Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/security_detection_engine/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# newer versions go on top
# NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
- version: 8.10.1-beta.1
changes:
- description: Release security rules update
type: enhancement
link: https://github.com/elastic/integrations/pull/7450
- version: 8.9.3
changes:
- description: Release security rules update
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.",
"from": "now-9m",
"index": [
"logs-endpoint.events.network-*",
"logs-network_traffic.*",
"packetbeat-*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Potential Network Scan Detected",
"query": "destination.port : * and event.action : \"network_flow\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n",
"related_integrations": [
{
"package": "endpoint",
"version": "^8.2.0"
},
{
"package": "network_traffic",
"version": "^1.1.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "destination.port",
"type": "long"
},
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "source.ip",
"type": "ip"
}
],
"risk_score": 21,
"rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b",
"severity": "low",
"tags": [
"Domain: Network",
"Tactic: Discovery",
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring"
],
"threat": [
{
"framework": "MITRE ATT\u0026CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1046",
"name": "Network Service Discovery",
"reference": "https://attack.mitre.org/techniques/T1046/"
}
]
},
{
"framework": "MITRE ATT\u0026CK",
"tactic": {
"id": "TA0043",
"name": "Reconnaissance",
"reference": "https://attack.mitre.org/tactics/TA0043/"
},
"technique": [
{
"id": "T1595",
"name": "Active Scanning",
"reference": "https://attack.mitre.org/techniques/T1595/",
"subtechnique": [
{
"id": "T1595.001",
"name": "Scanning IP Blocks",
"reference": "https://attack.mitre.org/techniques/T1595/001/"
}
]
}
]
}
],
"threshold": {
"cardinality": [
{
"field": "destination.port",
"value": 250
}
],
"field": [
"destination.ip",
"source.ip"
],
"value": 1
},
"type": "threshold",
"version": 2
},
"id": "0171f283-ade7-4f87-9521-ac346c68cc9b_2",
"type": "security-rule"
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-auditd_manager.auditd-*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Suspicious Proc Pseudo File System Enumeration",
"note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
"query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : \"pidof\" and \nnot process.parent.pid : 1\n",
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "file.path",
"type": "keyword"
},
{
"ecs": true,
"name": "host.os.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.pid",
"type": "long"
}
],
"risk_score": 21,
"rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd",
"setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
"severity": "low",
"tags": [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery"
],
"threat": [
{
"framework": "MITRE ATT\u0026CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1057",
"name": "Process Discovery",
"reference": "https://attack.mitre.org/techniques/T1057/"
},
{
"id": "T1082",
"name": "System Information Discovery",
"reference": "https://attack.mitre.org/techniques/T1082/"
}
]
}
],
"threshold": {
"cardinality": [
{
"field": "file.path",
"value": 100
}
],
"field": [
"host.id",
"process.pid",
"process.name"
],
"value": 1
},
"timestamp_override": "event.ingested",
"type": "threshold",
"version": 2
},
"id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_2",
"type": "security-rule"
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Potential Shell via Wildcard Injection Detected",
"query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"tar\" and process.args : \"--checkpoint=*\" and process.args : \"--checkpoint-action=*\") or\n (process.name == \"rsync\" and process.args : \"-e*\") or\n (process.name == \"zip\" and process.args == \"--unzip-command\") )] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name : (\"tar\", \"rsync\", \"zip\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n",
"references": [
"https://www.exploit-db.com/papers/33930"
],
"related_integrations": [
{
"package": "endpoint",
"version": "^8.2.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "host.id",
"type": "keyword"
},
{
"ecs": true,
"name": "host.os.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.entity_id",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.entity_id",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "0b803267-74c5-444d-ae29-32b5db2d562a",
"severity": "medium",
"tags": [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Tactic: Execution"
],
"threat": [
{
"framework": "MITRE ATT\u0026CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"reference": "https://attack.mitre.org/techniques/T1068/"
}
]
},
{
"framework": "MITRE ATT\u0026CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"reference": "https://attack.mitre.org/techniques/T1059/"
}
]
}
],
"type": "eql",
"version": 1
},
"id": "0b803267-74c5-444d-ae29-32b5db2d562a_1",
"type": "security-rule"
}
Loading