify the execution was initiated by a scheduled task.
-- Examine the command line arguments and file paths of the suspicious process to identify any unusual or unauthorized file locations, such as those listed in the query (e.g., "C:\\Users\\*", "C:\\ProgramData\\*").
-- Check the original file name of the process against the list of known suspicious executables (e.g., "PowerShell.EXE", "Cmd.Exe") to determine if it matches any commonly abused binaries.
-- Investigate the user context under which the process was executed, especially if it deviates from expected system accounts or known service accounts.
-- Correlate the event with other security logs or alerts to identify any related suspicious activities or patterns that might indicate a broader attack campaign.
-- Assess the risk and impact of the detected activity by considering the severity and risk score provided, and determine if immediate containment or remediation actions are necessary.
-
-### False positive analysis
-
-- Scheduled tasks running legitimate scripts or executables like cmd.exe or cscript.exe in system directories may trigger false positives. To manage this, create exceptions for these processes when they are executed from known safe directories such as C:\\Windows\\System32.
-- PowerShell scripts executed by the system account (S-1-5-18) for administrative tasks can be mistakenly flagged. Exclude these by specifying exceptions for PowerShell executions with arguments like -File or -PSConsoleFile when run by the system account.
-- Legitimate software installations or updates using msiexec.exe by the system account may be incorrectly identified as threats. Mitigate this by excluding msiexec.exe processes initiated by the system account.
-- Regular maintenance tasks or scripts stored in common directories like C:\\ProgramData or C:\\Windows\\Temp might be flagged. Review these tasks and exclude known benign scripts or executables from these paths.
-- Custom scripts or administrative tools that mimic suspicious executables (e.g., PowerShell.EXE, RUNDLL32.EXE) but are part of routine operations should be reviewed and excluded if verified as safe.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further spread of any potential malicious activity.
-- Terminate any suspicious processes identified by the detection rule, especially those matching the flagged executables and paths.
-- Conduct a thorough review of scheduled tasks on the affected system to identify and disable any unauthorized or suspicious tasks.
-- Remove any malicious files or executables found in the suspicious paths listed in the detection rule.
-- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
-- Implement enhanced monitoring and logging for scheduled tasks and the flagged executables to detect similar threats in the future."""
 [[rule.threat]]
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index ff5705b38f7..2454a6a87a6 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
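Review bot: The two Autopatch script paths are appended to the same `process.args : (...)` list as `-File` and `-PSConsoleFile`, which is satisfied when any single argument matches any listed pattern; since `-File` was already excluded for SYSTEM, the new entries only change behaviour when Autopatch launches these scripts without `-File`, and nothing in the hunk records the command line that motivated them. A query comment would let the next maintainer re-validate the carve-out, e.g. `/* Windows Autopatch client setup runs these scripts as SYSTEM without -File; matched by path */`. The paths also sit under `C:\ProgramData`, whose subtrees are frequently writable by non-admin users, so it is worth confirming the ACL on `AutopatchSetupScheduled` before trusting the path alone — a planted script with that name is excluded as soon as it runs from any SYSTEM task. The `process where` block starts outside this hunk.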
@@ -2,9 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,39 +11,17 @@ Identifies the creation of a suspicious ImagePath value. This could be an indica stealthily persist or escalate privileges through abnormal service creation. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious ImagePath Service Creation" -risk_score = 73 -rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and - registry.value : "ImagePath" and - registry.path : ( - "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath", - "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" - ) and - /* add suspicious registry ImagePath values here */ - registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +57,35 @@ Windows services are crucial for running background processes. Adversaries explo - Review and restore any modified system files or configurations to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar registry changes and suspicious service creations to detect and respond to future threats promptly.""" +risk_score = 73 +rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and + registry.value : "ImagePath" and + registry.path : ( + "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath", + "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" + ) and + /* add suspicious registry ImagePath values here */ + registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*") +''' [[rule.threat]] diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml index c8428323a3a..f680eea696e 100644 --- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml +++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/02/02" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/04/15" min_stack_version = "8.15.0" min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0." @@ -40,10 +40,10 @@ query = ''' any where ( (event.dataset == "windows.sysmon_operational" and event.code == "21" and - winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or + ?winlog.event_data.Operation : "Created" and ?winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or - (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and process.Ext.api.name == "IWbemServices::PutInstance" and - process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer")) + (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and ?process.Ext.api.name == "IWbemServices::PutInstance" and + ?process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer")) ) ''' note = """## Triage and analysis diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 2e166e46f76..2a0d907bce6 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
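Review bot: In the Elastic Defend branch of the query, `?process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer")` still uses the case-sensitive `in`, whereas the Sysmon branch matches the consumer with the case-insensitive wildcard operator `:`, so if the endpoint ever reports the consumer class in a different casing that branch silently misses the event. If the Elastic Defend schema does not guarantee exact casing here, `in~` (EQL's case-insensitive membership test) would make the two branches behave consistently. The added `?` prefixes only suppress the unmapped-field verification error on stacks where just one of the two data sources is present; a missing field still evaluates to no match, so detection coverage is unchanged, and a short comment in the query such as `/* ?-prefixed fields are optional so the rule validates when only Sysmon or only Elastic Defend data is mapped */` would spare the next maintainer from wondering whether they weaken the match.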
@@ -27,6 +25,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -136,7 +135,6 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -147,6 +145,7 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index 96814886632..5c5808caff6 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,26 +16,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Temporarily Scheduled Task Creation" -references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"] -risk_score = 47 -rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m - [iam where event.action == "scheduled-task-created" and not user.name : "*$"] - [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -72,6 +50,26 @@ Scheduled tasks in Windows environments automate routine tasks, but adversaries - Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected. - Implement additional monitoring and alerting for similar scheduled task activities to enhance detection and prevent recurrence of this threat.""" +references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"] +risk_score = 47 +rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m + [iam where event.action == "scheduled-task-created" and not user.name : "*$"] + [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"] +''' [[rule.threat]] diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 015261644dd..9b04b88b148 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -41,7 +39,14 @@ network devices or clients in the network. Time providers are implemented in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential Persistence via Time Provider Modification" diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index 7b45616a7da..edcaee98237 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic", "Skoetting"] diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index dc9761a2517..2bab46a9d12 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index 96d9b8692fb..1bfaa32f665 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -28,32 +26,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Potential Application Shimming via Sdbinst" -risk_score = 21 -rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and - process.args : "?*" and - not (process.args : "-m" and process.args : "-bg") and - not process.args : "-mm" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -89,6 +61,32 @@ Application shimming is a Windows feature designed to ensure software compatibil - Review and restore any altered system configurations or registry settings to their default or secure state. - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for `sdbinst.exe` executions across the network to detect and respond to future attempts at application shimming.""" +risk_score = 21 +rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and + process.args : "?*" and + not (process.args : "-m" and process.args : "-bg") and + not process.args : "-mm" +''' [[rule.threat]] diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml index 426b95c70fa..d5ed04b003e 100644 --- a/rules/windows/persistence_via_bits_job_notify_command.toml +++ b/rules/windows/persistence_via_bits_job_notify_command.toml @@ -2,9 +2,7 @@ creation_date = "2021/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,32 +12,17 @@ that runs after a job finishes transferring data or after a job enters a specifi system. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Persistence via BITS Job Notify Cmdline" -references = [ - "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", - "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", - "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2", -] -risk_score = 47 -rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "svchost.exe" and process.parent.args : "BITS" and - not process.executable : - ("?:\\Windows\\System32\\WerFaultSecure.exe", - "?:\\Windows\\System32\\WerFault.exe", - "?:\\Windows\\System32\\wermgr.exe", - "?:\\WINDOWS\\system32\\directxdatabaseupdater.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -76,6 +59,39 @@ Background Intelligent Transfer Service (BITS) is a Windows service that facilit - Update and run a full antivirus and anti-malware scan on the affected system to ensure no additional threats are present. - Review and enhance endpoint protection policies to prevent unauthorized use of BITS for persistence, ensuring that only trusted applications can create or modify BITS jobs. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +references = [ + "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", + "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", + "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2", +] +risk_score = 47 +rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "svchost.exe" and process.parent.args : "BITS" and + not process.executable : + ("?:\\Windows\\System32\\WerFaultSecure.exe", + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\System32\\wermgr.exe", + "?:\\WINDOWS\\system32\\directxdatabaseupdater.exe") +''' [[rule.threat]] diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 293ceeb1f54..7efbfada45e 100644 
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,41 @@ index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon language = "eql" license = "Elastic License v2" name = "Persistence via Hidden Run Key Detected" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Persistence via Hidden Run Key Detected + +The Windows Registry is a critical system database that stores configuration settings. Adversaries exploit it for persistence by creating hidden registry keys using native APIs, making them invisible to standard tools like regedit. The detection rule identifies changes in specific registry paths associated with startup programs, flagging null-terminated keys that suggest stealthy persistence tactics. + +### Possible investigation steps + +- Review the specific registry path where the change was detected to determine if it matches any of the paths listed in the query, such as "HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\" or "HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\". +- Check the timestamp of the registry change event to correlate it with other system activities or user actions that occurred around the same time. +- Investigate the process that made the registry change by examining process creation logs or using tools like Sysmon to identify the responsible process and its parent process. +- Analyze the content of the registry key value that was modified or created to determine if it points to a legitimate application or a potentially malicious executable. 
+- Cross-reference the detected registry change with known threat intelligence sources to identify if the key or value is associated with known malware or adversary techniques. +- Assess the affected system for additional indicators of compromise, such as unusual network connections, file modifications, or other persistence mechanisms. + +### False positive analysis + +- Legitimate software installations or updates may create registry keys in the specified paths, leading to false positives. Users can monitor the installation process and temporarily disable the rule during known software updates to prevent unnecessary alerts. +- System administrators may intentionally configure startup programs for maintenance or monitoring purposes. Document these configurations and create exceptions in the detection rule to avoid flagging them as threats. +- Some security software may use similar techniques to ensure their components start with the system. Verify the legitimacy of such software and whitelist their registry changes to prevent false alarms. +- Custom scripts or automation tools used within an organization might modify registry keys for operational reasons. Identify these scripts and exclude their activities from the detection rule to reduce false positives. +- Regularly review and update the list of known safe applications and processes that interact with the registry paths in question, ensuring that the detection rule remains relevant and accurate. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Use a trusted tool to manually inspect and remove the hidden registry keys identified in the alert from the specified registry paths to eliminate the persistence mechanism. 
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes associated with the threat. +- Review recent user activity and system logs to identify any unauthorized access or changes made by the adversary, and reset credentials for any compromised accounts. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. +- Implement enhanced monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and process execution. +- Update and reinforce endpoint security configurations to prevent similar persistence techniques, such as enabling registry auditing and restricting access to critical registry paths.""" references = [ "https://github.com/outflanknl/SharpHide", "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf", 
@@ -63,41 +96,6 @@ registry where host.os.type == "windows" and event.type == "change" and length(r "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Persistence via Hidden Run Key Detected - -The Windows Registry is a critical system database that stores configuration settings. Adversaries exploit it for persistence by creating hidden registry keys using native APIs, making them invisible to standard tools like regedit. The detection rule identifies changes in specific registry paths associated with startup programs, flagging null-terminated keys that suggest stealthy persistence tactics. - -### Possible investigation steps - -- Review the specific registry path where the change was detected to determine if it matches any of the paths listed in the query, such as "HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\" or "HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\". -- Check the timestamp of the registry change event to correlate it with other system activities or user actions that occurred around the same time. -- Investigate the process that made the registry change by examining process creation logs or using tools like Sysmon to identify the responsible process and its parent process. -- Analyze the content of the registry key value that was modified or created to determine if it points to a legitimate application or a potentially malicious executable. 
-- Cross-reference the detected registry change with known threat intelligence sources to identify if the key or value is associated with known malware or adversary techniques. -- Assess the affected system for additional indicators of compromise, such as unusual network connections, file modifications, or other persistence mechanisms. - -### False positive analysis - -- Legitimate software installations or updates may create registry keys in the specified paths, leading to false positives. Users can monitor the installation process and temporarily disable the rule during known software updates to prevent unnecessary alerts. -- System administrators may intentionally configure startup programs for maintenance or monitoring purposes. Document these configurations and create exceptions in the detection rule to avoid flagging them as threats. -- Some security software may use similar techniques to ensure their components start with the system. Verify the legitimacy of such software and whitelist their registry changes to prevent false alarms. -- Custom scripts or automation tools used within an organization might modify registry keys for operational reasons. Identify these scripts and exclude their activities from the detection rule to reduce false positives. -- Regularly review and update the list of known safe applications and processes that interact with the registry paths in question, ensuring that the detection rule remains relevant and accurate. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Use a trusted tool to manually inspect and remove the hidden registry keys identified in the alert from the specified registry paths to eliminate the persistence mechanism. 
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes associated with the threat. -- Review recent user activity and system logs to identify any unauthorized access or changes made by the adversary, and reset credentials for any compromised accounts. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. -- Implement enhanced monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and process execution. -- Update and reinforce endpoint security configurations to prevent similar persistence techniques, such as enabling registry auditing and restricting access to critical registry paths.""" [[rule.threat]] diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 3c6f26520bd..7e7855db2b0 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,41 +11,17 @@ Identifies registry modifications related to the Windows Security Support Provid abuse this to establish persistence in an environment. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Installation of Security Support Provider" -risk_score = 47 -rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and - registry.path : ( - "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*", - "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*", - "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*", - "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*", - "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*", - "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*" - ) and - not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -83,6 +57,37 @@ Security Support Providers (SSPs) in Windows environments facilitate authenticat
 - Review and update access controls and permissions to ensure that only authorized personnel can modify critical registry paths related to Security Support Providers.
 - Monitor the affected system and network for any signs of re-infection or further suspicious activity, focusing on registry changes and process executions.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
+risk_score = 47
+rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+  registry.path : (
+    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
+    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
+    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
+    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
+    "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
+    "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*"
+  ) and
+  not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index 84273532709..5ce887dd079 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -27,38 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via TelemetryController Scheduled Task Hijack"
-references = ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"]
-risk_score = 73
-rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
-severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Tactic: Privilege Escalation",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Windows Security Event Logs",
-    "Data Source: Microsoft Defender for Endpoint",
-    "Data Source: Sysmon",
-    "Data Source: SentinelOne",
-    "Data Source: Crowdstrike",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
-  process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and
-  not process.name : ("conhost.exe",
-                      "DeviceCensus.exe",
-                      "CompatTelRunner.exe",
-                      "DismHost.exe",
-                      "rundll32.exe",
-                      "powershell.exe")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -94,6 +60,38 @@ The Microsoft Compatibility Appraiser, part of Windows telemetry, uses scheduled
 - Analyze the system for any unauthorized changes to user accounts or privileges, and revert any modifications to ensure that only legitimate users have access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for the affected system and similar scheduled tasks across the network to detect any future attempts at hijacking or unauthorized modifications."""
+references = ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"]
+risk_score = 73
+rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Tactic: Privilege Escalation",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and
+  not process.name : ("conhost.exe",
+                      "DeviceCensus.exe",
+                      "CompatTelRunner.exe",
+                      "DismHost.exe",
+                      "rundll32.exe",
+                      "powershell.exe")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index d13d6375a2e..4c77031fe53 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 43ae1cc412f..a064ad7db7c 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -28,34 +26,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via WMI Event Subscription"
-references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"]
-risk_score = 21
-rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c"
-severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Tactic: Execution",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Windows Security Event Logs",
-    "Data Source: Microsoft Defender for Endpoint",
-    "Data Source: Sysmon",
-    "Data Source: SentinelOne",
-    "Data Source: Crowdstrike",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
-  (process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and
-  process.args : "create" and
-  process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -89,6 +59,34 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da
 - Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through manual remediation.
 - Update and patch the system to the latest security standards to mitigate any vulnerabilities that may have been exploited.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
+references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"]
+risk_score = 21
+rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  (process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and
+  process.args : "create" and
+  process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
index dd9983e07a8..9eadb3b1221 100644
--- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index 4178b2f6460..90a360e3537 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/08/24"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -145,9 +143,13 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -156,22 +158,18 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.005"
 name = "Visual Basic"
 reference = "https://attack.mitre.org/techniques/T1059/005/"
-[[rule.threat.technique]]
-id = "T1047"
-name = "Windows Management Instrumentation"
-reference = "https://attack.mitre.org/techniques/T1047/"
-
-
 
 
 
 [rule.threat.tactic]
 id = "TA0002"
diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml
index 799049a573b..1f028060f17 100644
--- a/rules/windows/persistence_werfault_reflectdebugger.toml
+++ b/rules/windows/persistence_werfault_reflectdebugger.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,37 +11,16 @@ Identifies the registration of a Werfault Debugger. Attackers may abuse this mec
 every time the utility is executed with the "-pr" parameter.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
+index = [
+    "logs-endpoint.events.registry-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Werfault ReflectDebugger Persistence"
-references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"]
-risk_score = 21
-rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a"
-severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Microsoft Defender for Endpoint",
-    "Data Source: SentinelOne",
-    "Data Source: Sysmon",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.type == "change" and
-  registry.path : (
-    "HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
-    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
-    "MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
-  )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -78,6 +55,33 @@ Werfault, the Windows Error Reporting service, can be manipulated by attackers t
 - Review and restore any system or application configurations that may have been altered by the attacker to their original state.
 - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.
 - Implement enhanced monitoring and alerting for registry changes in the specified paths to detect and respond to similar threats in the future."""
+references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"]
+risk_score = 21
+rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
+    "Data Source: Sysmon",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+  registry.path : (
+    "HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
+    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
+    "MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
+  )
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml
index 319ad43964c..cb2b7003290 100644
--- a/rules/windows/privilege_escalation_create_process_as_different_user.toml
+++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -17,36 +15,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Creation via Secondary Logon"
-references = ["https://attack.mitre.org/techniques/T1134/002/"]
-risk_score = 47
-rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266"
-setup = """## Setup
-
-Audit events 4624 and 4688 are needed to trigger this rule.
-"""
-severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Privilege Escalation",
-    "Data Source: Windows Security Event Logs",
-    "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by winlog.computer_name with maxspan=1m
-
-[authentication where event.action:"logged-in" and
- event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and
-
- /* seclogon service */
- process.name == "svchost.exe" and
- winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId
-
-[process where event.type == "start"] by winlog.event_data.TargetLogonId
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -81,6 +49,36 @@ The Secondary Logon service in Windows allows users to run processes with differ
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
 - Implement stricter access controls and monitoring on the Secondary Logon service to detect and prevent similar privilege escalation attempts in the future.
 - Update and reinforce endpoint detection and response (EDR) solutions to enhance monitoring of process creation events and logon activities, ensuring they are aligned with the latest threat intelligence."""
+references = ["https://attack.mitre.org/techniques/T1134/002/"]
+risk_score = 47
+rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266"
+setup = """## Setup
+
+Audit events 4624 and 4688 are needed to trigger this rule.
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Data Source: Windows Security Event Logs",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by winlog.computer_name with maxspan=1m
+
+[authentication where event.action:"logged-in" and
+ event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and
+
+ /* seclogon service */
+ process.name == "svchost.exe" and
+ winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId
+
+[process where event.type == "start"] by winlog.event_data.TargetLogonId
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml
index 077e046095e..26301237aab 100644
--- a/rules/windows/privilege_escalation_credroaming_ldap.toml
+++ b/rules/windows/privilege_escalation_credroaming_ldap.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +17,41 @@ index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification of the msPKIAccountCredentials"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Modification of the msPKIAccountCredentials
+
+The msPKIAccountCredentials attribute in Active Directory stores encrypted credential data, including private keys and certificates. Adversaries may exploit this by altering the attribute to escalate privileges, potentially overwriting files. The detection rule identifies such modifications by monitoring specific directory service events, focusing on changes to this attribute, excluding actions by the system account, thus highlighting unauthorized access attempts.
+
+### Possible investigation steps
+
+- Review the event logs for the specific event code 5136 to gather details about the modification event, including the timestamp and the user account involved.
+- Examine the winlog.event_data.SubjectUserSid field to identify the user who attempted the modification, ensuring it is not the system account (S-1-5-18).
+- Investigate the history and behavior of the identified user account to determine if there are any previous suspicious activities or anomalies.
+- Check for any recent changes or anomalies in the affected Active Directory User Object, focusing on the msPKIAccountCredentials attribute.
+- Assess the potential impact of the modification by identifying any files or systems that may have been affected by the altered credentials.
+- Correlate this event with other security alerts or logs to identify any patterns or coordinated activities that might indicate a broader attack.
+
+### False positive analysis
+
+- Routine administrative tasks by IT personnel may trigger the rule. To manage this, create exceptions for specific user accounts or groups known to perform these tasks regularly.
+- Scheduled maintenance scripts or automated processes that modify Active Directory attributes could be mistaken for unauthorized changes. Identify these processes and exclude their associated user accounts or service accounts from the rule.
+- Software updates or installations that require changes to user credentials might cause false positives. Document these events and adjust the rule to ignore modifications during known update windows.
+- Legitimate changes made by third-party applications integrated with Active Directory can be flagged. Review and whitelist these applications by excluding their associated user accounts or service accounts.
+- Temporary changes during incident response or security audits may appear suspicious. Coordinate with security teams to ensure these activities are recognized and excluded from triggering alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Revoke any potentially compromised certificates and private keys associated with the affected msPKIAccountCredentials attribute to prevent misuse.
+- Conduct a thorough review of recent changes in Active Directory, focusing on the msPKIAccountCredentials attribute, to identify any unauthorized modifications or access patterns.
+- Reset passwords and regenerate keys for any accounts or services that may have been affected to ensure that compromised credentials are no longer valid.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
+- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activity or attempts to exploit similar vulnerabilities.
+- Review and update access controls and permissions in Active Directory to ensure that only authorized personnel have the ability to modify sensitive attributes like msPKIAccountCredentials."""
 references = [
     "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
     "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
@@ -61,41 +94,6 @@ event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCr
 winlog.event_data.OperationType:"%%14674" and
 not winlog.event_data.SubjectUserSid : "S-1-5-18"
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Modification of the msPKIAccountCredentials
-
-The msPKIAccountCredentials attribute in Active Directory stores encrypted credential data, including private keys and certificates. Adversaries may exploit this by altering the attribute to escalate privileges, potentially overwriting files. The detection rule identifies such modifications by monitoring specific directory service events, focusing on changes to this attribute, excluding actions by the system account, thus highlighting unauthorized access attempts.
-
-### Possible investigation steps
-
-- Review the event logs for the specific event code 5136 to gather details about the modification event, including the timestamp and the user account involved.
-- Examine the winlog.event_data.SubjectUserSid field to identify the user who attempted the modification, ensuring it is not the system account (S-1-5-18).
-- Investigate the history and behavior of the identified user account to determine if there are any previous suspicious activities or anomalies.
-- Check for any recent changes or anomalies in the affected Active Directory User Object, focusing on the msPKIAccountCredentials attribute.
-- Assess the potential impact of the modification by identifying any files or systems that may have been affected by the altered credentials.
-- Correlate this event with other security alerts or logs to identify any patterns or coordinated activities that might indicate a broader attack.
-
-### False positive analysis
-
-- Routine administrative tasks by IT personnel may trigger the rule. To manage this, create exceptions for specific user accounts or groups known to perform these tasks regularly.
-- Scheduled maintenance scripts or automated processes that modify Active Directory attributes could be mistaken for unauthorized changes. Identify these processes and exclude their associated user accounts or service accounts from the rule.
-- Software updates or installations that require changes to user credentials might cause false positives. Document these events and adjust the rule to ignore modifications during known update windows.
-- Legitimate changes made by third-party applications integrated with Active Directory can be flagged. Review and whitelist these applications by excluding their associated user accounts or service accounts.
-- Temporary changes during incident response or security audits may appear suspicious. Coordinate with security teams to ensure these activities are recognized and excluded from triggering alerts.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
-- Revoke any potentially compromised certificates and private keys associated with the affected msPKIAccountCredentials attribute to prevent misuse.
-- Conduct a thorough review of recent changes in Active Directory, focusing on the msPKIAccountCredentials attribute, to identify any unauthorized modifications or access patterns.
-- Reset passwords and regenerate keys for any accounts or services that may have been affected to ensure that compromised credentials are no longer valid.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
-- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activity or attempts to exploit similar vulnerabilities.
-- Review and update access controls and permissions in Active Directory to ensure that only authorized personnel have the ability to modify sensitive attributes like msPKIAccountCredentials."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 430416e2605..5050cd20f77 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +13,14 @@ administrator-level access to the system. This rule identifies registry value ch
 (UAC) protection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.registry-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Disabling User Account Control via Registry Modification"
diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
index 00b8597b887..45a02549dbd 100644
--- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
+++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/05/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -17,33 +15,6 @@ index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*",
 language = "eql"
 license = "Elastic License v2"
 name = "Unsigned DLL loaded by DNS Service"
-references = [
-    "https://cube0x0.github.io/Pocing-Beyond-DA/",
-    "https://adsecurity.org/?p=4064",
-    "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll"
-]
-risk_score = 47
-rule_id = "5d676480-9655-4507-adc6-4eec311efff8"
-severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Privilege Escalation",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-    "Resources: Investigation Guide"
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-any where host.os.type == "windows" and event.category : ("library", "process") and
-  event.type : ("start", "change") and event.action : ("load", "Image loaded*") and
-  process.executable : "?:\\windows\\system32\\dns.exe" and
-  not ?dll.code_signature.trusted == true and
-  not file.code_signature.status == "Valid"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -80,6 +51,33 @@ The DNS service in Windows environments is crucial for resolving domain names to
 - Review and update the system's security patches and configurations to address any vulnerabilities that may have been exploited, particularly those related to privilege escalation.
 - Monitor the system and network for any signs of continued or repeated unauthorized activity, focusing on similar indicators of compromise.
 - Report the incident to the appropriate internal security team or external authorities if required, providing details of the threat and actions taken for further investigation and response."""
+references = [
+    "https://cube0x0.github.io/Pocing-Beyond-DA/",
+    "https://adsecurity.org/?p=4064",
+    "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll",
+]
+risk_score = 47
+rule_id = "5d676480-9655-4507-adc6-4eec311efff8"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and event.category : ("library", "process") and
+  event.type : ("start", "change") and event.action : ("load", "Image loaded*") and
+  process.executable : "?:\\windows\\system32\\dns.exe" and
+  not ?dll.code_signature.trusted == true and
+  not file.code_signature.status == "Valid"
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
index 760a2e136ca..0a3ae8c0dc7 100644
--- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml
+++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
@@ -2,48 +2,23 @@
creation_date = "2024/04/23"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"
from = "now-9m"
-index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "winlogbeat-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
language = "eql"
license = "Elastic License v2"
name = "Potential privilege escalation via CVE-2022-38028"
-references = [
- "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/",
-]
-risk_score = 73
-rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-file where host.os.type == "windows" and event.type != "deletion" and
- file.name : "MPDW-constraints.js" and
- file.path : (
- "?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
- "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"
- )
-'''
note = """##
Triage and analysis
> **Disclaimer**:
@@ -79,6 +54,36 @@ CVE-2022-38028 targets the Windows Print Spooler service, a core component manag
- Conduct a thorough review of user accounts and privileges on the affected system to identify and revoke any unauthorized privilege escalations.
- Monitor the network and system logs for any signs of further exploitation attempts or related suspicious activities, using enhanced detection rules.
- Report the incident to the appropriate internal security team or external authorities if required, providing detailed information about the exploitation attempt and actions taken."""
+references = [
+ "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/",
+]
+risk_score = 73
+rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type != "deletion" and
+ file.name : "MPDW-constraints.js" and
+ file.path : (
+ "?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
+ "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"
+ )
+'''
[[rule.threat]]
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
index 422f24a07d1..83c8fad1aea 100644
--- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
+++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
@@ -2,9 +2,7 @@
creation_date = "2020/08/13"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -14,38 +12,17 @@ legitimate system administration, but can also be abused by an attacker with dom
malicious payload remotely on all or a subset of the domain joined machines.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
language = "eql"
license = "Elastic License v2"
name = "Creation or Modification of a new GPO Scheduled Task or Service"
-risk_score = 21
-rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and
- file.name : ("ScheduledTasks.xml", "Services.xml") and
- file.path : (
- "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
- "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml"
- ) and
- not process.executable : "C:\\Windows\\System32\\dfsrs.exe"
-'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -81,6 +58,34 @@ Group Policy Objects (GPOs) are crucial for centralized management in Windows en
- Notify the security operations center (SOC) and escalate the incident to the incident response team for further investigation and to determine the scope of the compromise.
- Implement additional monitoring on GPO paths and domain admin activities to detect any further unauthorized changes or suspicious behavior.
- Review and strengthen access controls and auditing policies for GPO management to prevent unauthorized modifications in the future."""
+risk_score = 21
+rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and
+ file.name : ("ScheduledTasks.xml", "Services.xml") and
+ file.path : (
+ "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
+ "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml"
+ ) and
+ not process.executable : "C:\\Windows\\System32\\dfsrs.exe"
+'''
[[rule.threat]]
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index 5fc487de6eb..1c705e82d44 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
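Review bot: The exclusion `not process.executable : "C:\\Windows\\System32\\dfsrs.exe"` at the end of the relocated query pins the drive letter, while the two `file.path` patterns a few lines above it use the `?:` drive wildcard; on a domain controller whose system volume is not C: the DFS Replication exclusion silently stops applying and every replicated SYSVOL write of ScheduledTasks.xml or Services.xml alerts. These lines are only moved here from earlier in the file, so the inconsistency predates this change, but since the block is being rewritten this is the moment to align it: `not process.executable : "?:\\Windows\\System32\\dfsrs.exe"`.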
@@ -2,9 +2,7 @@
creation_date = "2021/11/08"
integration = ["system", "windows"]
maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index 7caac286ad8..c7f65c3e78f 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -2,9 +2,7 @@
creation_date = "2021/11/08"
integration = ["system", "windows"]
maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index b3450e863b0..1542e312846 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -2,9 +2,7 @@
creation_date = "2021/11/08"
integration = ["system", "windows"]
maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index 4572988bf9b..e9a7cdaea62 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -2,9 +2,7 @@
creation_date = "2022/04/27"
integration = ["system", "windows"]
maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -18,6 +16,39 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Service Creation via Local Kerberos Authentication"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Service Creation via Local Kerberos Authentication
+
+Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications. In Windows environments, it is often used for secure identity verification. Adversaries may exploit Kerberos by relaying authentication tickets locally to escalate privileges, potentially creating services with elevated rights. The detection rule identifies suspicious local logons using Kerberos, followed by service creation, indicating possible misuse. By monitoring specific logon events and service installations, it helps detect unauthorized privilege escalation attempts.
+
+### Possible investigation steps
+
+- Review the event logs for the specific LogonId identified in the alert to gather details about the logon session, including the user account involved and the time of the logon event.
+- Examine the source IP address and port from the logon event to confirm it matches the localhost (127.0.0.1 or ::1) and determine if this aligns with expected behavior for the user or system.
+- Investigate the service creation event (event ID 4697) associated with the same LogonId to identify the service name, executable path, and any related command-line arguments to assess if it is legitimate or potentially malicious.
+- Check for any recent changes or anomalies in the system or user account, such as modifications to user privileges, group memberships, or recent software installations, that could indicate unauthorized activity.
+- Correlate the findings with other security alerts or logs from the same timeframe to identify any patterns or additional indicators of compromise that may suggest a broader attack or compromise.
+
+### False positive analysis
+
+- Routine administrative tasks may trigger the rule if administrators frequently log in locally using Kerberos and create services as part of their duties. To manage this, create exceptions for known administrative accounts or specific service creation activities that are part of regular maintenance.
+- Automated scripts or software updates that use Kerberos authentication and subsequently install or update services can also generate false positives. Identify these scripts or update processes and exclude their associated logon IDs from the rule.
+- Security software or monitoring tools that perform regular checks and use Kerberos for authentication might inadvertently trigger the rule. Review the behavior of these tools and whitelist their activities if they are verified as non-threatening.
+- In environments where localhost is used for testing or development purposes, developers might log in using Kerberos and create services. Consider excluding specific development machines or user accounts from the rule to prevent unnecessary alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or privilege escalation.
+- Terminate any suspicious services created during the incident to halt potential malicious activities.
+- Conduct a thorough review of the affected system's event logs, focusing on the specific LogonId and service creation events to identify the scope of the compromise.
+- Reset the credentials of the compromised user account and any other accounts that may have been accessed using the relayed Kerberos tickets.
+- Apply patches and updates to the affected system and any other systems in the network to address known vulnerabilities that could be exploited in similar attacks.
+- Implement network segmentation to limit the ability of attackers to move laterally within the network, reducing the risk of privilege escalation.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
references = [
"https://github.com/Dec0ne/KrbRelayUp",
"https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html",
@@ -55,39 +86,6 @@ sequence by winlog.computer_name with maxspan=5m /* event 4697 need to be logged */ event.action : "service-installed"] by winlog.event_data.SubjectLogonId ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Service Creation via Local Kerberos Authentication - -Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications. In Windows environments, it is often used for secure identity verification. Adversaries may exploit Kerberos by relaying authentication tickets locally to escalate privileges, potentially creating services with elevated rights. The detection rule identifies suspicious local logons using Kerberos, followed by service creation, indicating possible misuse. By monitoring specific logon events and service installations, it helps detect unauthorized privilege escalation attempts. - -### Possible investigation steps - -- Review the event logs for the specific LogonId identified in the alert to gather details about the logon session, including the user account involved and the time of the logon event. -- Examine the source IP address and port from the logon event to confirm it matches the localhost (127.0.0.1 or ::1) and determine if this aligns with expected behavior for the user or system. -- Investigate the service creation event (event ID 4697) associated with the same LogonId to identify the service name, executable path, and any related command-line arguments to assess if it is legitimate or potentially malicious. 
-- Check for any recent changes or anomalies in the system or user account, such as modifications to user privileges, group memberships, or recent software installations, that could indicate unauthorized activity. -- Correlate the findings with other security alerts or logs from the same timeframe to identify any patterns or additional indicators of compromise that may suggest a broader attack or compromise. - -### False positive analysis - -- Routine administrative tasks may trigger the rule if administrators frequently log in locally using Kerberos and create services as part of their duties. To manage this, create exceptions for known administrative accounts or specific service creation activities that are part of regular maintenance. -- Automated scripts or software updates that use Kerberos authentication and subsequently install or update services can also generate false positives. Identify these scripts or update processes and exclude their associated logon IDs from the rule. -- Security software or monitoring tools that perform regular checks and use Kerberos for authentication might inadvertently trigger the rule. Review the behavior of these tools and whitelist their activities if they are verified as non-threatening. -- In environments where localhost is used for testing or development purposes, developers might log in using Kerberos and create services. Consider excluding specific development machines or user accounts from the rule to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or privilege escalation. -- Terminate any suspicious services created during the incident to halt potential malicious activities. -- Conduct a thorough review of the affected system's event logs, focusing on the specific LogonId and service creation events to identify the scope of the compromise. 
-- Reset the credentials of the compromised user account and any other accounts that may have been accessed using the relayed Kerberos tickets. -- Apply patches and updates to the affected system and any other systems in the network to address known vulnerabilities that could be exploited in similar attacks. -- Implement network segmentation to limit the ability of attackers to move laterally within the network, reducing the risk of privilege escalation. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml index 512bcab7e15..291c41803d3 100644 --- a/rules/windows/privilege_escalation_make_token_local.toml +++ b/rules/windows/privilege_escalation_make_token_local.toml @@ -2,9 +2,7 @@ creation_date = "2023/12/04" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,39 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Interactive Logon by an Unusual Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Interactive Logon by an Unusual Process
+
+Interactive logons in Windows environments typically involve standard processes like winlogon.exe. Adversaries may exploit alternate processes to create tokens, escalating privileges and bypassing controls. This detection rule identifies anomalies by flagging logons via non-standard executables, focusing on mismatched user SIDs and unusual process paths, thus highlighting potential privilege escalation attempts.
+
+### Possible investigation steps
+
+- Review the process executable path to determine if it is a known or expected application for interactive logons. Investigate any unfamiliar or suspicious paths.
+- Examine the SubjectUserSid and TargetUserSid to identify the users involved in the logon attempt. Check for any discrepancies or unusual patterns in user activity.
+- Analyze the event logs around the time of the alert to identify any related or preceding events that might indicate how the unusual process was initiated.
+- Investigate the system for any signs of compromise, such as unexpected changes in system files, unauthorized software installations, or other indicators of malicious activity.
+- Check for any recent privilege escalation attempts or access token manipulations that might correlate with the alert, using the MITRE ATT&CK framework references for guidance.
+
+### False positive analysis
+
+- Legitimate administrative tools or scripts may trigger this rule if they use non-standard executables for logon processes. To manage this, identify and whitelist these known tools by adding their executable paths to the exception list.
+- Custom applications developed in-house that require interactive logon might be flagged. Review these applications and, if verified as safe, exclude their executable paths from the detection rule.
+- Automated tasks or services that use alternate credentials for legitimate purposes can cause false positives. Analyze these tasks and, if they are part of regular operations, adjust the rule to exclude their specific user SIDs or executable paths.
+- Security software or monitoring tools that perform logon actions for scanning or auditing purposes may be incorrectly flagged. Confirm their legitimacy and add them to the exception list to prevent unnecessary alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
+- Terminate any suspicious processes identified as executing from non-standard paths that are not part of the legitimate Windows system processes.
+- Revoke any tokens or credentials associated with the anomalous logon session to prevent further misuse.
+- Conduct a thorough review of user accounts involved, focusing on any unauthorized privilege escalations or changes in permissions, and reset passwords as necessary.
+- Analyze the system for any signs of persistence mechanisms or additional malware, and remove any identified threats.
+- Restore the system from a known good backup if any unauthorized changes or malware are detected that cannot be easily remediated.
+- Report the incident to the appropriate internal security team or management for further investigation and potential escalation to law enforcement if necessary."""
references = ["https://attack.mitre.org/techniques/T1134/002/"]
risk_score = 73
rule_id = "61766ef9-48a5-4247-ad74-3349de7eb2ad"
@@ -51,39 +82,6 @@ authentication where "?:\\Windows\\System32\\inetsrv\\w3wp.exe", "?:\\Windows\\SysWOW64\\msiexec.exe") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Interactive Logon by an Unusual Process - -Interactive logons in Windows environments typically involve standard processes like winlogon.exe. Adversaries may exploit alternate processes to create tokens, escalating privileges and bypassing controls. This detection rule identifies anomalies by flagging logons via non-standard executables, focusing on mismatched user SIDs and unusual process paths, thus highlighting potential privilege escalation attempts. - -### Possible investigation steps - -- Review the process executable path to determine if it is a known or expected application for interactive logons. Investigate any unfamiliar or suspicious paths. -- Examine the SubjectUserSid and TargetUserSid to identify the users involved in the logon attempt. Check for any discrepancies or unusual patterns in user activity. -- Analyze the event logs around the time of the alert to identify any related or preceding events that might indicate how the unusual process was initiated. -- Investigate the system for any signs of compromise, such as unexpected changes in system files, unauthorized software installations, or other indicators of malicious activity. -- Check for any recent privilege escalation attempts or access token manipulations that might correlate with the alert, using the MITRE ATT&CK framework references for guidance. 
- -### False positive analysis - -- Legitimate administrative tools or scripts may trigger this rule if they use non-standard executables for logon processes. To manage this, identify and whitelist these known tools by adding their executable paths to the exception list. -- Custom applications developed in-house that require interactive logon might be flagged. Review these applications and, if verified as safe, exclude their executable paths from the detection rule. -- Automated tasks or services that use alternate credentials for legitimate purposes can cause false positives. Analyze these tasks and, if they are part of regular operations, adjust the rule to exclude their specific user SIDs or executable paths. -- Security software or monitoring tools that perform logon actions for scanning or auditing purposes may be incorrectly flagged. Confirm their legitimacy and add them to the exception list to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. -- Terminate any suspicious processes identified as executing from non-standard paths that are not part of the legitimate Windows system processes. -- Revoke any tokens or credentials associated with the anomalous logon session to prevent further misuse. -- Conduct a thorough review of user accounts involved, focusing on any unauthorized privilege escalations or changes in permissions, and reset passwords as necessary. -- Analyze the system for any signs of persistence mechanisms or additional malware, and remove any identified threats. -- Restore the system from a known good backup if any unauthorized changes or malware are detected that cannot be easily remediated. -- Report the incident to the appropriate internal security team or management for further investigation and potential escalation to law enforcement if necessary.""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
index 962de6246e1..8302d80474b 100644
--- a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
+++ b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
@@ -2,20 +2,14 @@
creation_date = "2024/09/12"
integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender", "windows"]
maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
description = """
-Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process.
-This may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup.
+Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This
+may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup.
"""
-references = [
- "https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/",
- "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014"
-]
from = "now-9m"
index = [
"winlogbeat-*",
@@ -23,35 +17,11 @@ index = [
"logs-endpoint.events.process-*",
"logs-windows.sysmon_operational-*",
"logs-sentinel_one_cloud_funnel.*",
- "logs-m365_defender.event-*"
+ "logs-m365_defender.event-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Escalation via Vulnerable MSI Repair"
-risk_score = 73
-rule_id = "043d80a3-c49e-43ef-9c72-1088f0c7b278"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Resources: Investigation Guide"
-]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-process where event.type == "start" and host.os.type == "windows" and
- user.domain : ("NT AUTHORITY", "AUTORITE NT", "AUTORIDADE NT") and
- process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe",
- "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe", "tor.exe", "safari.exe") and
- process.parent.command_line : "*go.microsoft.com*"
-'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -86,6 +56,35 @@ Windows Installer (MSI) is a service used for software installation and maintena
- Restore the affected system from a known good backup if unauthorized changes or persistent threats are detected that cannot be easily remediated.
- Monitor the network for any signs of similar exploitation attempts or related suspicious activities, using enhanced detection rules and threat intelligence feeds.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation and recovery efforts."""
+references = [
+ "https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/",
+ "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014",
+]
+risk_score = 73
+rule_id = "043d80a3-c49e-43ef-9c72-1088f0c7b278"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and host.os.type == "windows" and
+ user.domain : ("NT AUTHORITY", "AUTORITE NT", "AUTORIDADE NT") and
+ process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe",
+ "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe", "tor.exe", "safari.exe") and
+ process.parent.command_line : "*go.microsoft.com*"
+'''
[[rule.threat]]
@@ -100,8 +99,6 @@ reference = "https://attack.mitre.org/techniques/T1068/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
-
-
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
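Review bot: In the relocated `process.parent.name` list the bare `"iexplore"` entry sits alongside `"iexplore.exe"`; `process.parent.name` carries the image file name, so the extension-less value appears to be dead and only reads as though a browser were matched without its extension. Dropping `"iexplore"` from the list (or, if a name without an extension is genuinely observed from one of the listed data sources, saying so in an EQL comment next to it) keeps the list honest for the next reader. The lines are moved rather than new in this commit, so this can land as a follow-up.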
@@ -119,3 +116,4 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index b75be0c1682..17355c1cbf2 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml index 56562a07b0e..d0e6efc720a 100644 --- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml +++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml @@ -2,9 +2,7 @@ creation_date = "2023/11/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,17 +15,6 @@ index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"] language = "kuery" license = "Elastic License v2" name = "First Time Seen NewCredentials Logon Process" -references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"] -risk_score = 47 -rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "new_terms" - -query = ''' -event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\Program?Files* -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -62,6 +49,24 @@ The NewCredentials logon type in Windows allows processes to impersonate a user - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring for similar suspicious logon activities across the network to detect and respond to potential future attempts promptly. - Review and update access control policies and token management practices to mitigate the risk of access token manipulation in the future.""" +references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"] +risk_score = 47 +rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\Program?Files* +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 6ae392c415a..cd692fd1c3d 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,9 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/14" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index 4fb0bd7c876..a2b11219ba7 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 410f3e64a76..742afb6cc97 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,40 @@ index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_op language = "eql" license = "Elastic License v2" name = "Suspicious Print Spooler Point and Print DLL" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Print Spooler Point and Print DLL + +The Windows Print Spooler service manages print jobs and is integral to printing operations. Adversaries exploit vulnerabilities like CVE-2020-1030 to escalate privileges by loading malicious DLLs into the spooler process, which runs with SYSTEM-level permissions. The detection rule identifies suspicious registry modifications linked to the Print Spooler, indicating potential exploitation attempts by monitoring specific registry paths and data patterns. + +### Possible investigation steps + +- Review the registry paths specified in the alert to confirm any unauthorized modifications, focusing on the paths: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory and HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module. +- Check the registry data strings for any unexpected or suspicious DLLs located in C:\\Windows\\System32\\spool\\drivers\\x64\\4, which may indicate a malicious payload. +- Investigate the host identified by host.id to determine if there are any other signs of compromise or unusual activity, such as unexpected processes or network connections. +- Correlate the alert with other security events or logs from the same host to identify any related activities or patterns that could suggest a broader attack. 
+- Assess the system's patch level and update status to ensure that all known vulnerabilities, including CVE-2020-1030, have been addressed and mitigated. +- If a malicious DLL is confirmed, isolate the affected system to prevent further exploitation and begin remediation efforts, such as removing the malicious files and restoring the system to a known good state. + +### False positive analysis + +- Legitimate printer driver updates or installations may trigger the rule due to registry modifications in the specified paths. Users can create exceptions for known and trusted driver update processes to prevent false alerts. +- Custom print configurations by IT departments that modify the SpoolDirectory or CopyFiles registry paths might be flagged. Document and exclude these configurations if they are verified as safe and necessary for business operations. +- Automated scripts or software that manage printer settings and inadvertently modify the monitored registry paths can cause false positives. Identify and whitelist these scripts or applications after confirming their legitimacy. +- Third-party print management solutions that interact with the Print Spooler service may lead to false detections. Evaluate these solutions and exclude their known benign activities from the detection rule. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary. +- Terminate the Print Spooler service on the compromised system to stop any ongoing malicious activity and prevent further DLL loading. +- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any malicious DLLs or related files. +- Review and restore the registry paths identified in the detection query to their default values to ensure no malicious configurations remain. 
+- Apply the latest security patches and updates from Microsoft to address CVE-2020-1030 and other known vulnerabilities in the Print Spooler service. +- Monitor the network for any signs of similar exploitation attempts, focusing on the registry paths and data patterns specified in the detection rule. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" references = [ "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", 
@@ -54,40 +86,6 @@ sequence by host.id with maxspan=30s ) and registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\*"] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Print Spooler Point and Print DLL - -The Windows Print Spooler service manages print jobs and is integral to printing operations. Adversaries exploit vulnerabilities like CVE-2020-1030 to escalate privileges by loading malicious DLLs into the spooler process, which runs with SYSTEM-level permissions. The detection rule identifies suspicious registry modifications linked to the Print Spooler, indicating potential exploitation attempts by monitoring specific registry paths and data patterns. - -### Possible investigation steps - -- Review the registry paths specified in the alert to confirm any unauthorized modifications, focusing on the paths: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory and HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module. -- Check the registry data strings for any unexpected or suspicious DLLs located in C:\\Windows\\System32\\spool\\drivers\\x64\\4, which may indicate a malicious payload. -- Investigate the host identified by host.id to determine if there are any other signs of compromise or unusual activity, such as unexpected processes or network connections. -- Correlate the alert with other security events or logs from the same host to identify any related activities or patterns that could suggest a broader attack. 
-- Assess the system's patch level and update status to ensure that all known vulnerabilities, including CVE-2020-1030, have been addressed and mitigated. -- If a malicious DLL is confirmed, isolate the affected system to prevent further exploitation and begin remediation efforts, such as removing the malicious files and restoring the system to a known good state. - -### False positive analysis - -- Legitimate printer driver updates or installations may trigger the rule due to registry modifications in the specified paths. Users can create exceptions for known and trusted driver update processes to prevent false alerts. -- Custom print configurations by IT departments that modify the SpoolDirectory or CopyFiles registry paths might be flagged. Document and exclude these configurations if they are verified as safe and necessary for business operations. -- Automated scripts or software that manage printer settings and inadvertently modify the monitored registry paths can cause false positives. Identify and whitelist these scripts or applications after confirming their legitimacy. -- Third-party print management solutions that interact with the Print Spooler service may lead to false detections. Evaluate these solutions and exclude their known benign activities from the detection rule. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary. -- Terminate the Print Spooler service on the compromised system to stop any ongoing malicious activity and prevent further DLL loading. -- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any malicious DLLs or related files. -- Review and restore the registry paths identified in the detection query to their default values to ensure no malicious configurations remain. 
-- Apply the latest security patches and updates from Microsoft to address CVE-2020-1030 and other known vulnerabilities in the Print Spooler service. -- Monitor the network for any signs of similar exploitation attempts, focusing on the registry paths and data patterns specified in the detection rule. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index 30d052601d3..5fd974a8857 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -25,33 +23,6 @@ index = [ language = "kuery" license = "Elastic License v2" name = "Suspicious PrintSpooler Service Executable File Creation" -references = [ - "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", - "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files", -] -risk_score = 21 -rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "new_terms" - -query = ''' -event.category : "file" and host.os.type : "windows" and event.type : "creation" and - process.name : "spoolsv.exe" and file.extension : "dll" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -86,56 +57,84 @@ The Print Spooler service in Windows manages print jobs, but vulnerabilities lik - Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized privilege escalation has occurred. - Monitor the network for any signs of similar exploitation attempts or related suspicious activity, using enhanced logging and alerting mechanisms. - Report the incident to the appropriate internal security team or external authorities if required, providing details of the exploit and actions taken for further investigation and response.""" +references = [ + "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", + "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files", +] +risk_score = 21 +rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +event.category : "file" and host.os.type : "windows" and event.type : "creation" and + process.name : "spoolsv.exe" and file.extension : "dll" +''' + [[rule.filters]] + [rule.filters.meta] negate = false [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\Sys?????\\\\*" - +case_insensitive = true +value = "?:\\\\Windows\\\\Sys?????\\\\*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll" - +case_insensitive = true +value = "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll" [[rule.filters]] + 
[rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll" - +case_insensitive = true +value = "?:\\Windows\\Sys?????\\u005lrs.dll" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll" - +case_insensitive = true +value = "?:\\Windows\\system32\\spool\\DRIVERS\\u0064\\\\*.dll" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll" - +case_insensitive = true +value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll" - +case_insensitive = true +value = "?:\\Windows\\system32\\spool\\PRTPROCS\\u0064\\\\*.dll" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll" - +case_insensitive = true +value = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -155,3 +154,5 @@ value = ["host.id", "file.path"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index a4d9dff6d29..75067c258a1 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml 
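Review bot: Three of the rewritten `[rule.filters.query.wildcard."file.path"]` values no longer decode to what the removed lines decoded to: `\\\\x5lrs.dll` became `\\u005lrs.dll`, and the two `\\\\x64\\\\*.dll` paths under `spool\\DRIVERS` and `spool\\PRTPROCS` became `\\u0064\\\\*.dll`, while the other four filters in the same hunk keep the original `\\\\` escaping. This looks like a formatter rewriting `\x` as `\u00` during re-serialization rather than an intended change; after TOML decoding the wildcards now name a `u0064` directory and a `u005lrs.dll` file that do not exist, so these `negate = true` exclusions stop matching and legitimate DLLs spoolsv.exe writes under `DRIVERS\x64` or `PRTPROCS\x64` will likely surface as new terms in this `new_terms` rule. The fix is to restore the removed encodings: `value = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"`, `value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"`, `value = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"`. Because the rewrite appears tool-generated, the other rule files touched by this commit are worth grepping for the same `\\u00` pattern before merging.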
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -19,35 +17,17 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Print Spooler File Deletion" -references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] -risk_score = 47 -rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type == "deletion" and - file.extension : "dll" and file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" and - not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +62,31 @@ The Print Spooler service in Windows manages print jobs and interactions with pr - Apply the latest security patches and updates to the Print Spooler service and related components to mitigate known vulnerabilities. - Monitor the affected system and network for any signs of further suspicious activity, focusing on similar file deletion patterns or privilege escalation attempts. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for broader organizational response measures.""" +references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] +risk_score = 47 +rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type == "deletion" and + file.extension : "dll" and file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" and + not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml index 12a9f06a241..348e56d1e71 100644 --- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml +++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/06/05" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,9 +16,42 @@ index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via Service ImagePath Modification" -references = [ - "https://cube0x0.github.io/Pocing-Beyond-DA/" -] +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Privilege Escalation via Service ImagePath Modification + +Windows services are crucial for system operations, often running with high privileges. Adversaries exploit this by altering the ImagePath registry key of services to execute malicious code with elevated privileges. The detection rule identifies suspicious modifications to service ImagePaths, focusing on changes that deviate from standard executable paths, thus flagging potential privilege escalation attempts. + +### Possible investigation steps + +- Review the specific registry key and value that triggered the alert to confirm it matches one of the monitored service keys, such as those listed in the query (e.g., *\\LanmanServer, *\\Winmgmt). +- Examine the modified ImagePath value to determine if it points to a non-standard executable path or a suspicious executable, especially those not located in %systemroot%\\system32\\. +- Check the process.executable field to identify the process responsible for the registry modification and assess its legitimacy. +- Investigate the user account associated with the modification event to determine if it has elevated privileges, such as membership in the Server Operators group. 
+- Correlate the event with other logs or alerts to identify any related suspicious activities, such as unexpected service starts or process executions. +- Review recent changes or activities on the host to identify any unauthorized access or configuration changes that could indicate a broader compromise. + +### False positive analysis + +- Legitimate software updates or installations may modify service ImagePaths. Users can create exceptions for known update processes or installation paths to prevent false positives. +- System administrators might intentionally change service configurations for maintenance or troubleshooting. Document and exclude these changes by adding exceptions for specific administrator actions or paths. +- Custom scripts or automation tools that modify service settings as part of their operation can trigger alerts. Identify and whitelist these scripts or tools to avoid unnecessary alerts. +- Some third-party security or management software may alter service ImagePaths as part of their functionality. Verify the legitimacy of such software and exclude their known paths from detection. +- Changes made by trusted IT personnel during system configuration or optimization should be logged and excluded from alerts to reduce noise. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. +- Terminate any suspicious processes identified as running from non-standard executable paths, especially those not originating from the system32 directory. +- Restore the modified ImagePath registry key to its original state using a known good configuration or backup. +- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or persistence mechanisms. 
+- Review and audit user accounts and group memberships, particularly those with elevated privileges like Server Operators, to ensure no unauthorized changes have been made. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and alerting for future modifications to service ImagePath registry keys, focusing on deviations from standard paths to detect similar threats promptly.""" +references = ["https://cube0x0.github.io/Pocing-Beyond-DA/"] risk_score = 47 rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b" severity = "medium" @@ -32,7 +63,7 @@ tags = [ "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" 
@@ -88,41 +119,6 @@ registry where host.os.type == "windows" and event.type == "change" and process. ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Privilege Escalation via Service ImagePath Modification - -Windows services are crucial for system operations, often running with high privileges. Adversaries exploit this by altering the ImagePath registry key of services to execute malicious code with elevated privileges. The detection rule identifies suspicious modifications to service ImagePaths, focusing on changes that deviate from standard executable paths, thus flagging potential privilege escalation attempts. - -### Possible investigation steps - -- Review the specific registry key and value that triggered the alert to confirm it matches one of the monitored service keys, such as those listed in the query (e.g., *\\LanmanServer, *\\Winmgmt). -- Examine the modified ImagePath value to determine if it points to a non-standard executable path or a suspicious executable, especially those not located in %systemroot%\\system32\\. -- Check the process.executable field to identify the process responsible for the registry modification and assess its legitimacy. -- Investigate the user account associated with the modification event to determine if it has elevated privileges, such as membership in the Server Operators group. -- Correlate the event with other logs or alerts to identify any related suspicious activities, such as unexpected service starts or process executions. -- Review recent changes or activities on the host to identify any unauthorized access or configuration changes that could indicate a broader compromise. 
- -### False positive analysis - -- Legitimate software updates or installations may modify service ImagePaths. Users can create exceptions for known update processes or installation paths to prevent false positives. -- System administrators might intentionally change service configurations for maintenance or troubleshooting. Document and exclude these changes by adding exceptions for specific administrator actions or paths. -- Custom scripts or automation tools that modify service settings as part of their operation can trigger alerts. Identify and whitelist these scripts or tools to avoid unnecessary alerts. -- Some third-party security or management software may alter service ImagePaths as part of their functionality. Verify the legitimacy of such software and exclude their known paths from detection. -- Changes made by trusted IT personnel during system configuration or optimization should be logged and excluded from alerts to reduce noise. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. -- Terminate any suspicious processes identified as running from non-standard executable paths, especially those not originating from the system32 directory. -- Restore the modified ImagePath registry key to its original state using a known good configuration or backup. -- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or persistence mechanisms. -- Review and audit user accounts and group memberships, particularly those with elevated privileges like Server Operators, to ensure no unauthorized changes have been made. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. 
-- Implement enhanced monitoring and alerting for future modifications to service ImagePath registry keys, focusing on deviations from standard paths to detect similar threats promptly.""" [[rule.threat]] @@ -136,6 +132,7 @@ id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -151,9 +148,6 @@ reference = "https://attack.mitre.org/techniques/T1574/011/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index fb4436a95de..e47c1e19ca6 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,46 +11,17 @@ Identifies a privilege escalation attempt via a rogue Windows directory (Windir) primitive that is often combined with other vulnerabilities to elevate privileges. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via Windir Environment Variable" -references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"] -risk_score = 73 -rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and -registry.value : ("windir", "systemroot") and -registry.path : ( - "HKEY_USERS\\*\\Environment\\windir", - "HKEY_USERS\\*\\Environment\\systemroot", - "HKU\\*\\Environment\\windir", - "HKU\\*\\Environment\\systemroot", - "HKCU\\*\\Environment\\windir", - "HKCU\\*\\Environment\\systemroot", - "\\REGISTRY\\USER\\*\\Environment\\windir", - "\\REGISTRY\\USER\\*\\Environment\\systemroot", - "USER\\*\\Environment\\windir", - "USER\\*\\Environment\\systemroot" - ) and - not registry.data.strings : ("C:\\windows", "%SystemRoot%") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -89,6 +58,42 @@ The Windir environment variable points to the Windows directory, crucial for sys - Reset passwords for any user accounts that may have been compromised, especially those with elevated privileges. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to alter critical environment variables or other suspicious activities.""" +references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"] +risk_score = 73 +rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and +registry.value : ("windir", "systemroot") and +registry.path : ( + "HKEY_USERS\\*\\Environment\\windir", + "HKEY_USERS\\*\\Environment\\systemroot", + "HKU\\*\\Environment\\windir", + "HKU\\*\\Environment\\systemroot", + "HKCU\\*\\Environment\\windir", + "HKCU\\*\\Environment\\systemroot", + "\\REGISTRY\\USER\\*\\Environment\\windir", + "\\REGISTRY\\USER\\*\\Environment\\systemroot", + "USER\\*\\Environment\\windir", + "USER\\*\\Environment\\systemroot" + ) and + not registry.data.strings : ("C:\\windows", "%SystemRoot%") +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml index 9e9d868ea5b..2b34ae9ac52 100644 
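Review bot: The `HKCU\\*\\Environment\\windir` and `HKCU\\*\\Environment\\systemroot` entries in the moved `registry.path` list look inert: the `*` sits between `HKCU\` and `\Environment`, so they only match a path with an extra component there, while a per-user environment key is `HKCU\Environment\windir`. If any listed source emits HKCU-rooted paths, add `"HKCU\\Environment\\windir"` and `"HKCU\\Environment\\systemroot"` (the `HKU\\*` / `HKEY_USERS\\*` forms already cover SID-rooted paths); otherwise drop the two entries so the list documents what can actually match. Separately, `not registry.data.strings : ("C:\\windows", "%SystemRoot%")` assumes Windows lives on C:, so a host installed on another volume will alert on every legitimate write; that belongs in the false-positive section rather than being fixed by widening to `?:\\windows`, which would also suppress an attacker pointing windir at a copy on a secondary drive.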
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml +++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml @@ -2,9 +2,7 @@ creation_date = "2021/12/12" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -18,36 +16,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential Privileged Escalation via SamAccountName Spoofing" -references = [ - "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", - "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", - "https://github.com/cube0x0/noPac", - "https://twitter.com/exploitph/status/1469157138928914432", - "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", -] -risk_score = 73 -rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Use Case: Vulnerability", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -iam where event.action == "renamed-user-account" and - /* machine account name renamed to user like account name */ - winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +50,36 @@ In Active Directory environments, the samAccountName attribute is crucial for id - Apply the latest security patches and updates to all domain controllers and critical systems to mitigate vulnerabilities like CVE-2021-42278. - Enhance monitoring and logging for Active Directory events, specifically focusing on account renaming activities, to detect similar threats in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" +references = [ + "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", + "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", + "https://github.com/cube0x0/noPac", + "https://twitter.com/exploitph/status/1469157138928914432", + "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", +] +risk_score = 73 +rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Use Case: Vulnerability", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +iam where event.action == "renamed-user-account" and + /* machine account name renamed to user like account name */ + winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$" +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index 1ab090ec688..c2d36fb1b78 100644 
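Review bot: The moved query only covers the rename step (`OldTargetUserName : "*$"` to a new name without `$`), so an attacker who can create computer objects can sidestep it by creating the object with the spoofed sAMAccountName directly instead of creating `FAKE$` and renaming it, which produces a computer-account-creation event rather than a rename. Unless a sibling rule already does so (I have not checked), a companion condition on `added-computer-account` events whose `TargetUserName` does not end in `$` would close that gap. It would also help the triage guide to say that on domain controllers with the KB5008102 hardening enforced the rename is expected to be rejected and no rename event is written, so this rule mainly fires on unpatched or non-enforcing DCs; I am inferring that from the referenced advisory and have not verified the exact enforcement behaviour.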
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml index da1c2f52123..4324c4d2b88 100644 --- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml +++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml @@ -2,9 +2,7 @@ creation_date = "2022/05/11" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,36 +17,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Remote Computer Account DnsHostName Update" -references = [ - "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", - "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923", -] -risk_score = 73 -rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Use Case: Vulnerability", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -iam where event.action == "changed-computer-account" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and - - /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */ - winlog.event_data.DnsHostName : "??*" and - - /* exclude FPs where DnsHostName starts with the ComputerName that was changed */ - not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1)) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -84,6 +52,36 @@ In Active Directory environments, the DnsHostName attribute links computer accou - Escalate the incident to the security operations team for further investigation and to assess potential exploitation of CVE-2022-26923 or other vulnerabilities. - Implement additional monitoring on the affected system and similar systems to detect any further suspicious activities or attempts to exploit vulnerabilities. - Review and update access controls and permissions for computer accounts in Active Directory to ensure only authorized personnel can make changes to critical attributes like DnsHostName.""" +references = [ + "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923", +] +risk_score = 73 +rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Use Case: Vulnerability", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +iam where event.action == "changed-computer-account" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and + + /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */ + winlog.event_data.DnsHostName : "??*" and + + /* exclude FPs where DnsHostName starts with the ComputerName that was changed */ + not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1)) +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml index c8f95b7f345..a6208c45254 100644 
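Review bot: The false-positive carve-out on the last line of the moved query is a bare prefix test and the attacker controls both operands: `startswith~(DnsHostName, <TargetUserName minus '$'>)` is satisfied when a rogue machine account named, say, `DC$` or `D$` (creatable under a default ms-DS-MachineAccountQuota) sets DnsHostName to `dc01.corp.local`, so exactly the Certifried case the comment above it describes is suppressed. Anchor the comparison at the label boundary instead: `not startswith~(winlog.event_data.DnsHostName, concat(substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1), "."))`. That still lets a sAMAccountName containing a dot (`DC01.$`) pass, so if the source permits such names consider applying the carve-out only when the stripped account name has no `.`, which real NetBIOS computer names never do. The `user.id : ("S-1-5-21-*", "S-1-12-1-*")` filter above it is fine as a way to keep built-in and local SIDs out.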
--- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml +++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml @@ -2,9 +2,7 @@ creation_date = "2022/10/20" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "SeDebugPrivilege Enabled by a Suspicious Process" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating SeDebugPrivilege Enabled by a Suspicious Process + +SeDebugPrivilege is a powerful Windows privilege allowing processes to debug and modify other processes, typically reserved for system-level tasks. Adversaries exploit this to escalate privileges, bypassing security controls by impersonating system processes. The detection rule identifies suspicious processes enabling SeDebugPrivilege, excluding known legitimate processes, to flag potential privilege escalation attempts. + +### Possible investigation steps + +- Review the event logs for the specific event.provider "Microsoft-Windows-Security-Auditing" and event.action "Token Right Adjusted Events" to gather more details about the process that enabled SeDebugPrivilege. +- Identify the process name from winlog.event_data.ProcessName and determine if it is known or expected in the environment. Investigate any unknown or suspicious processes. +- Check the winlog.event_data.SubjectUserSid to identify the user account associated with the process. Investigate if this account has a history of suspicious activity or if it should have the ability to enable SeDebugPrivilege. +- Analyze the parent process of the suspicious process to understand how it was initiated and if it was spawned by a legitimate or malicious process. 
+- Correlate the timestamp of the event with other security events or alerts to identify any related activities or patterns that could indicate a broader attack or compromise. +- Investigate the network activity of the suspicious process to determine if it is communicating with any known malicious IP addresses or domains. + +### False positive analysis + +- Legitimate system maintenance tasks may trigger the rule, such as Windows Update or system diagnostics. Users can monitor the timing of these tasks and correlate them with alerts to determine if they are the cause. +- Software installations or updates using msiexec.exe might be flagged. Consider excluding msiexec.exe from the rule if it is frequently used in your environment for legitimate purposes. +- Administrative tools like taskhostw.exe and mmc.exe can sometimes enable SeDebugPrivilege during normal operations. Evaluate the necessity of these tools in your environment and exclude them if they are regularly used by trusted administrators. +- Temporary files created by legitimate applications, such as DismHost.exe in user temp directories, may be flagged. Review the context of these files and exclude them if they are part of routine application behavior. +- Regularly review and update the exclusion list to include any new legitimate processes that are identified as false positives, ensuring the rule remains effective without generating unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate the suspicious process identified in the alert to stop any ongoing malicious activity and prevent privilege escalation. +- Conduct a thorough review of the affected system's event logs, focusing on the "Token Right Adjusted Events" to identify any additional unauthorized privilege changes or suspicious activities. 
+- Reset credentials for any accounts that may have been compromised or used by the suspicious process, especially those with elevated privileges. +- Restore the affected system from a known good backup to ensure any malicious changes are removed and the system is returned to a secure state. +- Implement additional monitoring on the affected system and similar systems to detect any recurrence of the threat, focusing on processes attempting to enable SeDebugPrivilege. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = [ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e", 
@@ -77,41 +110,6 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe", "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating SeDebugPrivilege Enabled by a Suspicious Process - -SeDebugPrivilege is a powerful Windows privilege allowing processes to debug and modify other processes, typically reserved for system-level tasks. Adversaries exploit this to escalate privileges, bypassing security controls by impersonating system processes. The detection rule identifies suspicious processes enabling SeDebugPrivilege, excluding known legitimate processes, to flag potential privilege escalation attempts. - -### Possible investigation steps - -- Review the event logs for the specific event.provider "Microsoft-Windows-Security-Auditing" and event.action "Token Right Adjusted Events" to gather more details about the process that enabled SeDebugPrivilege. -- Identify the process name from winlog.event_data.ProcessName and determine if it is known or expected in the environment. Investigate any unknown or suspicious processes. -- Check the winlog.event_data.SubjectUserSid to identify the user account associated with the process. Investigate if this account has a history of suspicious activity or if it should have the ability to enable SeDebugPrivilege. -- Analyze the parent process of the suspicious process to understand how it was initiated and if it was spawned by a legitimate or malicious process. 
-- Correlate the timestamp of the event with other security events or alerts to identify any related activities or patterns that could indicate a broader attack or compromise. -- Investigate the network activity of the suspicious process to determine if it is communicating with any known malicious IP addresses or domains. - -### False positive analysis - -- Legitimate system maintenance tasks may trigger the rule, such as Windows Update or system diagnostics. Users can monitor the timing of these tasks and correlate them with alerts to determine if they are the cause. -- Software installations or updates using msiexec.exe might be flagged. Consider excluding msiexec.exe from the rule if it is frequently used in your environment for legitimate purposes. -- Administrative tools like taskhostw.exe and mmc.exe can sometimes enable SeDebugPrivilege during normal operations. Evaluate the necessity of these tools in your environment and exclude them if they are regularly used by trusted administrators. -- Temporary files created by legitimate applications, such as DismHost.exe in user temp directories, may be flagged. Review the context of these files and exclude them if they are part of routine application behavior. -- Regularly review and update the exclusion list to include any new legitimate processes that are identified as false positives, ensuring the rule remains effective without generating unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate the suspicious process identified in the alert to stop any ongoing malicious activity and prevent privilege escalation. -- Conduct a thorough review of the affected system's event logs, focusing on the "Token Right Adjusted Events" to identify any additional unauthorized privilege changes or suspicious activities. 
-- Reset credentials for any accounts that may have been compromised or used by the suspicious process, especially those with elevated privileges. -- Restore the affected system from a known good backup to ensure any malicious changes are removed and the system is returned to a secure state. -- Implement additional monitoring on the affected system and similar systems to detect any recurrence of the threat, focusing on processes attempting to enable SeDebugPrivilege. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index db3e02e1630..4f92ccdc7c3 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,37 +11,17 @@ Identifies attempts to bypass User Account Control (UAC) by abusing an elevated ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface" -references = ["https://github.com/hfiref0x/UACME"] -risk_score = 73 -rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and - not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and - /* CLSID of the Elevated COM Interface IEditionUpgradeManager */ - process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -79,6 +57,33 @@ User Account Control (UAC) is a security feature in Windows designed to prevent - Update and patch the operating system and all installed software to the latest versions to mitigate known vulnerabilities. - Implement application whitelisting to prevent unauthorized programs from executing, focusing on blocking non-standard paths for critical system executables. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +references = ["https://github.com/hfiref0x/UACME"] +risk_score = 73 +rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and + not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and + /* CLSID of the Elevated COM Interface IEditionUpgradeManager */ + process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index 37eb6ce566f..97b2898d655 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml 
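Review bot: The allowlist `not process.executable : "C:\\Windows\\System32\\ClipUp.exe"` in the moved query only recognises the drive-letter form of the legitimate binary, while this rule also reads `logs-sentinel_one_cloud_funnel.*`; the DiskCleanup rule later in this same change excludes `\\Device\\HarddiskVolume?\\Windows\\System32\\...` next to the `C:\\` form, presumably because that source reports device paths. Unless SentinelOne paths are known to be normalised here, a legitimate ClipUp.exe launch from that source will alert. Suggest `not process.executable : ("C:\\Windows\\System32\\ClipUp.exe", "\\Device\\HarddiskVolume?\\Windows\\System32\\ClipUp.exe")`, and keep the drive pinned rather than widening to `?:`, since an attacker-writable secondary volume could otherwise host a `Windows\System32\ClipUp.exe` that passes the allowlist.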
@@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,39 +11,17 @@ Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer" -references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"] -risk_score = 47 -rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and - process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding" - - /* uncomment once in winlogbeat */ - /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */ -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +58,35 @@ User Account Control (UAC) is a security feature in Windows designed to prevent - Update and patch the affected system to the latest security updates to mitigate known vulnerabilities that could be exploited for UAC bypass. - Implement application whitelisting to prevent unauthorized executables from running, particularly those in temporary directories. - Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" +references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"] +risk_score = 47 +rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and + process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding" + + /* uncomment once in winlogbeat */ + /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */ +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index 336f80f317d..cc5a3e44aa3 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml 
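Review bot: `process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe"` in the moved query pins the user profile to C:, so profiles redirected to another volume are invisible to the rule; because `\\AppData\\*\\Temp\\IDC*.tmp\\` is the discriminating part and this is the match pattern rather than an exclusion, `"?:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe"` broadens coverage without weakening it. The commented-out `process.code_signature` clause and its `/* uncomment once in winlogbeat */` marker are carried over unchanged; if the listed sources now populate `process.code_signature.*` the clause should be enabled (noting it would then exempt Microsoft-signed payloads dropped into that directory), and if not, the dead clause should be removed with a one-line comment saying why the signature check is omitted.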
@@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,35 +11,16 @@ Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevate to bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "UAC Bypass via ICMLuaUtil Elevated COM Interface" -risk_score = 73 -rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name == "dllhost.exe" and - process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and - process.pe.original_file_name != "WerFault.exe" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -77,6 +56,31 @@ The ICMLuaUtil Elevated COM Interface is a Windows component that facilitates Us - Update and patch the operating system and all installed software to mitigate any known vulnerabilities that could be exploited for UAC bypass. - Implement application whitelisting to prevent unauthorized applications from executing, focusing on blocking the execution of `dllhost.exe` with suspicious arguments. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +risk_score = 73 +rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.name == "dllhost.exe" and + process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and + process.pe.original_file_name != "WerFault.exe" +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index d7cc1793a86..4702999f40a 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml 
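Review bot: The moved query uses exact-case operators where the neighbouring UAC-bypass rules use case-insensitive ones: `process.parent.name == "dllhost.exe"` and `process.parent.args in (...)` will silently miss a source that reports `DllHost.exe` or a lower-case CLSID, whereas the ClipUp rule in this same change uses `process.parent.name : "dllhost.exe"` and `process.parent.args : "/Processid:{...}"`. Switching to `process.parent.name : "dllhost.exe"` and `process.parent.args in~ (...)` keeps the intent without depending on how each source cases the values. Also worth confirming how `process.pe.original_file_name != "WerFault.exe"` behaves when the field is absent (Endgame, or Sysmon without PE metadata): if the comparison against a missing field does not evaluate true, those events are dropped rather than matched, and an explicit `process.pe.original_file_name == null or ...` guard would be needed; I have not verified the null semantics here.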
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -27,40 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
-risk_score = 47
-rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.args : "/autoclean" and process.args : "/d" and process.executable != null and
- not process.executable : (
- "C:\\Windows\\System32\\cleanmgr.exe",
- "C:\\Windows\\SysWOW64\\cleanmgr.exe",
- "C:\\Windows\\System32\\taskhostw.exe",
- "\\Device\\HarddiskVolume?\\Windows\\System32\\cleanmgr.exe",
- "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\cleanmgr.exe",
- "\\Device\\HarddiskVolume?\\Windows\\System32\\taskhostw.exe"
- )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -97,6 +61,40 @@ User Account Control (UAC) is a security feature in Windows that helps prevent u - Update and patch the affected system to the latest security updates to mitigate any known vulnerabilities that could be exploited for UAC bypass. - Monitor the affected system and network for any signs of recurring unauthorized activity or similar UAC bypass attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +risk_score = 47 +rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.args : "/autoclean" and process.args : "/d" and process.executable != null and + not process.executable : ( + "C:\\Windows\\System32\\cleanmgr.exe", + "C:\\Windows\\SysWOW64\\cleanmgr.exe", + "C:\\Windows\\System32\\taskhostw.exe", + "\\Device\\HarddiskVolume?\\Windows\\System32\\cleanmgr.exe", + "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\cleanmgr.exe", + "\\Device\\HarddiskVolume?\\Windows\\System32\\taskhostw.exe" +) +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index dc35aabe197..cf962445d86 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml 
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/27"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,40 +11,17 @@ Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. A stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface" -references = [ - "https://github.com/hfiref0x/UACME", - "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies", -] -risk_score = 73 -rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and - /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */ - file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and - /* has no impact on rule logic just to avoid OS install related FPs */ - not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -83,6 +58,36 @@ The IFileOperation COM interface is a Windows component used for file operations - Apply any pending security patches and updates to the operating system and installed software to mitigate known vulnerabilities. - Monitor the network for any signs of similar activity or attempts to exploit the IFileOperation COM interface on other systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +references = [ + "https://github.com/hfiref0x/UACME", + "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies", +] +risk_score = 73 +rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and + /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */ + file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and + /* has no impact on rule logic just to avoid OS install related FPs */ + not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*") +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index f2c7c23ecd7..3fa0c18ee15 100644 
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/17"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 41c0ca0acb8..43a347532f2 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 64b893efdb8..fa2fd7c192b 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,14 @@ Identifies attempts to bypass User Account Control (UAC) by hijacking the Micros
 Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass via Windows Firewall Snap-In Hijack"
diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml
index e833d27561b..c0971cf4928 100644
--- a/rules/windows/privilege_escalation_unquoted_service_path.toml
+++ b/rules/windows/privilege_escalation_unquoted_service_path.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/07/13"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -25,32 +23,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
-risk_score = 21
-rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Data Source: Elastic Endgame",
- "Data Source: Sysmon",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- (
- process.executable : "?:\\Program.exe" or
- process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""
- )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -86,6 +58,32 @@ Unquoted service paths in Windows can be exploited by adversaries to escalate pr - Restore the affected system from a known good backup if malicious activity is confirmed and system integrity is compromised. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar suspicious activities across the network to detect and respond to future attempts promptly.""" +risk_score = 21 +rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + ( + process.executable : "?:\\Program.exe" or + process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe""" + ) +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 8981cfca92b..5b21a32b1eb 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml 
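Review bot: The regex clause of the query on the new side, `process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""`, leaves the `.` before `exe` unescaped (it matches any character, not a literal dot) and uses the case-sensitive `regex` operator, whereas the sibling clause `process.executable : "?:\\Program.exe"` is matched case-insensitively and is drive-agnostic. If any of the listed data sources reports `process.executable` with different casing than the on-disk path (for example a lowercased `c:\program files\...`), the regex branch will not fire while the `:` branch would have, so coverage differs between the two branches for no evident reason; this is worth confirming against the Sysmon and Windows Security Event Log sources the rule now tags. Consider `process.executable regex~ """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+\.exe"""` (case-insensitive operator, escaped dot). These lines are moved rather than written by this commit, so treat this as a follow-up rather than a regression.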
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index 1818cfcba80..de94d161c2a 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -23,40 +21,6 @@ index = ["logs-endpoint.events.process-*", "logs-system.security*", "logs-window language = "eql" license = "Elastic License v2" name = "Unusual Print Spooler Child Process" -references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] -risk_score = 47 -rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "spoolsv.exe" and process.command_line != null and - (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and - - /* exclusions for FP control below */ - not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and - not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and - not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and - not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and - not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and - not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and - not process.executable : ( - "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe", - "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -94,6 +58,40 @@ The Print Spooler service, integral to Windows environments, manages print jobs - Restore the system from a clean backup if any unauthorized changes or malicious activities are confirmed. - Monitor the system closely for any recurrence of similar suspicious activities, ensuring enhanced logging and alerting are in place for spoolsv.exe and its child processes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] +risk_score = 47 +rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "spoolsv.exe" and process.command_line != null and + (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and + + /* exclusions for FP control below */ + not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and + not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and + not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and + not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and + not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and + not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and + not 
process.executable : ( + "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe", + "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe" + ) +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index d2e8805865a..5205c3c67f0 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,10 +12,53 @@ This may indicate a code injection or an equivalent form of exploitation. """ false_positives = ["Changes to Windows services or a rarely executed child process."] from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Unusual Service Host Child Process - Childless Service" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Service Host Child Process - Childless Service + +Service Host (svchost.exe) is a critical Windows process that hosts multiple services to optimize resource usage. Typically, certain services under svchost.exe do not spawn child processes. Adversaries exploit this by injecting malicious code to execute unauthorized processes, evading detection. The detection rule identifies anomalies by monitoring child processes of traditionally childless services, flagging potential exploitation attempts. + +### Possible investigation steps + +- Review the process details of the child process, including its name and executable path, to determine if it is a known legitimate process or potentially malicious. +- Examine the parent process arguments to confirm if the svchost.exe instance is associated with a service that traditionally does not spawn child processes, as listed in the query. 
+- Check the process creation time and correlate it with any other suspicious activities or alerts in the system around the same timeframe. +- Investigate the user account under which the child process was executed to assess if it has the necessary privileges and if the activity aligns with typical user behavior. +- Analyze any network connections or file modifications made by the child process to identify potential malicious actions or data exfiltration attempts. +- Cross-reference the child process with known false positives listed in the query to rule out benign activities. +- Utilize threat intelligence sources to determine if the child process or its executable path is associated with known malware or attack patterns. + +### False positive analysis + +- Processes like WerFault.exe, WerFaultSecure.exe, and wermgr.exe are known to be legitimate Windows error reporting tools that may occasionally be spawned by svchost.exe. To handle these, add them to the exclusion list in the detection rule to prevent unnecessary alerts. +- RelPost.exe associated with WdiSystemHost can be a legitimate process in certain environments. If this is a common occurrence, consider adding an exception for this executable when it is spawned by WdiSystemHost. +- Rundll32.exe executing winethc.dll with ForceProxyDetectionOnNextRun arguments under WdiServiceHost may be a benign operation in some network configurations. If verified as non-malicious, exclude this specific process and argument combination. +- Processes under the imgsvc service, such as lexexe.exe from Kodak directories, might be legitimate in environments using specific imaging software. Validate these occurrences and exclude them if they are confirmed to be non-threatening. +- Regularly review and update the exclusion list to ensure it reflects the current environment and does not inadvertently allow malicious activity. 
+ +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Terminate any suspicious child processes spawned by svchost.exe that are not typically associated with legitimate operations, as identified in the alert. +- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any injected malicious code or associated malware. +- Review and analyze the process tree and parent-child relationships to understand the scope of the compromise and identify any additional affected processes or systems. +- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. +- Implement enhanced monitoring and logging for svchost.exe and related processes to detect similar anomalies in the future, ensuring that alerts are configured to notify the appropriate personnel promptly.""" risk_score = 47 rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7" severity = "medium" 
@@ -65,42 +106,6 @@ process where host.os.type == "windows" and event.type == "start" and ) and process.parent.args : "imgsvc" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Service Host Child Process - Childless Service - -Service Host (svchost.exe) is a critical Windows process that hosts multiple services to optimize resource usage. Typically, certain services under svchost.exe do not spawn child processes. Adversaries exploit this by injecting malicious code to execute unauthorized processes, evading detection. The detection rule identifies anomalies by monitoring child processes of traditionally childless services, flagging potential exploitation attempts. - -### Possible investigation steps - -- Review the process details of the child process, including its name and executable path, to determine if it is a known legitimate process or potentially malicious. -- Examine the parent process arguments to confirm if the svchost.exe instance is associated with a service that traditionally does not spawn child processes, as listed in the query. -- Check the process creation time and correlate it with any other suspicious activities or alerts in the system around the same timeframe. -- Investigate the user account under which the child process was executed to assess if it has the necessary privileges and if the activity aligns with typical user behavior. -- Analyze any network connections or file modifications made by the child process to identify potential malicious actions or data exfiltration attempts. -- Cross-reference the child process with known false positives listed in the query to rule out benign activities. 
-- Utilize threat intelligence sources to determine if the child process or its executable path is associated with known malware or attack patterns. - -### False positive analysis - -- Processes like WerFault.exe, WerFaultSecure.exe, and wermgr.exe are known to be legitimate Windows error reporting tools that may occasionally be spawned by svchost.exe. To handle these, add them to the exclusion list in the detection rule to prevent unnecessary alerts. -- RelPost.exe associated with WdiSystemHost can be a legitimate process in certain environments. If this is a common occurrence, consider adding an exception for this executable when it is spawned by WdiSystemHost. -- Rundll32.exe executing winethc.dll with ForceProxyDetectionOnNextRun arguments under WdiServiceHost may be a benign operation in some network configurations. If verified as non-malicious, exclude this specific process and argument combination. -- Processes under the imgsvc service, such as lexexe.exe from Kodak directories, might be legitimate in environments using specific imaging software. Validate these occurrences and exclude them if they are confirmed to be non-threatening. -- Regularly review and update the exclusion list to ensure it reflects the current environment and does not inadvertently allow malicious activity. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Terminate any suspicious child processes spawned by svchost.exe that are not typically associated with legitimate operations, as identified in the alert. -- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any injected malicious code or associated malware. -- Review and analyze the process tree and parent-child relationships to understand the scope of the compromise and identify any additional affected processes or systems. 
-- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. -- Implement enhanced monitoring and logging for svchost.exe and related processes to detect similar anomalies in the future, ensuring that alerts are configured to notify the appropriate personnel promptly.""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index 4dd46dd406e..a19567ca16a 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -updated_date = "2025/02/25" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,40 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via Rogue Named Pipe Impersonation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Privilege Escalation via Rogue Named Pipe Impersonation + +Named pipes in Windows facilitate inter-process communication, allowing data exchange between processes. Adversaries exploit this by creating rogue named pipes, tricking privileged processes into connecting and executing malicious actions under elevated privileges. The detection rule identifies suspicious named pipe creation events, focusing on patterns indicative of impersonation attempts, thus flagging potential privilege escalation activities. + +### Possible investigation steps + +- Review the event logs for the specific named pipe creation event identified by the query, focusing on the file.name field to determine the exact named pipe path and assess its legitimacy. +- Correlate the event with the process that created the named pipe by examining related process creation logs, identifying the process ID and executable responsible for the action. +- Investigate the user context under which the named pipe was created to determine if it aligns with expected behavior or if it indicates potential misuse of privileges. +- Check for any recent changes or anomalies in the system's configuration or user accounts that could suggest unauthorized access or privilege escalation attempts. +- Analyze historical data for similar named pipe creation events to identify patterns or repeated attempts that could indicate a persistent threat or ongoing attack. 
+ +### False positive analysis + +- Legitimate software or system processes may create named pipes that match the detection pattern. Regularly review and whitelist known benign processes that frequently create named pipes to reduce noise. +- System management tools and monitoring software might generate named pipe creation events as part of their normal operation. Identify these tools and exclude their events from triggering alerts. +- Custom in-house applications that use named pipes for inter-process communication can trigger false positives. Work with development teams to document these applications and create exceptions for their activity. +- Scheduled tasks or scripts that run with elevated privileges and create named pipes could be mistaken for malicious activity. Ensure these tasks are documented and excluded from the detection rule. +- Security software or endpoint protection solutions may use named pipes for legitimate purposes. Verify these activities and adjust the rule to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes associated with the rogue named pipe to halt any ongoing malicious activities. +- Conduct a thorough review of the system's event logs, focusing on named pipe creation events, to identify any other potentially compromised processes or systems. +- Reset credentials for any accounts that may have been exposed or used in the privilege escalation attempt to prevent further unauthorized access. +- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. +- Implement enhanced monitoring for named pipe creation events across the network to detect and respond to similar threats in the future. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" references = [ "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", "https://github.com/zcgonvh/EfsPotato", 
@@ -57,40 +89,6 @@ file where host.os.type == "windows" and /* Sysmon truncates the "Pipe" keyword in normal named pipe creation events */ file.name : "\\*\\Pipe\\*" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Privilege Escalation via Rogue Named Pipe Impersonation - -Named pipes in Windows facilitate inter-process communication, allowing data exchange between processes. Adversaries exploit this by creating rogue named pipes, tricking privileged processes into connecting and executing malicious actions under elevated privileges. The detection rule identifies suspicious named pipe creation events, focusing on patterns indicative of impersonation attempts, thus flagging potential privilege escalation activities. - -### Possible investigation steps - -- Review the event logs for the specific named pipe creation event identified by the query, focusing on the file.name field to determine the exact named pipe path and assess its legitimacy. -- Correlate the event with the process that created the named pipe by examining related process creation logs, identifying the process ID and executable responsible for the action. -- Investigate the user context under which the named pipe was created to determine if it aligns with expected behavior or if it indicates potential misuse of privileges. -- Check for any recent changes or anomalies in the system's configuration or user accounts that could suggest unauthorized access or privilege escalation attempts. -- Analyze historical data for similar named pipe creation events to identify patterns or repeated attempts that could indicate a persistent threat or ongoing attack. 
- -### False positive analysis - -- Legitimate software or system processes may create named pipes that match the detection pattern. Regularly review and whitelist known benign processes that frequently create named pipes to reduce noise. -- System management tools and monitoring software might generate named pipe creation events as part of their normal operation. Identify these tools and exclude their events from triggering alerts. -- Custom in-house applications that use named pipes for inter-process communication can trigger false positives. Work with development teams to document these applications and create exceptions for their activity. -- Scheduled tasks or scripts that run with elevated privileges and create named pipes could be mistaken for malicious activity. Ensure these tasks are documented and excluded from the detection rule. -- Security software or endpoint protection solutions may use named pipes for legitimate purposes. Verify these activities and adjust the rule to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious processes associated with the rogue named pipe to halt any ongoing malicious activities. -- Conduct a thorough review of the system's event logs, focusing on named pipe creation events, to identify any other potentially compromised processes or systems. -- Reset credentials for any accounts that may have been exposed or used in the privilege escalation attempt to prevent further unauthorized access. -- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. -- Implement enhanced monitoring for named pipe creation events across the network to detect and respond to similar threats in the future. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml index bb3ec426e4b..3f5256352a7 100644 --- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml +++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/07" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Windows Service Installed via an Unusual Client" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Windows Service Installed via an Unusual Client + +Windows services are crucial for running background processes with elevated privileges. Adversaries exploit this by creating services to escalate privileges from administrator to SYSTEM. The detection rule identifies anomalies by flagging service installations initiated by atypical processes, excluding known legitimate services. This helps in spotting potential privilege escalation attempts by monitoring unusual client activity. + +### Possible investigation steps + +- Review the event logs to identify the specific client process that initiated the service installation by examining the winlog.event_data.ClientProcessId and winlog.event_data.ParentProcessId fields. +- Investigate the parent process associated with the unusual client process to determine if it is a known legitimate application or potentially malicious. +- Check the winlog.event_data.ServiceFileName to verify the path and name of the service file, ensuring it is not a known legitimate service excluded in the query. +- Analyze the timeline of events around the service installation to identify any preceding suspicious activities or related alerts that might indicate a broader attack. +- Conduct a reputation check on the client process and service file using threat intelligence sources to assess if they are associated with known malicious activities. 
+- Examine the system for any additional indicators of compromise, such as unexpected network connections or changes to critical system files, that may suggest privilege escalation or lateral movement attempts. + +### False positive analysis + +- Legitimate software installations or updates may trigger the rule if they create services using unusual client processes. To manage this, identify and whitelist these processes in the detection rule to prevent unnecessary alerts. +- System management tools like Veeam and PDQ Inventory are already excluded, but other similar tools might not be. Regularly review and update the exclusion list to include any additional legitimate tools used in your environment. +- Custom scripts or administrative tools that create services for maintenance or monitoring purposes can also cause false positives. Document these scripts and consider adding them to the exclusion list if they are verified as safe. +- Temporary or one-time service installations for troubleshooting or testing can be mistaken for threats. Ensure that such activities are logged and communicated to the security team to avoid confusion and unnecessary alerts. +- Changes in system configurations or updates to existing software might alter the behavior of legitimate processes, causing them to be flagged. Regularly review and adjust the detection rule to accommodate these changes while maintaining security integrity. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate the suspicious service and any associated processes identified by the alert to stop potential privilege escalation or malicious activity. +- Conduct a thorough review of the service's configuration and associated files to identify any unauthorized changes or malicious code. +- Restore any altered or compromised system files from a known good backup to ensure system integrity. 
+- Change all administrator and SYSTEM account passwords on the affected system and any connected systems to prevent further unauthorized access. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach. +- Implement additional monitoring and logging on the affected system and similar environments to detect any recurrence of the threat or related suspicious activities.""" references = [ "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", 
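Review bot: The remediation bullet `- Change all administrator and SYSTEM account passwords on the affected system and any connected systems to prevent further unauthorized access.` is not actionable: LocalSystem (SYSTEM) is a built-in identity with no password, so a responder following the guide literally has nothing to rotate for it. What is worth rotating is the credential that actually appears in the event — the subject account that installed the service — plus whatever account the new service is configured to run as; suggested rewording: `- Rotate the credentials of the account that installed the service (the subject user in the event) and of any service or domain account the new service runs as; treat local administrator credentials on the host as compromised.` Separately, the first investigation step points at winlog.event_data.ClientProcessId / ParentProcessId but does not say that these PIDs are only meaningful when correlated with process-creation events from the same host and time window, since Windows reuses PIDs; a short clause to that effect would keep analysts from matching against the wrong process. Both are wording-only changes inside the `note` string and do not touch the query.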
@@ -65,41 +98,6 @@ configuration where host.os.type == "windows" and "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" " ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Windows Service Installed via an Unusual Client - -Windows services are crucial for running background processes with elevated privileges. Adversaries exploit this by creating services to escalate privileges from administrator to SYSTEM. The detection rule identifies anomalies by flagging service installations initiated by atypical processes, excluding known legitimate services. This helps in spotting potential privilege escalation attempts by monitoring unusual client activity. - -### Possible investigation steps - -- Review the event logs to identify the specific client process that initiated the service installation by examining the winlog.event_data.ClientProcessId and winlog.event_data.ParentProcessId fields. -- Investigate the parent process associated with the unusual client process to determine if it is a known legitimate application or potentially malicious. -- Check the winlog.event_data.ServiceFileName to verify the path and name of the service file, ensuring it is not a known legitimate service excluded in the query. -- Analyze the timeline of events around the service installation to identify any preceding suspicious activities or related alerts that might indicate a broader attack. -- Conduct a reputation check on the client process and service file using threat intelligence sources to assess if they are associated with known malicious activities. 
-- Examine the system for any additional indicators of compromise, such as unexpected network connections or changes to critical system files, that may suggest privilege escalation or lateral movement attempts. - -### False positive analysis - -- Legitimate software installations or updates may trigger the rule if they create services using unusual client processes. To manage this, identify and whitelist these processes in the detection rule to prevent unnecessary alerts. -- System management tools like Veeam and PDQ Inventory are already excluded, but other similar tools might not be. Regularly review and update the exclusion list to include any additional legitimate tools used in your environment. -- Custom scripts or administrative tools that create services for maintenance or monitoring purposes can also cause false positives. Document these scripts and consider adding them to the exclusion list if they are verified as safe. -- Temporary or one-time service installations for troubleshooting or testing can be mistaken for threats. Ensure that such activities are logged and communicated to the security team to avoid confusion and unnecessary alerts. -- Changes in system configurations or updates to existing software might alter the behavior of legitimate processes, causing them to be flagged. Regularly review and adjust the detection rule to accommodate these changes while maintaining security integrity. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate the suspicious service and any associated processes identified by the alert to stop potential privilege escalation or malicious activity. -- Conduct a thorough review of the service's configuration and associated files to identify any unauthorized changes or malicious code. -- Restore any altered or compromised system files from a known good backup to ensure system integrity. 
-- Change all administrator and SYSTEM account passwords on the affected system and any connected systems to prevent further unauthorized access. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach. -- Implement additional monitoring and logging on the affected system and similar environments to detect any recurrence of the threat or related suspicious activities.""" [[rule.threat]] diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml index 9ac96708907..5fd3ef741f5 100644 --- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml +++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -30,7 +28,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml index e62bcef9ad2..529eff840b9 100644 --- a/rules_building_block/collection_outlook_email_archive.toml +++ b/rules_building_block/collection_outlook_email_archive.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml index 758463862ac..62459cca5d3 100644 --- a/rules_building_block/collection_posh_compression.toml +++ b/rules_building_block/collection_posh_compression.toml @@ -3,13 +3,11 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/10" - +updated_date = "2025/03/20" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration. @@ -40,10 +38,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category:process and host.os.type:windows and 
@@ -75,41 +79,42 @@ not file.directory : ( ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*" - +case_insensitive = true +value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" - +case_insensitive = true +value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Expand-Archive.ps1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Expand-Archive.ps1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Compress-Archive.ps1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Compress-Archive.ps1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -117,26 +122,26 @@ id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index d2170ca1392..3952b06069b 100644 --- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml index 3216e4d2f6f..4ed4c5547f0 100644 --- a/rules_building_block/command_and_control_certutil_network_connection.toml +++ b/rules_building_block/command_and_control_certutil_network_connection.toml 
@@ -1,13 +1,42 @@ [metadata] +bypass_bbr_timing = true creation_date = "2020/03/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -bypass_bbr_timing = true -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] +[[transform.investigate]] +label = "Alerts associated with the user in the last 48h" +providers = [ + [ + { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, + { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" } + ] +] +relativeFrom = "now-48h/h" +relativeTo = "now" + +[[transform.investigate]] +label = "Alerts associated with the host in the last 48h" +providers = [ + [ + { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, + { excluded = false, field = "host.name", queryType = "phrase", value = "{{host.name}}", valueType = "string" } + ] +] +relativeFrom = "now-48h/h" +relativeTo = "now" + +[[transform.investigate]] +label = "Investigate the Subject Process Network Events" +providers = [ + [ + { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" } + ] +] + [[transform.osquery]] label = "Osquery - Retrieve DNS Cache" query = "SELECT * FROM dns_cache" 
@@ -32,37 +61,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ -[[transform.investigate]] -label = "Alerts associated with the user in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "user.id", excluded = false, queryType = "phrase", value = "{{user.id}}", valueType = "string"} - ] -] - -[[transform.investigate]] -label = "Alerts associated with the host in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "host.name", excluded = false, queryType = "phrase", value = "{{host.name}}", valueType = "string"} - ] -] - -[[transform.investigate]] -label = "Investigate the Subject Process Network Events" -providers = [ - [ - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.entity_id}}", valueType = "string"}, - {field = "event.category", excluded = false, queryType = "phrase", value = "network", valueType = "string"} - ] -] - [rule] author = ["Elastic"] 
@@ -137,7 +135,17 @@ references = [ risk_score = 21 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Elastic Endgame", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml index a2cbeacc147..6eb634e33de 100644 --- a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -2,10 +2,8 @@ bypass_bbr_timing = true creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -15,7 +13,13 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "Microsoft IIS Service Account Password Dumped" 
diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index b310d2c5f6d..c4ef158a6dc 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml +++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index 9bf8d304263..b46bd062dc8 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml index 74c2776b862..d01afb35166 100644 --- a/rules_building_block/defense_evasion_cmstp_execution.toml +++ b/rules_building_block/defense_evasion_cmstp_execution.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml index 55afd9005e5..789ad40ccec 100644 --- a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml +++ b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml @@ -2,16 +2,20 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] building_block_type = "default" description = "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\n" from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/defense_evasion_installutil_command_activity.toml b/rules_building_block/defense_evasion_installutil_command_activity.toml index 64165d53dee..86102a0b458 100644 --- a/rules_building_block/defense_evasion_installutil_command_activity.toml +++ b/rules_building_block/defense_evasion_installutil_command_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,7 +13,13 @@ installer components specified in .NET binaries. Adversaries may use InstallUtil a trusted Windows utility. """ from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml index 7854e0caae8..6c94369c5a7 100644 --- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab fi unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files. """ from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/defense_evasion_posh_defender_tampering.toml b/rules_building_block/defense_evasion_posh_defender_tampering.toml index bfccbb39e08..91d9ec2d565 100644 --- a/rules_building_block/defense_evasion_posh_defender_tampering.toml +++ b/rules_building_block/defense_evasion_posh_defender_tampering.toml 
@@ -3,13 +3,11 @@ bypass_bbr_timing = true creation_date = "2024/09/11" integration = ["windows"] maturity = "production" -updated_date = "2025/01/13" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." - +updated_date = "2025/03/20" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads. @@ -40,10 +38,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category: "process" and host.os.type:windows and diff --git a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml index ed5067dbc9e..2626ddc3e11 100644 --- a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml +++ b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml 
@@ -2,25 +2,24 @@ creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2024/10/28" +updated_date = "2025/03/20" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Log Clear Capabilities" references = [ - "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", - "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog" + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog", ] risk_score = 21 rule_id = "3d3aa8f9-12af-441f-9344-9f31053e316d" @@ -43,10 +42,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category:process and host.os.type:windows and 
@@ -62,20 +67,21 @@ event.category:process and host.os.type:windows and not file.directory : "C:\Program Files\WindowsAdminCenter\PowerShellModules\Microsoft.WindowsAdminCenter.Configuration" ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1" - +case_insensitive = true +value = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Resources\\\\*\\\\M365Library.ps1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Resources\\\\*\\\\M365Library.ps1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -87,26 +93,27 @@ id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml index d8411c0a57f..9eb28e15955 100644 
--- a/rules_building_block/defense_evasion_service_path_registry.toml +++ b/rules_building_block/defense_evasion_service_path_registry.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -30,7 +28,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index 088e46ce1ae..5a13a3271d6 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml index 6928b4187a8..0866538725d 100644 --- a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml +++ b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml index 70173ff156b..90930db47e5 100644 --- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml +++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml @@ -2,16 +2,20 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] building_block_type = "default" description = "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\n" from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index 1d1c148c5cb..ca738169f21 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml index b9a6fec3080..2fec57a2b03 100644 --- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml 
+++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2022/11/01" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -15,7 +13,13 @@ Identifies the execution of discovery commands to enumerate system information, Command Shell. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "System Information Discovery via Windows Command Shell" diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index e2de88493cf..60a147263ed 100644 --- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,7 +13,13 @@ This rule identifies the execution of commands that can be used to enumerate run enumerate processes to identify installed applications and security solutions. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "Process Discovery Using Built-in Tools" diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index 1842896d8bc..4d83aa90687 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml index 2a994dd4184..196586ddc82 100644 --- a/rules_building_block/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml index 0e3060ae30a..38dee1fa68f 100644 --- a/rules_building_block/discovery_posh_generic.toml +++ b/rules_building_block/discovery_posh_generic.toml 
@@ -2,20 +2,18 @@ creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/13" - +updated_date = "2025/03/20" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Discovery Capabilities" @@ -40,10 +38,17 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Discovery", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category:process and host.os.type:windows and 
@@ -142,84 +147,89 @@ event.category:process and host.os.type:windows and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1" - +case_insensitive = true +value = "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1" - +case_insensitive = true +value = "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\TEMP\\\\SDIAG*" - +case_insensitive = true +value = "?:\\\\Windows\\\\TEMP\\\\SDIAG*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Temp\\\\SDIAG*" - +case_insensitive = true +value = "?:\\\\Temp\\\\SDIAG*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = 
"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*" - - +case_insensitive = true +value = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1007" +name = "System Service Discovery" +reference = "https://attack.mitre.org/techniques/T1007/" [[rule.threat.technique]] -id = "T1087" -name = "Account Discovery" -reference = "https://attack.mitre.org/techniques/T1087/" -[[rule.threat.technique.subtechnique]] -id = "T1087.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1087/001/" -[[rule.threat.technique.subtechnique]] -id = "T1087.002" -name = "Domain Account" -reference = "https://attack.mitre.org/techniques/T1087/002/" +id = "T1012" +name = "Query Registry" +reference = "https://attack.mitre.org/techniques/T1012/" +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = "https://attack.mitre.org/techniques/T1049/" [[rule.threat.technique]] -id = "T1482" -name = "Domain Trust Discovery" -reference = "https://attack.mitre.org/techniques/T1482/" +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [[rule.threat.technique]] id = "T1082" 
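Review bot: The new side of this hunk lists T1082 twice: the added block `[[rule.threat.technique]]` / `id = "T1082"` / `name = "System Information Discovery"` is immediately followed by the unchanged context lines `[[rule.threat.technique]]` / `id = "T1082"`, so the reordered technique list keeps the duplicate T1082 entry the old file already had instead of collapsing it. The later hunk in this same file removes a third T1082 entry, which suggests the reorder was a mechanical sort that did not dedupe; a duplicated technique inflates ATT&CK coverage counts and may be rejected by rule validation. The simplest fix is to drop the four added T1082 lines here and keep the existing entry that follows. The `[[rule.threat]]` table continues past the end of this hunk.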
@@ -232,9 +242,19 @@ name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" [[rule.threat.technique]] -id = "T1615" -name = "Group Policy Discovery" -reference = "https://attack.mitre.org/techniques/T1615/" +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" +[[rule.threat.technique.subtechnique]] +id = "T1087.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1087/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" + [[rule.threat.technique]] id = "T1135" 
@@ -247,45 +267,30 @@ name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" [[rule.threat.technique]] -id = "T1057" -name = "Process Discovery" -reference = "https://attack.mitre.org/techniques/T1057/" +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" -[[rule.threat.technique]] -id = "T1012" -name = "Query Registry" -reference = "https://attack.mitre.org/techniques/T1012/" - -[[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" [[rule.threat.technique]] -id = "T1049" -name = "System Network Connections Discovery" -reference = "https://attack.mitre.org/techniques/T1049/" +id = "T1615" +name = "Group Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1615/" -[[rule.threat.technique]] -id = "T1007" -name = "System Service Discovery" -reference = "https://attack.mitre.org/techniques/T1007/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index 3178120fd4f..2c41449a86b 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 37b12767ed3..49272de507f 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -2,10 +2,8 @@ bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml index e56e9b0e2c3..ace9b215e1b 100644 --- a/rules_building_block/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,7 +13,13 @@ Identifies the use of Windows Management Instrumentation Command (WMIC) to disco such as AntiVirus or Host Firewall details. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "Security Software Discovery using WMIC" diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml index 65015a1e939..0027196aa52 100644 --- a/rules_building_block/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -16,7 +14,13 @@ reconnaissance phase after compromising a system in order to gain a better under escalate privileges. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "System Service Discovery through built-in Windows Utilities" diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml index 1e62fda4afc..4966907e28e 100644 --- a/rules_building_block/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml 
@@ -2,10 +2,8 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -15,7 +13,13 @@ Detects the usage of commonly used system time discovery techniques, which attac phase after compromising a system. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "System Time Discovery" diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index a498c69d534..c2deaf4223a 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,7 +13,13 @@ Detects the execution of commands used to discover information about the system, compromising a system to gain situational awareness. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "Windows System Information Discovery" diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml index e8ab2101ae1..493f8c1d897 100644 --- a/rules_building_block/execution_github_new_event_action_for_pat.toml +++ b/rules_building_block/execution_github_new_event_action_for_pat.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml index af1fe749b4a..7fe869ba5b9 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml index 5aabab32d3c..d49d6623008 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml index 40ab0a8d88b..0b5f2635db1 100644 --- a/rules_building_block/execution_github_repo_created.toml +++ b/rules_building_block/execution_github_repo_created.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml index 46e625fe8c3..60a170fd098 100644 --- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml +++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index e359ebfef9c..1c014464624 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -31,7 +29,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", - "Data Source: Elastic Endgame" + "Data Source: Elastic Endgame", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml index 35ebcffc21b..882eb57f1b8 100644 --- a/rules_building_block/execution_wmi_wbemtest.toml +++ b/rules_building_block/execution_wmi_wbemtest.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI ob local or remote endpoints. """ from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" 
diff --git a/rules_building_block/impact_github_member_removed_from_organization.toml b/rules_building_block/impact_github_member_removed_from_organization.toml index 7153494eaa4..dd033c85e0e 100644 --- a/rules_building_block/impact_github_member_removed_from_organization.toml +++ b/rules_building_block/impact_github_member_removed_from_organization.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml index 4dd48492420..f94c6f93197 100644 --- a/rules_building_block/impact_github_pat_access_revoked.toml +++ b/rules_building_block/impact_github_pat_access_revoked.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/impact_github_user_blocked_from_organization.toml b/rules_building_block/impact_github_user_blocked_from_organization.toml index 60fb77cb60d..fe47316b132 100644 --- a/rules_building_block/impact_github_user_blocked_from_organization.toml +++ b/rules_building_block/impact_github_user_blocked_from_organization.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml index 173fa693fb1..37549956dce 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/initial_access_github_new_ip_address_for_user.toml b/rules_building_block/initial_access_github_new_ip_address_for_user.toml index b9e80d855c5..37c0310bccb 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_user.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_user.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml index de9956f7246..f0283064362 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_user.toml b/rules_building_block/initial_access_github_new_user_agent_for_user.toml
index 15d3b4dfcf7..00894a02e93 100644
--- a/rules_building_block/initial_access_github_new_user_agent_for_user.toml
+++ b/rules_building_block/initial_access_github_new_user_agent_for_user.toml
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/12/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml
index 57593d58f83..ddedfe457c3 100644
--- a/rules_building_block/lateral_movement_at.toml
+++ b/rules_building_block/lateral_movement_at.toml
@@ -2,9 +2,7 @@ creation_date = "2023/08/21"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ Identifies use of at.exe to interact with the task scheduler on remote hosts. Re
 execution could be indicative of adversary lateral movement.
 """
 from = "now-119m"
-index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"]
+index = [
+ "endgame-*",
+ "logs-endpoint.events.process-*",
+ "logs-system.security*",
+ "logs-windows.*",
+ "winlogbeat-*",
+]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
index 10926d95cb6..be606f96344 100644
--- a/rules_building_block/lateral_movement_posh_winrm_activity.toml
+++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml @@ -2,26 +2,25 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/13" +updated_date = "2025/03/20" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Remote Execution Capabilities via WinRM" references = [ - "https://attack.mitre.org/techniques/T1021/006/", - "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", - "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py" + "https://attack.mitre.org/techniques/T1021/006/", + "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py", ] risk_score = 21 rule_id = "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83" 
@@ -43,12 +42,18 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ - severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category:process and host.os.type:windows and @@ -67,27 +72,28 @@ event.category:process and host.os.type:windows and ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\allcommands.ps1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\allcommands.ps1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.directory"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\*\\\\bin" - +case_insensitive = true +value = "?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\*\\\\bin" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.directory"] -"case_insensitive" = true -"value" = "?:\\\\ExchangeServer\\\\bin*" - +case_insensitive = true +value = "?:\\\\ExchangeServer\\\\bin*" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -105,21 +111,19 @@ reference = "https://attack.mitre.org/techniques/T1021/006/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 63d3a181fcc..75ac81fc7f1 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml index 1e6f93f050b..11d8588d202 100644 --- a/rules_building_block/persistence_github_new_pat_for_user.toml +++ b/rules_building_block/persistence_github_new_pat_for_user.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/12/10" -min_stack_version = "8.13.0" -min_stack_comments = "Breaking change at 8.13.0 for the Github Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml index 70bec844ae0..ebf6de67223 100644 
--- a/rules_building_block/persistence_github_new_user_added_to_organization.toml
+++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/12/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml
index d4a1efd3be7..97741545325 100644
--- a/rules_building_block/persistence_transport_agent_exchange.toml
+++ b/rules_building_block/persistence_transport_agent_exchange.toml
@@ -2,9 +2,7 @@ creation_date = "2023/07/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/persistence_web_server_sus_file_creation.toml b/rules_building_block/persistence_web_server_sus_file_creation.toml
index 805e785a620..9aaeb1a79ee 100644
--- a/rules_building_block/persistence_web_server_sus_file_creation.toml
+++ b/rules_building_block/persistence_web_server_sus_file_creation.toml
@@ -3,18 +3,16 @@ bypass_bbr_timing = true creation_date = "2025/03/06" integration = ["endpoint"] maturity = "production" -min_stack_comments = "ES|QL rule type in technical preview as of 8.13" -min_stack_version = "8.13.0" -updated_date = "2025/03/06" +updated_date = "2025/04/03" [rule] author = ["Elastic"] building_block_type = "default" description = """ -This rule detects unusual file creations from a web server parent process. Adversaries may attempt to -create files from a web server parent process to establish persistence, execute malicious scripts, or -exfiltrate data. ES|QL rules have limited fields available in its alert documents. Make sure to review -the original documents to aid in the investigation of this alert. +This rule detects unusual file creations from a web server parent process. Adversaries may attempt to create files from +a web server parent process to establish persistence, execute malicious scripts, or exfiltrate data. ES|QL rules have +limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation +of this alert. """ from = "now-61m" interval = "1h" @@ -61,9 +59,10 @@ tags = [ ] timestamp_override = "event.ingested" type = "esql" + query = ''' from logs-endpoint.events.file-* -| keep @timestamp, host.os.type, event.type, event.action, user.name, user.id, process.name, process.executable, file.path, agent.id +| keep @timestamp, host.os.type, event.type, event.action, user.name, user.id, process.name, process.executable, file.path, agent.id, host.name | where @timestamp > now() - 1 hours | where host.os.type == "linux" and event.type == "change" and event.action in ("rename", "creation") and ( user.name in ( 
@@ -81,57 +80,57 @@ from logs-endpoint.events.file-* process.name like "ruby*" or process.name like "perl*" ) -| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, file.path +| stats cc = count(), agent_count = count_distinct(agent.id), host.name = VALUES(host.name), agent.id = VALUES(agent.id) by process.executable, file.path | where agent_count == 1 and cc < 5 | sort cc asc | limit 100 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Persistence" -id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = 
"https://attack.mitre.org/techniques/T1071/" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 23160f00b98..d93d4df4270 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
@@ -133,22 +133,15 @@ def build_rule(query, bbr_type="default", from_field="now-120m", interval="60m") def test_max_signals_note(self): """Ensure the max_signals note is present when max_signals > 1000.""" - max_signal_standard_setup = 'This rule is configured to generate more **Max alerts per run** than the ' \ - 'default 1000 alerts per run set for all rules. This is to ensure that it ' \ - "captures as many alerts as possible.\n\n**IMPORTANT:** The rule's " \ - '**Max alerts per run** setting can be superseded by the ' \ - '`xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines ' \ - 'the maximum alerts generated by _any_ rule in the Kibana alerting framework. ' \ - 'For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule ' \ - 'will still generate no more than 1000 alerts even if its own **Max alerts per ' \ - 'run** is set higher.\n\nTo make sure this rule can generate as many alerts as ' \ - "it's configured in its own **Max alerts per run** setting, increase the " \ - '`xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** ' \ - 'Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless ' \ - 'projects.' + max_signal_standard_setup = 'For information on troubleshooting the maximum alerts warning '\ + 'please refer to this [guide]'\ + '(https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).' # noqa: E501 for rule in self.all_rules: if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000: - error_message = f'{self.rule_str(rule)} note required for max_signals > 1000' + error_message = f'{self.rule_str(rule)} max_signals cannot exceed 1000.' 
+ self.fail(f'{self.rule_str(rule)} max_signals cannot exceed 1000.')
+ if rule.contents.data.max_signals and rule.contents.data.max_signals == 1000:
+ error_message = f'{self.rule_str(rule)} note required for max_signals == 1000'
 self.assertIsNotNone(rule.contents.data.setup, error_message)
 if max_signal_standard_setup not in rule.contents.data.setup:
 self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n'
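Review bot: In the new `> 1000` branch, `error_message` is assigned on the line before `self.fail(...)` and then never read, because the fail call repeats the same f-string; either pass the variable, `self.fail(error_message)`, or drop the assignment. The method's docstring at the top of the hunk still says the note is required when `max_signals > 1000`, whereas the new code now fails any rule above 1000 and only checks for the note at exactly 1000; suggest `"""Ensure max_signals never exceeds 1000 and the max_signals note is present when max_signals == 1000."""`. The `rule.contents.data.max_signals and` guard in the `== 1000` condition is redundant, since equality with 1000 already implies a truthy value. The closing arguments of the last `self.fail(` call lie outside the hunk.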