security_detection_engine-8.10.3/LICENSE.txt

Elastic License 2.0

URL: https://www.elastic.co/licensing/elastic-license

## Acceptance

By using the software, you agree to all of the terms and conditions below.

## Copyright License

The licensor grants you a non-exclusive, royalty-free, worldwide, non-sublicensable, non-transferable license to use, copy, distribute, make available, and prepare derivative works of the software, in each case subject to the limitations and conditions below.

## Limitations

You may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the software.

You may not move, change, disable, or circumvent the license key functionality in the software, and you may not remove or obscure any functionality in the software that is protected by the license key.

You may not alter, remove, or obscure any licensing, copyright, or other notices of the licensor in the software. Any use of the licensor’s trademarks is subject to applicable law.

## Patents

The licensor grants you a license, under any patent claims the licensor can license, or becomes able to license, to make, have made, use, sell, offer for sale, import and have imported the software, in each case subject to the limitations and conditions in this license. This license does not cover any patent claims that you cause to be infringed by modifications or additions to the software.

If you or your company make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company.

## Notices

You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms.

If you modify the software, you must include in any modified copies of the software prominent notices stating that you have modified the software.

## No Other Rights

These terms do not imply any licenses other than those expressly granted in these terms.

## Termination

If you use the software in violation of these terms, such use is not licensed, and your licenses will automatically terminate. If the licensor provides you with a notice of your violation, and you cease all violation of this license no later than 30 days after you receive that notice, your licenses will be reinstated retroactively. However, if you violate these terms after such reinstatement, any additional violation of these terms will cause your licenses to terminate automatically and permanently.

## No Liability

*As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim.*

## Definitions

The **licensor** is the entity offering these terms, and the **software** is the software the licensor makes available under these terms, including any portion of it.

**you** refers to the individual or entity agreeing to these terms.

**your company** is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all organizations that have control over, are under the control of, or are under common control with that organization. **control** means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect.

**your licenses** are all the licenses granted to you for the software under these terms.

**use** means anything you do with the software requiring one of your licenses.

**trademark** means trademarks, service marks, and similar rights.
security_detection_engine-8.10.3/NOTICE.txt

Detection Rules
Copyright 2021 Elasticsearch B.V.

---
This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack which is available under a "MIT" license. The rules based on this license are:

- "Potential Evasion via Filter Manager" (06dceabf-adca-48af-ac79-ffdf4c3b1e9a)
- "Process Discovery via Tasklist" (cc16f774-59f9-462d-8b98-d27ccd4519ec)
- "Potential Modification of Accessibility Binaries" (7405ddf1-6c8e-41ce-818f-48bea6bcaed8)
- "Potential Application Shimming via Sdbinst" (fd4a992d-6130-4802-9ff8-829b89ae801f)
- "Trusted Developer Application Usage" (9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1)

MIT License

Copyright (c) 2019 Edoardo Gerosa, Olaf Hartong

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

---
This product bundles rules based on https://github.com/FSecureLABS/leonidas which is available under a "MIT" license. The rules based on this license are:

- "AWS Access Secret in Secrets Manager" (a00681e3-9ed6-447c-ab2c-be648821c622)

MIT License

Copyright (c) 2020 F-Secure LABS

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

security_detection_engine-8.10.3/changelog.yml

# newer versions go on top
# NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
- version: 8.10.3
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/7869
- version: 8.10.3-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/7857
- version: 8.10.2
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/7700
- version: 8.10.2-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/7686
- version: 8.10.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/7457
- version: 8.10.1-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/7450
- version: 8.9.3
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/7227
- version: 8.9.3-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/7223
- version: 8.9.2
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6957
- version: 8.9.2-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6956
- version: 8.8.7
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6955
- version: 8.8.7-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6953
- version: 8.7.9
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6951
- version: 8.7.9-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6940
- version: 8.6.9
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6937
- version: 8.9.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6760
- version: 8.8.6
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6759
- version: 8.7.8
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6757
- version: 8.6.8
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6755
- version: 8.5.8
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6754
- version: 8.8.5
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6726
- version: 8.8.5-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6725
- version: 8.7.7
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6724
- version: 8.7.7-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6721
- version: 8.6.7
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6720
- version: 8.6.7-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6718
- version: 8.5.7
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6717
- version: 8.5.7-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6715
- version: 8.8.4
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6572
- version: 8.8.4-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6564
- version: 8.7.6
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6563
- version: 8.7.6-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6560
- version: 8.6.6
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6558
- version: 8.6.6-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6557
- version: 8.5.6
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6556
- version: 8.5.6-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6552
- version: 8.8.3
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6441
- version: 8.8.3-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6437
- version: 8.7.5
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6436
- version: 8.7.5-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6434
- version: 8.6.5
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6433
- version: 8.6.5-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6424
- version: 8.5.5
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6416
- version: 8.5.5-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6410
- version: 8.8.2
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6261
- version: 8.8.2-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6260
- version: 8.7.4
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6259
- version: 8.7.4-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6257
- version: 8.6.4
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6254
- version: 8.6.4-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6252
- version: 8.5.4
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6250
- version: 8.5.4-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6242
- version: 8.8.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6009
- version: 8.8.1-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6008
- version: 8.7.3
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6007
- version: 8.7.3-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6006
- version: 8.6.3
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6005
- version: 8.6.3-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6004
- version: 8.5.3
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6002
- version: 8.5.3-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/6000
- version: 8.4.5
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5996
- version: 8.4.5-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5995
- version: 8.7.3-beta.0
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5931
- version: 8.7.2
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5860
- version: 8.7.2-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5857
- version: 8.6.2
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5856
- version: 8.6.2-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5844
- version: 8.5.2
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5843
- version: 8.5.2-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5842
- version: 8.4.4
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5839
- version: 8.4.4-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5837
- version: 8.7.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5272
- version: 8.7.1-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5265
- version: 8.6.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5264
- version: 8.6.1-beta.1
  changes:
    - description: Release security rules update
      type: enhancement
      link: https://github.com/elastic/integrations/pull/5263
- version: 8.5.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/5262
      type: enhancement
- version: 8.5.1-beta.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/5261
      type: enhancement
- version: 8.4.3
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/5257
      type: enhancement
- version: 8.4.3-beta.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/5238
      type: enhancement
- version: 8.4.2
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/5062
      type: enhancement
- version: 8.4.2-beta.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/5027
      type: enhancement
- version: 8.3.4
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/5024
      type: enhancement
- version: 8.3.4-beta.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/5000
      type: enhancement
- version: 8.3.3
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/4965
      type: enhancement
- version: 8.4.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/4740
      type: enhancement
- version: 8.3.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/4063
      type: enhancement
- version: 8.2.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/4021
      type: enhancement
- version: 7.16.4
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/4010
      type: enhancement
- version: 8.1.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/3565
      type: enhancement
- version: 7.16.3
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/3556
      type: enhancement
- version: 1.0.2
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/3238
      type: enhancement
- version: 0.16.2
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pulls/3191
      type: enhancement
- version: 0.16.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/2709
      type: enhancement
- version: 1.0.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/2605
      type: enhancement
- version: 0.14.3
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/2329
      type: enhancement
- version: 0.14.2
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/1924
      type: enhancement
- version: 0.14.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pulls/1591
      type: enhancement
- version: 0.13.3
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/1361
      type: enhancement
- version: 0.13.2
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/1297
      type: enhancement
- version: 0.13.1
  changes:
    - description: Release security rules update
      link: https://github.com/elastic/integrations/pull/1177
      type: enhancement
- version: 0.13.1-dev.0
  changes:
    - description: Pre-release for 0.13.1 security rules
      link: https://github.com/elastic/integrations/pull/1144
      type: bugfix
- version: 0.13.0
  changes:
    - description: Fix package for 7.13.0 from detection-rules
      link: https://github.com/elastic/integrations/pull/1127
      type: bugfix
- version: 0.13.0-dev.0
  changes:
    - description: Publish package for 7.13.0 from detection-rules
      link: https://github.com/elastic/integrations/pull/1126
      type: enhancement
- version: 0.0.3
  changes:
    - description: Fix security rules naming
      link: https://github.com/elastic/integrations/pull/987
      type: bugfix
- version: 0.0.2
  changes:
    - description: Change the rules to match Kibana 7.13 prepackaged
      link: https://github.com/elastic/integrations/pull/938
      type: enhancement
- version: 0.0.1-dev.3
  changes:
    - description: Change the integration title
      link: https://github.com/elastic/integrations/pull/896
      type: enhancement
- version: 0.0.1-dev.2
  changes:
    - description: Change the saved object type to security-rule
      link:
        https://github.com/elastic/integrations/pull/797
      type: enhancement
- version: 0.0.1-dev.1
  changes:
    - description: Create package for security's detection engine
      link: https://github.com/elastic/integrations/pull/797
      type: enhancement

security_detection_engine-8.10.3/docs/README.md

# Prebuilt Security Detection Rules

The detection rules package stores the prebuilt security rules for the Elastic Security [detection engine](https://www.elastic.co/guide/en/security/7.13/detection-engine-overview.html).

To download or update the rules, click **Settings** > **Install Prebuilt Security Detection Rules assets**. Then [import](https://www.elastic.co/guide/en/security/master/rules-ui-management.html#load-prebuilt-rules) the rules into the Detection engine.

## License Notice

security_detection_engine-8.10.3/img/security-logo-color-64px.svg

security_detection_engine-8.10.3/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json

{
  "attributes": {
    "author": [
      "Elastic"
    ],
    "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
    "false_positives": [
      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
    ],
    "index": [
      "filebeat-*",
      "logs-okta*"
    ],
    "language": "kuery",
    "license": "Elastic License v2",
    "name": "Attempt to Modify an Okta Policy Rule",
    "note": "",
    "query": "event.dataset:okta.system and event.action:policy.rule.update\n",
    "references": [
      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
      "https://developer.okta.com/docs/reference/api/system-log/",
      "https://developer.okta.com/docs/reference/api/event-types/",
      "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
    ],
    "related_integrations": [
      {
        "package": "okta",
        "version": "^1.3.0"
      }
    ],
    "required_fields": [
      {
        "ecs": true,
        "name": "event.action",
        "type": "keyword"
      },
      {
        "ecs": true,
        "name": "event.dataset",
        "type": "keyword"
      }
    ],
    "risk_score": 21,
    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
    "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
    "severity": "low",
    "tags": [
      "Elastic",
      "Identity",
      "Okta",
      "Continuous Monitoring",
      "SecOps",
      "Identity and Access",
      "Defense Evasion"
    ],
    "threat": [
      {
        "framework": "MITRE ATT\u0026CK",
        "tactic": {
          "id": "TA0005",
          "name": "Defense Evasion",
          "reference": "https://attack.mitre.org/tactics/TA0005/"
        },
        "technique": [
          {
            "id": "T1562",
            "name": "Impair Defenses",
            "reference": "https://attack.mitre.org/techniques/T1562/",
            "subtechnique": [
              {
                "id": "T1562.007",
                "name": "Disable or Modify Cloud Firewall",
                "reference": "https://attack.mitre.org/techniques/T1562/007/"
              }
            ]
          }
        ]
      }
    ],
    "timestamp_override": "event.ingested",
    "type": "query",
    "version": 102
  },
  "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102",
  "type": "security-rule"
}

security_detection_engine-8.10.3/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json

{
  "attributes": {
    "author": [
      "Elastic"
    ],
    "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
    "false_positives": [
      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
    ],
    "index": [
      "filebeat-*",
      "logs-okta*"
    ],
    "language": "kuery",
    "license": "Elastic License v2",
    "name": "Attempt to Modify an Okta Policy Rule",
    "note": "",
    "query": "event.dataset:okta.system and event.action:policy.rule.update\n",
    "references": [
      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
      "https://developer.okta.com/docs/reference/api/system-log/",
      "https://developer.okta.com/docs/reference/api/event-types/",
      "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
    ],
    "related_integrations": [
      {
        "package": "okta",
        "version": "^1.3.0"
      }
    ],
    "required_fields": [
      {
        "ecs": true,
        "name": "event.action",
        "type": "keyword"
      },
      {
        "ecs": true,
        "name": "event.dataset",
        "type": "keyword"
      }
    ],
    "risk_score": 21,
    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
    "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
    "severity": "low",
    "tags": [
      "Use Case: Identity and Access Audit",
      "Data Source: Okta",
      "Use Case: Identity and Access Audit",
      "Tactic: Defense Evasion"
    ],
    "threat": [
      {
        "framework": "MITRE ATT\u0026CK",
        "tactic": {
          "id": "TA0005",
          "name": "Defense Evasion",
          "reference": "https://attack.mitre.org/tactics/TA0005/"
        },
        "technique": [
          {
            "id": "T1562",
            "name": "Impair Defenses",
            "reference": "https://attack.mitre.org/techniques/T1562/",
            "subtechnique": [
              {
                "id": "T1562.007",
                "name": "Disable or Modify Cloud Firewall",
                "reference": "https://attack.mitre.org/techniques/T1562/007/"
              }
            ]
          }
        ]
      }
    ],
    "timestamp_override": "event.ingested",
    "type": "query",
    "version": 103
  },
  "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103",
  "type": "security-rule"
}
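Every version of this saved object carries the same two-term KQL query, `event.dataset:okta.system and event.action:policy.rule.update`, and the version-104 investigation guide names the Okta fields an analyst pulls first. The script below is an added example, not code shipped in the security_detection_engine package or by Elastic: it loads a trimmed copy of the saved object, evaluates the query with a deliberately minimal evaluator that understands only the `field:value and field:value` shape this rule uses (Kibana's real KQL engine does far more), runs it over hand-constructed events in the layout the Okta integration produces, and fills each alert with the guide's triage fields. The event contents, actor names and IPs are constructed, not real logs.

```python
"""Run the "Attempt to Modify an Okta Policy Rule" query over sample events.

Added example; not part of the security_detection_engine package.
Assumptions (not from the package): a tiny evaluator for the
`field:value and field:value` subset of KQL, and constructed ECS events.
"""
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# The saved object from the package, trimmed to the fields used here.
RULE_SAVED_OBJECT = json.loads(r"""
{
  "attributes": {
    "name": "Attempt to Modify an Okta Policy Rule",
    "query": "event.dataset:okta.system and event.action:policy.rule.update\n",
    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
    "severity": "low",
    "risk_score": 21
  },
  "type": "security-rule"
}
""")

# Fields the version-104 investigation guide tells the analyst to review first.
TRIAGE_FIELDS = (
    "okta.actor.alternate_id",
    "okta.actor.type",
    "okta.client.ip",
    "okta.client.user_agent.raw_user_agent",
    "okta.outcome.result",
)

# One `field:value` term. Wildcards, quotes, grouping and nested colons are
# rejected on purpose so a richer query fails loudly instead of silently
# being evaluated as an exact match.
_TERM = re.compile(r"^([A-Za-z0-9_.]+):([^\s*?():'\"]+)$")


def parse_conjunction(query: str) -> List[Tuple[str, str]]:
    """Parse `a:b and c:d ...` into [(field, value), ...]; raise on anything else."""
    terms: List[Tuple[str, str]] = []
    for raw in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        match = _TERM.match(raw)
        if match is None:
            raise ValueError(f"unsupported KQL term: {raw!r}")
        terms.append((match.group(1), match.group(2)))
    return terms


def get_field(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve an ECS dotted field name against a nested event dict."""
    current: Any = event
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches(event: Dict[str, Any], terms: List[Tuple[str, str]]) -> bool:
    """Exact keyword match on every term; terms are AND-ed like the query."""
    return all(get_field(event, field) == value for field, value in terms)


def run_rule(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one alert per matching event, pre-filled with the triage fields."""
    attrs = rule["attributes"]
    terms = parse_conjunction(attrs["query"])
    alerts: List[Dict[str, Any]] = []
    for event in events:
        if matches(event, terms):
            alert: Dict[str, Any] = {"rule_id": attrs["rule_id"], "severity": attrs["severity"]}
            alert.update({field: get_field(event, field) for field in TRIAGE_FIELDS})
            alerts.append(alert)
    return alerts


def _okta_event(action: str, actor: str, ip: str, result: str,
                dataset: str = "okta.system") -> Dict[str, Any]:
    """Build a constructed event in the Okta integration's ECS layout."""
    return {
        "event": {"dataset": dataset, "action": action},
        "okta": {
            "actor": {"alternate_id": actor, "type": "User"},
            "client": {"ip": ip, "user_agent": {"raw_user_agent": "Mozilla/5.0"}},
            "outcome": {"result": result},
        },
    }


# Constructed sample log, not real Okta data.
SAMPLE_EVENTS = [
    _okta_event("policy.rule.update", "admin@example.com", "203.0.113.7", "SUCCESS"),
    _okta_event("user.session.start", "admin@example.com", "203.0.113.7", "SUCCESS"),
    # A failed update still fires: the query does not filter on outcome.
    _okta_event("policy.rule.update", "bob@example.com", "198.51.100.2", "FAILURE"),
    # Same action name but not from the Okta dataset: must not fire.
    _okta_event("policy.rule.update", "ci-bot", "192.0.2.9", "SUCCESS", dataset="other.audit"),
]

if __name__ == "__main__":
    for alert in run_rule(RULE_SAVED_OBJECT, SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Two things the run makes concrete. The rule fires on the attempt, not the outcome: the `FAILURE` event alerts just like the successful one, which is why the guide's "check `okta.outcome.result` to confirm" step exists. And the `event.dataset` term is doing real work: an unrelated source that happens to emit the same `policy.rule.update` action string stays silent, so any custom pipeline that feeds Okta logs under a different dataset name will silently miss this rule.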
security_detection_engine-8.10.3/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": [ "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization." ], "index": [ "filebeat-*", "logs-okta*" ], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy Rule\n\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. 
This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { "package": "okta", "version": "^1.3.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" } ], "risk_score": 21, 
"rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": [ "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization." 
], "index": [ "filebeat-*", "logs-okta*" ], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy Rule\n\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ], "related_integrations": [ { "package": "okta", "version": "^1.3.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" } ], "risk_score": 21, "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", 
"tags": [ "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 105 }, "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. 
It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n /* update here with any new lolbas with dump capability */\n (process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n (process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n (process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n (process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n (process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n (process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n (process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n (process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n)\n", "references": [ "https://lolbas-project.github.io/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": 
"host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.command_line", "type": "wildcard" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" }, { "id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "00140285-b827-4aee-aa09-8113f58a08f3_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", 
"logs-windows.*", "endgame-*", "logs-system.*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": [ "https://lolbas-project.github.io/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.command_line", "type": "wildcard" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": 
"Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" }, { "id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "00140285-b827-4aee-aa09-8113f58a08f3_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": [ "https://lolbas-project.github.io/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", 
"version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.command_line", "type": "wildcard" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" }, { "id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 107 }, "id": "00140285-b827-4aee-aa09-8113f58a08f3_107", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_108.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of known Windows utilities often abused 
to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": [ "https://lolbas-project.github.io/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.command_line", "type": "wildcard" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], 
"threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" }, { "id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 108 }, "id": "00140285-b827-4aee-aa09-8113f58a08f3_108", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry change events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.003", "name": 
"Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry change events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existing services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Persistence", 
"Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry change events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existing services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the 
account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107.json
{ "attributes": { "author": [ "Elastic" ], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry change events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existing services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 107 }, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.", "false_positives": [ "Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. Suspended user accounts are typically used by administrators to remove access to the user while action is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license." 
], "from": "now-130m", "index": [ "filebeat-*", "logs-google_workspace*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Suspended User Account Renewed", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\n", "references": [ "https://support.google.com/a/answer/1110339" ], "related_integrations": [ { "package": "google_workspace", "version": "^2.0.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" } ], "risk_score": 21, "rule_id": "00678712-b2df-11ed-afe9-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", 
"name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 1 }, "id": "00678712-b2df-11ed-afe9-f661ea17fbcc_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.", "false_positives": [ "Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. Suspended user accounts are typically used by administrators to remove access to the user while action is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license." 
], "from": "now-130m", "index": [ "filebeat-*", "logs-google_workspace*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Suspended User Account Renewed", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\n", "references": [ "https://support.google.com/a/answer/1110339" ], "related_integrations": [ { "package": "google_workspace", "version": "^2.0.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" } ], "risk_score": 21, "rule_id": "00678712-b2df-11ed-afe9-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { 
"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 2 }, "id": "00678712-b2df-11ed-afe9-f661ea17fbcc_2", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json
{ "attributes": { "author": [ "Austin Songer" ], "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", "false_positives": [ "A user sending emails using personal distribution folders may trigger the event." ], "from": "now-30m", "index": [ "filebeat-*", "logs-o365*" ], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 User Restricted from Sending Email", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" ], "related_integrations": [ { "package": "o365", "version": "^1.3.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 47, "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", "setup": "The Office 365 Logs 
Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 101 }, "id": "0136b315-b566-482f-866c-1d8e2477ba16_101", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json
{ "attributes": { "author": [ "Austin Songer" ], "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", "false_positives": [ "A user sending emails using personal distribution folders may trigger the event." 
], "from": "now-30m", "index": [ "filebeat-*", "logs-o365*" ], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 User Restricted from Sending Email", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" ], "related_integrations": [ { "package": "o365", "version": "^1.3.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 47, "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "0136b315-b566-482f-866c-1d8e2477ba16_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the creation of an Amazon Redshift cluster. 
Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", "false_positives": [ "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "from": "now-60m", "index": [ "filebeat-*", "logs-aws*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Redshift Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html" ], "related_integrations": [ { "integration": "cloudtrail", "package": "aws", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 21, "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": 
"015cca13-8832-49ac-a01b-a396114809f6_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", "false_positives": [ "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "from": "now-60m", "index": [ "filebeat-*", "logs-aws*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Redshift Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html" ], "related_integrations": [ { "integration": "cloudtrail", "package": "aws", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 21, "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset 
Visibility", "Tactic: Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "015cca13-8832-49ac-a01b-a396114809f6_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. 
This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", "from": "now-9m", "index": [ "logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Scan Detected", "query": "destination.port :* and event.action: (\"network_flow\" or \"connection_accepted\" or \"connection_attempted\" )\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "network_traffic", "version": "^1.1.0" } ], "required_fields": [ { "ecs": true, "name": "destination.port", "type": "long" }, { "ecs": true, "name": "event.action", "type": "keyword" } ], "risk_score": 47, "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", "severity": "medium", "tags": [ "Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/" }, "technique": [ { "id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [ { "id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/" } ] } ] } ], "threshold": { "cardinality": [ { "field": "destination.port", "value": 20 } ], "field": [ "destination.ip", "source.ip" ], "value": 1 }, "type": "threshold", "version": 1 }, "id": "0171f283-ade7-4f87-9521-ac346c68cc9b_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_2.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", "from": "now-9m", "index": [ "logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Scan Detected", "query": "destination.port : * and event.action : \"network_flow\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "network_traffic", "version": "^1.1.0" } ], "required_fields": [ { "ecs": true, "name": "destination.port", "type": "long" }, { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "source.ip", "type": "ip" } ], "risk_score": 21, "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", "severity": "low", "tags": [ "Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/" } ] }, { "framework": "MITRE 
ATT\u0026CK", "tactic": { "id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/" }, "technique": [ { "id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [ { "id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/" } ] } ] } ], "threshold": { "cardinality": [ { "field": "destination.port", "value": 250 } ], "field": [ "destination.ip", "source.ip" ], "value": 1 }, "type": "threshold", "version": 2 }, "id": "0171f283-ade7-4f87-9521-ac346c68cc9b_2", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", "false_positives": [ "Developers performing browsers plugin or extension debugging." 
], "from": "now-9m", "index": [ "auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Potential Cookies Theft via Browser Debugging", "note": "", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", "references": [ "https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", 
"tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 101 }, "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", "false_positives": [ "Developers performing browsers plugin or extension debugging." ], "from": "now-9m", "index": [ "auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Potential Cookies Theft via Browser Debugging", "note": "", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", "references": [ "https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", 
"https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 102 }, "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. 
An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", "false_positives": [ "Developers performing browsers plugin or extension debugging." ], "from": "now-9m", "index": [ "auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Potential Cookies Theft via Browser Debugging", "note": "", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", "references": [ "https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will 
need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 103 }, "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. 
Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": [ "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Process Created with an Elevated Token", "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : 
\"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", "references": [ "https://lengjibo.github.io/token/", "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown" }, { "ecs": true, "name": "process.code_signature.subject_name", 
"type": "keyword" }, { "ecs": true, "name": "process.code_signature.trusted", "type": "boolean" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.parent.args", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 73, "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [ { "id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 3 }, "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb_3", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. 
Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": [ "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Process Created with an Elevated Token", "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : 
\"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", "references": [ "https://lengjibo.github.io/token/", "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown" }, { "ecs": true, "name": "process.code_signature.subject_name", 
"type": "keyword" }, { "ecs": true, "name": "process.code_signature.trusted", "type": "boolean" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.parent.args", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 73, "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [ { "id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 4 }, "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb_4", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_5.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. 
Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": [ "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Process Created with an Elevated Token", "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", "references": [ "https://lengjibo.github.io/token/", "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown" }, { "ecs": true, "name": "process.code_signature.subject_name", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.trusted", "type": "boolean" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.parent.args", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 73, "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [ { "id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 5 }, "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb_5", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": [ "https://github.com/CCob/MirrorDump" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "unknown" } ], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 103 }, "id": "02a4576a-7480-4284-9327-548a806b5e48_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": [ "https://github.com/CCob/MirrorDump" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "unknown" } ], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "02a4576a-7480-4284-9327-548a806b5e48_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": [ "https://github.com/CCob/MirrorDump" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword" } ], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "02a4576a-7480-4284-9327-548a806b5e48_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_206.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": [ "https://github.com/CCob/MirrorDump" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword" } ], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 206 }, "id": "02a4576a-7480-4284-9327-548a806b5e48_206", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Dumping Account Hashes via Built-In Commands", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", "references": [ "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", "https://www.unix.com/man-page/osx/8/mkpassdb/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", "severity": "high", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Credential Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Dumping Account Hashes via Built-In Commands", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", "references": [ "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", "https://www.unix.com/man-page/osx/8/mkpassdb/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", "severity": "high", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Dumping Account Hashes via Built-In Commands", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", "references": [ "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", "https://www.unix.com/man-page/osx/8/mkpassdb/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", "severity": "high", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", "false_positives": [ "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." ], "from": "now-30m", "index": [ "filebeat-*", "logs-o365*" ], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" ], "related_integrations": [ { "package": "o365", "version": "^1.3.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 21, "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 101 }, "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_101", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", "false_positives": [ "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." ], "from": "now-30m", "index": [ "filebeat-*", "logs-o365*" ], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" ], "related_integrations": [ { "package": "o365", "version": "^1.3.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 21, "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n", "references": [ "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/" }, "technique": [ { "id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/" } ] } ], "threshold": { "field": [ "host.id" ], "value": 10 }, "type": "threshold", "version": 104 }, "id": "035889c4-2686-4583-a7df-67f89c292f2c_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n", "references": [ "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/" }, "technique": [ { "id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/" } ] } ], "threshold": { "field": [ "host.id" ], "value": 10 }, "type": "threshold", "version": 105 }, "id": "035889c4-2686-4583-a7df-67f89c292f2c_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\") and\n not process.parent.name:osquerybeat.exe\n", "references": [ "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/" }, "technique": [ { "id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/" } ] } ], "threshold": { "field": [ "host.id" ], "value": 10 }, "type": "threshold", "version": 106 }, "id": "035889c4-2686-4583-a7df-67f89c292f2c_106", 
"type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_1.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.", "false_positives": [ "SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior." ], "from": "now-6m", "index": [ "logs-cloud_defend*" ], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "SSH Process Launched From Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" and\nevent.action in (\"fork\", \"exec\") and event.action != \"end\" and \nprocess.name: (\"sshd\", \"ssh\", \"autossh\")\n", "references": [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/" ], "related_integrations": [ { "package": "cloud_defend", "version": "^1.0.5" } ], "required_fields": [ { "ecs": true, "name": "container.id", "type": "keyword" }, { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "03a514d9-500e-443e-b6a9-72718c548f6c", "severity": "high", "tags": [ "Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement", "Persistence", "Container" ], "threat": [ { "framework": "MITRE 
ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [ { "id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 1 }, "id": "03a514d9-500e-443e-b6a9-72718c548f6c_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_2.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.", "false_positives": [ "SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior." 
], "from": "now-6m", "index": [ "logs-cloud_defend*" ], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "SSH Process Launched From Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" and\nevent.action in (\"fork\", \"exec\") and event.action != \"end\" and \nprocess.name: (\"sshd\", \"ssh\", \"autossh\")\n", "references": [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/" ], "related_integrations": [ { "package": "cloud_defend", "version": "^1.0.5" } ], "required_fields": [ { "ecs": true, "name": "container.id", "type": "keyword" }, { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "03a514d9-500e-443e-b6a9-72718c548f6c", "severity": "high", "tags": [ "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [ { "id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 2 }, "id": "03a514d9-500e-443e-b6a9-72718c548f6c_2", 
"type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": [ "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes." ], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "query": "event.category:file and host.os.type:linux and event.type:change and\n process.name:* and\n (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and\n not process.name:(\"dpkg\" or \"yum\" or \"dnf\" or \"dnf-automatic\")\n", "references": [ "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.name", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "severity": "medium", "tags": [ "Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence", "Lateral Movement", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System 
Process", "reference": "https://attack.mitre.org/techniques/T1543/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [ { "id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/" } ] }, { "id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [ { "id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "0415f22a-2336-45fa-ba07-618a5942e22c_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": [ "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes." 
], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so)\n", "references": [ "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.name", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [ { "id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/" } ] }, { "id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [ { "id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "0415f22a-2336-45fa-ba07-618a5942e22c_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": [ "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes." 
], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so)\n", "references": [ "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.name", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": 
"TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [ { "id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/" } ] }, { "id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [ { "id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 105 }, "id": "0415f22a-2336-45fa-ba07-618a5942e22c_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", "false_positives": [ "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." 
], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential DNS Tunneling via Iodine", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)\n", "references": [ "https://code.kryo.se/iodine/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", "severity": "high", "tags": [ "Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { "id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "041d4d41-9589-43e2-ba13-5680af75ebc2_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", "false_positives": [ "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." 
], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential DNS Tunneling via Iodine", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)\n", "references": [ "https://code.kryo.se/iodine/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { "id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "041d4d41-9589-43e2-ba13-5680af75ebc2_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", "false_positives": [ "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." 
], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Deprecated - Potential DNS Tunneling via Iodine", "note": "This rule was deprecated due to its addition to the umbrella `Potential Linux Tunneling and/or Port Forwarding` (6ee947e9-de7e-4281-a55d-09289bdf947e) rule.", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)\n", "references": [ "https://code.kryo.se/iodine/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { "id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 105 }, "id": "041d4d41-9589-43e2-ba13-5680af75ebc2_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json
{ "attributes": { "author": [ "Elastic" ], "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. 
The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", "from": "now-25m", "index": [ "filebeat-*", "logs-azure*" ], "language": "kuery", "license": "Elastic License v2", "name": "Azure AD Global Administrator Role Assigned", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\nazure.auditlogs.operation_name:\"Add member to role\" and\nazure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:\"\\\"Global Administrator\\\"\"\n", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" ], "related_integrations": [ { "package": "azure", "version": "^1.0.0" } ], "required_fields": [ { "ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword" }, { "ecs": false, "name": "azure.auditlogs.properties.category", "type": "keyword" }, { "ecs": false, "name": "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value", "type": "unknown" }, { "ecs": true, "name": "event.dataset", "type": "keyword" } ], "risk_score": 47, "rule_id": "04c5a96f-19c5-44fd-9571-a0b033f9086f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1098", "name": "Account Manipulation", 
"reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [ { "id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 101 }, "id": "04c5a96f-19c5-44fd-9571-a0b033f9086f_101", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", "from": "now-25m", "index": [ "filebeat-*", "logs-azure*" ], "language": "kuery", "license": "Elastic License v2", "name": "Azure AD Global Administrator Role Assigned", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\nazure.auditlogs.operation_name:\"Add member to role\" and\nazure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:\"\\\"Global Administrator\\\"\"\n", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" ], "related_integrations": [ { "package": "azure", "version": "^1.0.0" } ], "required_fields": [ { "ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword" }, { "ecs": false, "name": "azure.auditlogs.properties.category", "type": "keyword" }, { "ecs": false, "name": "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value", 
"type": "unknown" }, { "ecs": true, "name": "event.dataset", "type": "keyword" } ], "risk_score": 47, "rule_id": "04c5a96f-19c5-44fd-9571-a0b033f9086f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [ { "id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "04c5a96f-19c5-44fd-9571-a0b033f9086f_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json
{ "attributes": { "author": [ "Elastic", "Dennis Perto" ], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": [ "Microsoft Antimalware Service Executable installed on non default installation path." 
], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": [ "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", 
"tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [ { "id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json

{ "attributes": { "author": [ "Elastic", "Dennis Perto" ], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": [ "Microsoft Antimalware Service Executable installed on non default installation path."
], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": [ "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame" ], "threat": [ { 
"framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [ { "id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_106.json

{ "attributes": { "author": [ "Elastic", "Dennis Perto" ], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": [ "Microsoft Antimalware Service Executable installed on non default installation path."
], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": [ "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [ { "id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json

{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Service Account Password Dumped", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", "references": [ "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name":
"process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json

{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords.
An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Service Account Password Dumped", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", "references": [ "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": 
"https://attack.mitre.org/techniques/T1003/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_106.json

{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Service Account Password Dumped", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", "references": [ "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate
`event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json

{ "attributes": { "author": [ "Elastic" ], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": [ "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.args", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json

{ "attributes": { "author": [ "Elastic" ], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": [ "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.args", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_106.json

{ "attributes": { "author": [ "Elastic" ], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": [ "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.args", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_106", "type": "security-rule" }PK;;PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Perl", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", "severity": "high", "tags": [ "Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame" ], 
"threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_103", "type": "security-rule" }PKeSL PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Perl", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, 
"technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_104", "type": "security-rule" }PK PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_105.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Perl", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/" } ] 
} ], "timestamp_override": "event.ingested", "type": "query", "version": 105 }, "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation.
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": 
"keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/" }, { "id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "0635c542-1b96-4335-9b47-126582d2c19a_105", "type": "security-rule" }PKo%GGPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. 
This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline 
to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/" }, { "id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "0635c542-1b96-4335-9b47-126582d2c19a_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json
{ "attributes": { "author": [ "Elastic" ], "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline 
to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/" }, { "id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 107 }, "id": "0635c542-1b96-4335-9b47-126582d2c19a_107", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_108.json
{ "attributes": { "author": [ "Elastic" ], "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline 
to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/" }, { "id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 108 }, "id": "0635c542-1b96-4335-9b47-126582d2c19a_108", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : \"time\") or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [ { "package": "windows", "version": "^1.5.0" }, { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type":
"keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 2 }, "id": "06568a02-af29-4f20-929c-f3af281e41aa_2", "type": "security-rule" }PK̅ PKk3Wa security_detection_engine-8.10.3/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : \"time\") or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [ { "package": "windows", "version": "^1.5.0" }, { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": 
"host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 3 }, "id": "06568a02-af29-4f20-929c-f3af281e41aa_3", "type": "security-rule" }PK)  PKk3Wa security_detection_engine-8.10.3/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_4.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : \"time\") or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [ { "package": "windows", "version": "^1.5.0" }, { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": 
"event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 4 }, "id": "06568a02-af29-4f20-929c-f3af281e41aa_4", "type": "security-rule" }PKA`? ? PKk3Wa security_detection_engine-8.10.3/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": [ "Domain administrators may use this command-line utility for legitimate information gathering purposes." 
], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/" }, { "id": "T1018", "name": "Remote System Discovery", "reference": 
"https://attack.mitre.org/techniques/T1018/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 2 }, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_2", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json

{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": [ "Domain administrators may use this command-line utility for legitimate information gathering purposes." ], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/" }, { "id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 3 }, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_3", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_4.json

{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": [ "Domain administrators may use this command-line utility for legitimate information gathering purposes." ], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. 
In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configured as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user's business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/" }, { "id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 4 }, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_4", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_5.json

{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": [ "Domain administrators may use this command-line utility for legitimate information gathering purposes." ], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configured as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/" }, { "id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 5 }, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_5", "type": "security-rule" 
}

security_detection_engine-8.10.3/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json

{ "attributes": { "author": [ "Elastic" ], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/" } ] } ] } ], 
"timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json

{ "attributes": { "author": [ "Elastic" ], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. 
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json

{ "attributes": { "author": [ "Elastic" ], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload 
a filter driver and evade defenses.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107.json

{ "attributes": { "author": [ "Elastic" ], "description": "The Filter Manager Control Program 
(fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 107 }, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies use 
of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules 
was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. 
Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules 
was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. 
Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules 
was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_1.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. 
Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.", "from": "now-9m", "index": [ "logs-github.audit-*" ], "language": "eql", "license": "Elastic License v2", "name": "GitHub Protected Branch Settings Changed", "query": "configuration where event.dataset == \"github.audit\" \n and github.category == \"protected_branch\" and event.type == \"change\" \n", "related_integrations": [ { "package": "github", "version": "^1.0.0" } ], "required_fields": [ { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": false, "name": "github.category", "type": "unknown" } ], "risk_score": 47, "rule_id": "07639887-da3a-4fbf-9532-8ce748ff8c50", "severity": "medium", "tags": [ "Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 1 }, "id": "07639887-da3a-4fbf-9532-8ce748ff8c50_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. 
Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", "from": "now-9m", "index": [ "auditbeat-*", "logs-auditd_manager.auditd-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1\n", "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.parent.pid", "type": "long" } ], "risk_score": 47, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/" }, { "id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/" } ] } ], "threshold": { "cardinality": [ { "field": "file.path", "value": 25 } ], "field": [ "host.id", "process.pid", "process.name" ], "value": 1 }, "timestamp_override": "event.ingested", "type": "threshold", "version": 1 }, "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_2.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. 
Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", "from": "now-9m", "index": [ "auditbeat-*", "logs-auditd_manager.auditd-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : \"pidof\" and \nnot process.parent.pid : 1\n", "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.pid", "type": "long" } ], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/" }, { "id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/" } ] } ], "threshold": { "cardinality": [ { "field": "file.path", "value": 100 } ], "field": [ "host.id", "process.pid", "process.name" ], "value": 1 }, "timestamp_override": "event.ingested", "type": "threshold", "version": 2 }, "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_2", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_3.json
{ "attributes": { "author": [ "Elastic" ], "building_block_type": "default", "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. 
Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", "from": "now-119m", "index": [ "auditbeat-*", "logs-auditd_manager.auditd-*" ], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : \"pidof\" and \nnot process.parent.pid : 1\n", "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.pid", "type": "long" } ], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/" }, { "id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/" } ] } ], "threshold": { "cardinality": [ { "field": "file.path", "value": 100 } ], "field": [ "host.id", "process.pid", "process.name" ], "value": 1 }, "timestamp_override": "event.ingested", "type": "threshold", "version": 3 }, "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_3", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. 
If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": [ "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "registry.data.strings", "type": "wildcard" }, { "ecs": true, "name": "registry.path", "type": "keyword" } ], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Privilege Escalation", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1078", "name": "Valid 
Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 3 }, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_3", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": [ "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "registry.data.strings", "type": "wildcard" }, { "ecs": true, "name": "registry.path", "type": "keyword" } ], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": 
[ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 4 }, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_4", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_5.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. 
If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": [ "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "registry.data.strings", "type": "wildcard" }, { "ecs": true, "name": "registry.path", "type": "keyword" } ], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 5 }, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_5", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", "false_positives": [ "Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee." 
], "from": "now-130m", "index": [ "filebeat-*", "logs-google_workspace*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Drive Ownership Transferred via Google Workspace", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", "references": [ "https://support.google.com/a/answer/1247799?hl=en" ], "related_integrations": [ { "package": "google_workspace", "version": "^2.0.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", 
"tags": [ "Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Collection" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/" }, "technique": [ { "id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [ { "id": "T1074.002", "name": "Remote Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", "false_positives": [ "Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee." ], "from": "now-130m", "index": [ "filebeat-*", "logs-google_workspace*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Drive Ownership Transferred via Google Workspace", "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. 
It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security \u003e Reporting \u003e Audit and investigation \u003e Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory \u003e Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps \u003e Google Workspace \u003e Drive and Docs \u003e Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security \u003e Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. 
Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", "references": [ "https://support.google.com/a/answer/1247799?hl=en" ], "related_integrations": [ { "package": "google_workspace", "version": "^2.0.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Collection", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/" }, "technique": [ { "id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [ { "id": "T1074.002", "name": "Remote Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 105 }, "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json
{ "attributes": { "author": [ "Elastic" ], 
"description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", "false_positives": [ "Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee." ], "from": "now-130m", "index": [ "filebeat-*", "logs-google_workspace*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Drive Ownership Transferred via Google Workspace", "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. 
To find admin logs, go to `Security \u003e Reporting \u003e Audit and investigation \u003e Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory \u003e Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps \u003e Google Workspace \u003e Drive and Docs \u003e Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security \u003e Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", "references": [ "https://support.google.com/a/answer/1247799?hl=en" ], "related_integrations": [ { "package": "google_workspace", "version": "^2.0.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/" }, "technique": [ { "id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [ { "id": "T1074.002", "name": "Remote Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 106 }, "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json
{ "attributes": { "author": [ "Elastic" ], 
"description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", "from": "now-9m", "index": [ "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Browser Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", "references": [ "https://objective-see.com/blog/blog_0x43.html", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": 
"process.command_line", "type": "wildcard" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", "severity": "high", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Initial Access", "Execution" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 102 }, "id": "080bc66a-5d56-4d1f-8071-817671716db9_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
With this technique, the user's web browser is typically targeted for exploitation.", "from": "now-9m", "index": [ "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Browser Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", "references": [ "https://objective-see.com/blog/blog_0x43.html", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.command_line", "type": "wildcard" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 73, "rule_id": 
"080bc66a-5d56-4d1f-8071-817671716db9", "severity": "high", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 103 }, "id": "080bc66a-5d56-4d1f-8071-817671716db9_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
With this technique, the user's web browser is typically targeted for exploitation.", "from": "now-9m", "index": [ "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Browser Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", "references": [ "https://objective-see.com/blog/blog_0x43.html", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.command_line", "type": "wildcard" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 73, "rule_id": 
"080bc66a-5d56-4d1f-8071-817671716db9", "severity": "high", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "080bc66a-5d56-4d1f-8071-817671716db9_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", "false_positives": [ "Trusted applications persisting via LaunchAgent" ], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Launch Agent Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": [
"https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 21, "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", "severity": "low", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/" } ] } ] } ], "type": "eql", "version": 102 }, "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", "false_positives": [ "Trusted applications persisting via LaunchAgent" ], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Launch Agent Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and
event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 21, "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", "severity": "low", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/" } ] } ] } ], "type": "eql", "version": 103 }, "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.",
"false_positives": [ "Trusted applications persisting via LaunchAgent" ], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Launch Agent Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 21, "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", "severity": "low", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/" } ] } ] } ], "type": "eql", "version": 104 }, "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28_104", 
"type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Hidden Child Process of Launchd", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", "references": [ "https://objective-see.com/blog/blog_0x61.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", "severity": "medium", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Defense Evasion" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.001", "name":
"Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [ { "id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "083fa162-e790-4d85-9aeb-4fea04188adb_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Hidden Child Process of Launchd", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", "references": [ "https://objective-see.com/blog/blog_0x61.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name":
"process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [ { "id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "083fa162-e790-4d85-9aeb-4fea04188adb_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of a launchd child process with a hidden file.
An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Hidden Child Process of Launchd", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", "references": [ "https://objective-see.com/blog/blog_0x61.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [ { "id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "083fa162-e790-4d85-9aeb-4fea04188adb_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", "from": "now-9m", "history_window_start": "now-7d", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Removable Device", "new_terms_fields": [ "registry.path" ], "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", "references": [ "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "registry.path", "type": "keyword" }, { "ecs": true, "name": "registry.value", "type": "keyword" } ], "risk_score": 21, "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", "severity": "low", "tags": [ "Domain:
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/" }, "technique": [ { "id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/", "subtechnique": [ { "id": "T1052.001", "name": "Exfiltration over USB", "reference": "https://attack.mitre.org/techniques/T1052/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1 }, "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_2.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies newly seen removable devices by device friendly name using registry modification events.
While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", "from": "now-9m", "history_window_start": "now-7d", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Removable Device", "new_terms_fields": [ "registry.path" ], "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", "references": [ "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "registry.path", "type": "keyword" }, { "ecs": true, "name": "registry.value", "type": "keyword" } ], "risk_score": 21, "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/" }, "technique": [ { "id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": 
"https://attack.mitre.org/techniques/T1052/", "subtechnique": [ { "id": "T1052.001", "name": "Exfiltration over USB", "reference": "https://attack.mitre.org/techniques/T1052/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2 }, "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_2", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_1.json
{ "attributes": { "author": [ "Elastic" ], "building_block_type": "default", "description": "This rule identifies the execution of commands that enumerates account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", "from": "now-119m", "index": [ "logs-endpoint.events.*" ], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Windows Account or Group Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"group\", \"user\", \"localgroup\") and not process.args : \"/add\"\n ) or\n (process.name:(\"dsquery.exe\", \"dsget.exe\") and process.args:(\"*members*\", \"user\")) or\n (process.name:\"dsquery.exe\" and process.args:\"*filter*\") or\n process.name:(\"quser.exe\", \"qwinsta.exe\", \"PsGetSID.exe\", \"PsLoggedOn.exe\", \"LogonSessions.exe\", \"whoami.exe\") or\n (\n process.name: \"cmd.exe\" and\n (\n process.args : \"echo\" and process.args : (\n \"%username%\", \"%userdomain%\", \"%userdnsdomain%\",\n \"%userdomain_roamingprofile%\", \"%userprofile%\",\n \"%homepath%\", \"%localappdata%\", \"%appdata%\"\n ) or\n process.args : \"set\"\n )\n )\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [ { "package":
"endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 21, "rule_id": "089db1af-740d-4d84-9a5b-babd6de143b0", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [ { "id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/" }, { "id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/" } ] }, { "id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [ { "id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/" }, { "id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 1 }, "id": "089db1af-740d-4d84-9a5b-babd6de143b0_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_2.json
{ "attributes": { "author": [ "Elastic" ], "building_block_type": "default", "description": "This rule identifies the execution of commands that enumerates
account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", "from": "now-119m", "index": [ "logs-endpoint.events.*" ], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Windows Account or Group Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"accounts\", \"group\", \"user\", \"localgroup\") and not process.args : \"/add\"\n ) or\n (process.name:(\"dsquery.exe\", \"dsget.exe\") and process.args:(\"*members*\", \"user\")) or\n (process.name:\"dsquery.exe\" and process.args:\"*filter*\") or\n process.name:(\"quser.exe\", \"qwinsta.exe\", \"PsGetSID.exe\", \"PsLoggedOn.exe\", \"LogonSessions.exe\", \"whoami.exe\") or\n (\n process.name: \"cmd.exe\" and\n (\n process.args : \"echo\" and process.args : (\n \"%username%\", \"%userdomain%\", \"%userdnsdomain%\",\n \"%userdomain_roamingprofile%\", \"%userprofile%\",\n \"%homepath%\", \"%localappdata%\", \"%appdata%\"\n ) or\n process.args : \"set\"\n )\n )\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 21, "rule_id": "089db1af-740d-4d84-9a5b-babd6de143b0", "severity": "low", "tags": [ "Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [ { "id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/" }, { "id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/" } ] }, { "id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/" }, { "id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [ { "id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/" }, { "id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 2 }, "id": "089db1af-740d-4d84-9a5b-babd6de143b0_2", "type": "security-rule" }PKYPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the creation of a hidden launch agent or daemon. 
An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Launch Agent or Daemon", "note": "", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", "references": [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" } ], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Defense Evasion" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/" } ] } ] }, { "framework": "MITRE 
ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [ { "id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 102 }, "id": "092b068f-84ac-485d-8a55-7dd9e006715f_102", "type": "security-rule" }PK٠PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Launch Agent or Daemon", "note": "", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", "references": [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" } ], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events 
will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [ { "id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 103 }, "id": "092b068f-84ac-485d-8a55-7dd9e006715f_103", "type": "security-rule" }PKkBSPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_104.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the creation of a hidden launch agent or daemon. 
An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Launch Agent or Daemon", "note": "", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", "references": [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" } ], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.001", "name": "Launch Agent", "reference": 
"https://attack.mitre.org/techniques/T1543/001/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [ { "id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "092b068f-84ac-485d-8a55-7dd9e006715f_104", "type": "security-rule" }PK;PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. 
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.trusted", "type": "boolean" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1070", "name": 
"Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [ { "id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/" } ] } ] } ], "type": "eql", "version": 103 }, "id": "09443c92-46b3-45a4-8f25-383b028b258d_103", "type": "security-rule" }PKh`PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": 
"keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.trusted", "type": "boolean" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [ { "id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/" } ] } ] } ], "type": "eql", "version": 104 }, "id": "09443c92-46b3-45a4-8f25-383b028b258d_104", "type": "security-rule" }PK $"PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_105.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. 
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.trusted", "type": "boolean" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [ { "id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/" } ] } ] } ], "type": "eql", "version": 105 }, "id": "09443c92-46b3-45a4-8f25-383b028b258d_105", "type": "security-rule" }PKe~"~"PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_106.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.trusted", "type": "boolean" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE 
ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [ { "id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/" } ] } ] } ], "type": "eql", "version": 106 }, "id": "09443c92-46b3-45a4-8f25-383b028b258d_106", "type": "security-rule" }PK1)""PKk3Wa security_detection_engine-8.10.3/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_1.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.", "from": "now-9m", "index": [ "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "query": "sequence by host.id, user.id with maxspan=1m\n [file where host.os.type == \"linux\" and event.action == \"creation\" and \n process.name in (\"curl\", \"wget\", \"fetch\", \"ftp\", \"sftp\", \"scp\", \"rsync\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.name\n [file where host.os.type == \"linux\" and event.action == \"deletion\" and not process.name in (\"rm\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", 
\"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.name", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 47, "rule_id": "09bc6c90-7501-494d-b015-5d988dc3f233", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [ { "id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/" } ] } ] } ], "type": "eql", "version": 1 }, "id": "09bc6c90-7501-494d-b015-5d988dc3f233_1", "type": "security-rule" }PK0?VPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.jsonUTŢ e{ "attributes": { "author": [ "Austin Songer" ], "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", "false_positives": [ "Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. 
Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "from": "now-25m", "index": [ "filebeat-*", "logs-azure*" ], "language": "kuery", "license": "Elastic License v2", "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking" ], "related_integrations": [ { "integration": "activitylogs", "package": "azure", "version": "^1.0.0" } ], "required_fields": [ { "ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" } ], "risk_score": 21, "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 101 }, "id": "09d028a5-dcde-409f-8ae0-557cef1b7082_101", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_102.json
{ "attributes": { "author": [ "Austin Songer" ], "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", "false_positives": [ "Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "from": "now-25m", "index": [ "filebeat-*", "logs-azure*" ], "language": "kuery", "license": "Elastic License v2", "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking" ], "related_integrations": [ { "integration": "activitylogs", "package": "azure", "version": "^1.0.0" } ], "required_fields": [ { "ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" } ], "risk_score": 21, "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "09d028a5-dcde-409f-8ae0-557cef1b7082_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_100.json
{ "attributes": { "author": [ "Elastic" ], "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": [ "endgame-*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Malware - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", "required_fields": [ { "ecs": false, "name": "endgame.event_subtype_full", "type": "unknown" }, { "ecs": false, "name": "endgame.metadata.type", "type": "unknown" }, { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.kind", "type": "keyword" }, { "ecs": true, "name": "event.module", "type": "keyword" } ], "risk_score": 99, "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", "severity": "critical", "tags": [ "Elastic", "Elastic Endgame" ], "type": "query", "version": 100 }, "id": "0a97b20f-4144-49ea-be32-b540ecc445de_100", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_101.json
{ "attributes": { "author": [ "Elastic" ], "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": [ "endgame-*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Malware - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", "required_fields": [ { "ecs": false, "name": "endgame.event_subtype_full", "type": "unknown" }, { "ecs": false, "name": "endgame.metadata.type", "type": "unknown" }, { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.kind", "type": "keyword" }, { "ecs": true, "name": "event.module", "type": "keyword" } ], "risk_score": 99, "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", "severity": "critical", "tags": [ "Data Source: Elastic Endgame" ], "type": "query", "version": 101 }, "id": "0a97b20f-4144-49ea-be32-b540ecc445de_101", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1.json
{ "attributes": { "author": [ "Elastic" ], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. 
Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": [ "winlogbeat-*", "logs-windows.*" ], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Remote Execution Capabilities via WinRM", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n )\n", "references": [ "https://attack.mitre.org/techniques/T1021/006/", "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "powershell.file.script_block_text", "type": "unknown" } ], "risk_score": 21, "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: PowerShell Logs", "Rule Type: BBR" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [ { "id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 1 }, "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": [ "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." 
], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_process_creation" ], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/" } ] } ], "type": "machine_learning", "version": 102 }, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. 
Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": [ "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_process_creation" ], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/" } ] } ], "type": "machine_learning", "version": 103 }, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. 
Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": [ "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_process_creation" ], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/" } ] } ], "type": "machine_learning", "version": 104 }, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105.json

{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. 
Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": [ "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_process_creation" ], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account IS NULL)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unsigned Executables with VirusTotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/" } ] } ], "type": "machine_learning", "version": 105 }, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json

{ "attributes": { "author": [ "Elastic" ], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. 
Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-system.*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Changes\" and host.os.type:windows and\n event.code:5136 and winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": [ "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule" ], "related_integrations": [ { "package": "system", "version": "^1.6.4" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown" } ], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe 
above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [ { "id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 105 }, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json

{ "attributes": { "author": [ "Elastic" ], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. 
Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-system.*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": [ "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule" ], "related_integrations": [ { "package": "system", "version": "^1.6.4" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown" } ], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [ { "id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 106 }, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json

{ "attributes": { "author": [ "Elastic" ], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. 
Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-system.*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": [ "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule" ], "related_integrations": [ { "package": "system", "version": "^1.6.4" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown" } ], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [ { "id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 107 }, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_107", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_1.json

{ "attributes": { "author": [ "Elastic" ], "description": "This rule monitors for the execution of a set of Linux binaries that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. 
Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": [ "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Shell via Wildcard Injection Detected", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"tar\" and process.args : \"--checkpoint=*\" and process.args : \"--checkpoint-action=*\") or\n (process.name == \"rsync\" and process.args : \"-e*\") or\n (process.name == \"zip\" and process.args == \"--unzip-command\") )] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name : (\"tar\", \"rsync\", \"zip\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n", "references": [ "https://www.exploit-db.com/papers/33930" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.entity_id", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.entity_id", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0b803267-74c5-444d-ae29-32b5db2d562a", "severity": "medium", "tags": [ "Domain: 
Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/" } ] } ], "type": "eql", "version": 1 }, "id": "0b803267-74c5-444d-ae29-32b5db2d562a_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_2.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule monitors for the execution of a set of Linux binaries that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. 
Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": [ "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Shell via Wildcard Injection Detected", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"tar\" and process.args : \"--checkpoint=*\" and process.args : \"--checkpoint-action=*\") or\n (process.name == \"rsync\" and process.args : \"-e*\") or\n (process.name == \"zip\" and process.args == \"--unzip-command\") )] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name : (\"tar\", \"rsync\", \"zip\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n", "references": [ "https://www.exploit-db.com/papers/33930" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.entity_id", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.entity_id", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0b803267-74c5-444d-ae29-32b5db2d562a", "severity": "medium", "tags": [ "Domain: 
Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/" } ] } ], "type": "eql", "version": 2 }, "id": "0b803267-74c5-444d-ae29-32b5db2d562a_2", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_1.json
{ "attributes": { "author": [ "Elastic" ], "building_block_type": "default", "description": "Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity to evade default file handling mechanisms.", "from": "now-119m", "index": [ "logs-endpoint.events.*" ], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Processes with Trailing Spaces", "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"* \"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 21, "rule_id": "0c093569-dff9-42b6-87b1-0242d9f7d9b4", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE 
ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [ { "id": "T1036.006", "name": "Space after Filename", "reference": "https://attack.mitre.org/techniques/T1036/006/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 1 }, "id": "0c093569-dff9-42b6-87b1-0242d9f7d9b4_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", "from": "now-65m", "index": [ "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", "query": "source.ip:* or destination.ip:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip" ], "required_fields": [ { "ecs": true, "name": "destination.ip", "type": "ip" }, { "ecs": true, "name": "source.ip", "type": "ip" } ], "risk_score": 99, "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "severity": "critical", "tags": [ "OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match" ], "threat_filters": [ { "$state": { "store": "appState" }, "meta": { "disabled": false, "key": "event.category", "negate": false, "params": { "query": "threat" }, "type": "phrase" }, "query": { "match_phrase": { "event.category": "threat" } } }, { "$state": { "store": "appState" }, "meta": { "disabled": false, "key": 
"event.kind", "negate": false, "params": { "query": "enrichment" }, "type": "phrase" }, "query": { "match_phrase": { "event.kind": "enrichment" } } }, { "$state": { "store": "appState" }, "meta": { "disabled": false, "key": "event.type", "negate": false, "params": { "query": "indicator" }, "type": "phrase" }, "query": { "match_phrase": { "event.type": "indicator" } } } ], "threat_index": [ "filebeat-*", "logs-ti_*" ], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [ { "entries": [ { "field": "source.ip", "type": "mapping", "value": "threat.indicator.ip" } ] }, { "entries": [ { "field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip" } ] } ], "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 1 }, "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_2.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", "from": "now-65m", "index": [ "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. 
\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. \n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "source.ip:* or destination.ip:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip" ], "required_fields": [ { "ecs": true, "name": "destination.ip", "type": "ip" }, { "ecs": true, "name": "source.ip", "type": "ip" } ], "risk_score": 99, "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": [ "OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match" ], "threat_filters": [ { "$state": { "store": "appState" }, "meta": { "disabled": false, "key": "event.category", "negate": false, "params": { "query": "threat" }, "type": "phrase" }, "query": { "match_phrase": { "event.category": "threat" } } }, { "$state": { "store": "appState" }, "meta": { "disabled": false, "key": "event.kind", "negate": false, "params": { "query": "enrichment" }, "type": "phrase" }, "query": { "match_phrase": { "event.kind": "enrichment" } } }, { "$state": { "store": "appState" }, "meta": { "disabled": false, "key": "event.type", "negate": false, "params": { "query": "indicator" }, "type": "phrase" }, "query": { "match_phrase": { "event.type": "indicator" } } } ], "threat_index": [ "filebeat-*", "logs-ti_*" ], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [ { "entries": [ { "field": "source.ip", "type": "mapping", "value": "threat.indicator.ip" } ] }, { "entries": [ { "field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip" } ] } ], "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 2 }, "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_2", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_3.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match 
against a network event.", "from": "now-65m", "index": [ "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
\n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "source.ip:* or destination.ip:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip" ], "required_fields": [ { "ecs": true, "name": "destination.ip", "type": "ip" }, { "ecs": true, "name": "source.ip", "type": "ip" } ], "risk_score": 99, "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": [ "OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match" ], "threat_filters": [ { "$state": { "store": "appState" }, "meta": { "disabled": false, "key": "event.category", "negate": false, "params": { "query": "threat" }, "type": "phrase" }, "query": { "match_phrase": { "event.category": "threat" } } }, { "$state": { "store": "appState" }, "meta": { "disabled": false, "key": "event.kind", "negate": false, "params": { "query": "enrichment" }, "type": "phrase" }, "query": { "match_phrase": { "event.kind": "enrichment" } } }, { "$state": { "store": "appState" }, "meta": { "disabled": false, "key": "event.type", "negate": false, "params": { "query": "indicator" }, "type": "phrase" }, "query": { "match_phrase": { "event.type": "indicator" } } } ], "threat_index": [ "filebeat-*", "logs-ti_*" ], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [ { "entries": [ { "field": "source.ip", "type": "mapping", "value": "threat.indicator.ip" } ] }, { "entries": [ { "field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip" } ] } ], "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 3 }, "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_3", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices 
and components connected to a computer system.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to 
populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 
105 }, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106.json

{ "attributes": { "author": [ "Elastic" ], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/" } ] } ], "timestamp_override": 
"event.ingested", "type": "eql", "version": 106 }, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106", "type": "security-rule" }PK&AffPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.jsonUTŢ e{ "attributes": { "author": [ "Elastic", "Austin Songer" ], "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", "false_positives": [ "Assignment of rights to a service account." ], "index": [ "filebeat-*", "logs-o365*" ], "language": "kuery", "license": "Elastic License v2", "name": "O365 Exchange Suspicious Mailbox Right Delegation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", "related_integrations": [ { "package": "o365", "version": "^1.3.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" }, { "ecs": false, "name": "o365.audit.Parameters.AccessRights", "type": "unknown" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 21, "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit" ], "threat": [ { "framework": "MITRE ATT\u0026CK", 
"tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [ { "id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 101 }, "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_101", "type": "security-rule" }PK''PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.jsonUTŢ e{ "attributes": { "author": [ "Elastic", "Austin Songer" ], "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", "false_positives": [ "Assignment of rights to a service account." 
], "index": [ "filebeat-*", "logs-o365*" ], "language": "kuery", "license": "Elastic License v2", "name": "O365 Exchange Suspicious Mailbox Right Delegation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", "related_integrations": [ { "package": "o365", "version": "^1.3.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" }, { "ecs": false, "name": "o365.audit.Parameters.AccessRights", "type": "unknown" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 21, "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [ { "id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_102", "type": "security-rule" }PKBPKk3Wa security_detection_engine-8.10.3/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_2.jsonUTŢ e{ 
"attributes": { "author": [ "Elastic" ], "description": "This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.", "false_positives": [ "False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident." ], "from": "now-24h", "index": [ ".alerts-security.*" ], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Alerts Involving a User", "query": "signal.rule.name:* and user.name:* and not user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", "required_fields": [ { "ecs": false, "name": "signal.rule.name", "type": "unknown" }, { "ecs": true, "name": "user.id", "type": "keyword" }, { "ecs": true, "name": "user.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7", "severity": "high", "tags": [ "Elastic", "Threat Detection", "Higher-Order Rules" ], "threshold": { "cardinality": [ { "field": "signal.rule.rule_id", "value": 5 } ], "field": [ "user.name" ], "value": 1 }, "timestamp_override": "event.ingested", "type": "threshold", "version": 2 }, "id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7_2", "type": "security-rule" }PKcKPKk3Wa security_detection_engine-8.10.3/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_3.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "This rule uses alert data to determine when multiple different alerts involving the same user are triggered. 
Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.", "false_positives": [ "False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident." ], "from": "now-24h", "index": [ ".alerts-security.*" ], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Alerts Involving a User", "query": "signal.rule.name:* and user.name:* and not user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", "required_fields": [ { "ecs": false, "name": "signal.rule.name", "type": "unknown" }, { "ecs": true, "name": "user.id", "type": "keyword" }, { "ecs": true, "name": "user.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7", "severity": "high", "tags": [ "Use Case: Threat Detection", "Rule Type: Higher-Order Rule" ], "threshold": { "cardinality": [ { "field": "signal.rule.rule_id", "value": 5 } ], "field": [ "user.name" ], "value": 1 }, "timestamp_override": "event.ingested", "type": "threshold", "version": 3 }, "id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7_3", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json

{ "attributes": { "author": [ "Elastic" ], "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", "false_positives": [ "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced.
Use of `Nping` by non-engineers or ordinary users is uncommon." ], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Nping Process Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping\n", "references": [ "https://en.wikipedia.org/wiki/Nmap" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "medium", "tags": [ "Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json

{ "attributes": { "author": [ "Elastic" ], "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", "false_positives": [ "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced.
Use of `Nping` by non-engineers or ordinary users is uncommon." ], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Nping Process Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping\n", "references": [ "https://en.wikipedia.org/wiki/Nmap" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_105.json

{ "attributes": { "author": [ "Elastic" ], "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", "false_positives": [ "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced.
Use of `Nping` by non-engineers or ordinary users is uncommon." ], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Nping Process Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"nping\"\n", "references": [ "https://en.wikipedia.org/wiki/Nmap" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json

{ "attributes": { "author": [ "Elastic" ], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed.
These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE 
ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [ { "id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/" }, { "id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/" } ] } ] } ], "type": "eql", "version": 104 }, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json

{ "attributes": { "author": [ "Elastic" ], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access.
It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic 
Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [ { "id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/" }, { "id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/" } ] } ] } ], "type": "eql", "version": 105 }, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. 
It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [ { "id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/" }, { "id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/" } ] } ] } ], "type": "eql", "version": 106 }, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the occurrence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. 
Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", "false_positives": [ "Benign files can trigger signatures in the built-in virus protection" ], "from": "now-30m", "index": [ "filebeat-*", "logs-o365*" ], "language": "kuery", "license": "Elastic License v2", "name": "SharePoint Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" ], "related_integrations": [ { "package": "o365", "version": "^1.3.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 73, "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Lateral Movement" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 101 }, "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_101", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json
{ "attributes": { "author": [ "Elastic" ], 
"description": "Identifies the occurrence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", "false_positives": [ "Benign files can trigger signatures in the built-in virus protection" ], "from": "now-30m", "index": [ "filebeat-*", "logs-o365*" ], "language": "kuery", "license": "Elastic License v2", "name": "SharePoint Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" ], "related_integrations": [ { "package": "o365", "version": "^1.3.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 73, "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 
}, "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.", "false_positives": [ "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." 
], "index": [ "filebeat-*", "logs-gcp*" ], "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Key Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n", "references": [ "https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" ], "related_integrations": [ { "integration": "audit", "package": "gcp", "version": "^2.0.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" } ], "risk_score": 21, "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. 
Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.", "false_positives": [ "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." ], "index": [ "filebeat-*", "logs-gcp*" ], "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Key Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n", "references": [ "https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" ], "related_integrations": [ { "integration": "audit", "package": "gcp", "version": "^2.0.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" } ], "risk_score": 21, "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/" } ] 
} ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "destination.ip", "type": "ip" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.entity_id", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [ { "id": "T1127.001", "name": "MSBuild", "reference": 
"https://attack.mitre.org/techniques/T1127/001/" } ] } ] } ], "type": "eql", "version": 102 }, "id": "0e79980b-4250-4a50-a509-69294c14e84b_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during 
triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "destination.ip", "type": "ip" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.entity_id", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [ { "id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/" } ] } ] } ], "type": "eql", "version": 103 }, "id": "0e79980b-4250-4a50-a509-69294c14e84b_103", "type": "security-rule" }
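Added example, not part of this archive and not Elastic's code or EQL engine. The two EQL sequence rules in this section, Execution of File Written or Modified by Microsoft Office (0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5, versions 105 and 106 above) and MsBuild Making Network Connections (0e79980b-4250-4a50-a509-69294c14e84b, versions 102 to 104), have the same shape: a first-stage event is joined to a later one on a key (host.id plus file.path / process.executable for the Office rule, process.entity_id for MSBuild), the first within a 2h maxspan. The Python below re-implements that join in miniature and runs both rules over constructed ECS-style events (the host ids, the update.exe path, the entity ids and the 203.0.113.10 destination are made up) to show which events each rule chains into an alert and which it drops: the Office deletion event, the process start that falls outside maxspan, and the loopback connection excluded by cidrmatch.

```python
"""Added example (not Elastic's code or EQL engine): replay the two EQL sequence
rules 0d8ad79f (Office-written exe executed) and 0e79980b (MSBuild network
connection) over constructed ECS-style events with a minimal 'sequence ... by' join."""
from datetime import datetime, timedelta
from ipaddress import ip_address

# EQL's ':' operator is case-insensitive, so process names are compared lower-cased.
OFFICE_WRITERS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                  "eqnedt32.exe", "fltldr.exe", "mspub.exe", "msaccess.exe"}
# cidrmatch(destination.ip, "127.0.0.1", "::1") excludes exactly these two addresses.
LOOPBACK = {ip_address("127.0.0.1"), ip_address("::1")}


def run_sequence(events, stages, maxspan=None):
    """Minimal EQL-style sequence join; stages are (predicate, join_key) pairs.
    A partial chain waiting at stage i advances when a later event satisfies
    stage i+1 with the same join key, and every stage must fall within maxspan
    of the chain's first event. Simplification versus real EQL: a partial chain
    is consumed as soon as it advances. Returns one event chain per alert."""
    pending = {}  # (awaited stage index, join key) -> list of partial chains
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        # Later stages first, so one event never fills two stages of one chain.
        for i in range(len(stages) - 1, -1, -1):
            predicate, join_key = stages[i]
            if not predicate(ev):
                continue
            key = join_key(ev)
            if i == 0:
                pending.setdefault((1, key), []).append([ev])
                continue
            for chain in pending.pop((i, key), []):
                if maxspan and ev["@timestamp"] - chain[0]["@timestamp"] > maxspan:
                    continue  # outside maxspan: the stale partial chain is dropped
                chain = chain + [ev]
                if i == len(stages) - 1:
                    matches.append(chain)
                else:
                    pending.setdefault((i + 1, key), []).append(chain)
    return matches


def office_wrote_exe(e):
    return (e["event.category"] == "file" and e["host.os.type"] == "windows"
            and e["event.type"] != "deletion" and e.get("file.extension", "").lower() == "exe"
            and e.get("process.name", "").lower() in OFFICE_WRITERS)


def process_start(e):
    return e["event.category"] == "process" and e["host.os.type"] == "windows" and e["event.type"] == "start"


def office_exe_executed(events):
    """Rule 0d8ad79f: Office writes an exe, then it starts within 2h on the same host."""
    return run_sequence(events, [
        (office_wrote_exe, lambda e: (e["host.id"], e["file.path"])),
        (process_start, lambda e: (e["host.id"], e.get("process.executable"))),
    ], maxspan=timedelta(hours=2))


def msbuild_external_connection(e):
    return (e["event.category"] == "network" and e["host.os.type"] == "windows"
            and e.get("process.name", "").lower() == "msbuild.exe"
            and ip_address(e["destination.ip"]) not in LOOPBACK)


def msbuild_network(events):
    """Rule 0e79980b: MSBuild.exe start, then a non-loopback connection from the
    same process.entity_id (the rule sets no maxspan)."""
    return run_sequence(events, [
        (lambda e: process_start(e) and e.get("process.name", "").lower() == "msbuild.exe",
         lambda e: e["process.entity_id"]),
        (msbuild_external_connection, lambda e: e["process.entity_id"]),
    ])


T0 = datetime(2023, 10, 2, 9, 0)
DROP = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"  # constructed path
FILE = {"event.category": "file", "event.type": "creation", "file.extension": "exe", "file.path": DROP}
START = {"event.category": "process", "event.type": "start"}
NET = {"event.category": "network", "process.name": "MSBuild.exe"}


def _ev(minutes, *parts):
    """Constructed event 'minutes' after T0 on a Windows host (not real telemetry)."""
    return {"@timestamp": T0 + timedelta(minutes=minutes), "host.os.type": "windows",
            **{k: v for part in parts for k, v in part.items()}}


SAMPLE_EVENTS = [
    # h1: Word drops an exe and it runs five minutes later -> alert
    _ev(0, FILE, {"host.id": "h1", "process.name": "WINWORD.EXE"}),
    _ev(5, START, {"host.id": "h1", "process.name": "update.exe", "process.executable": DROP}),
    # h2: Excel writes an exe that only starts three hours later -> outside maxspan, no alert
    _ev(0, FILE, {"host.id": "h2", "process.name": "EXCEL.EXE"}),
    _ev(180, START, {"host.id": "h2", "process.name": "update.exe", "process.executable": DROP}),
    # h2: Word deletes an exe -> deletion events are excluded by the rule's first stage
    _ev(1, FILE, {"event.type": "deletion", "host.id": "h2", "process.name": "WINWORD.EXE"}),
    # MSBuild entity h1-4242: the loopback connection is ignored, the external one alerts
    _ev(10, START, {"host.id": "h1", "process.name": "MSBuild.exe", "process.entity_id": "h1-4242"}),
    _ev(11, NET, {"process.entity_id": "h1-4242", "destination.ip": "127.0.0.1"}),
    _ev(12, NET, {"process.entity_id": "h1-4242", "destination.ip": "203.0.113.10"}),
]
```

Each returned chain is the pair of events an alert would carry; exceptions for known-good activity belong in a filter applied before run_sequence, not in a loosened stage predicate. Real EQL keeps richer per-key state than this consumed-on-advance model, so treat the block as an illustration of the join semantics rather than a replacement for the engine.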
security_detection_engine-8.10.3/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename; if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account IS NULL)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "destination.ip", "type": "ip" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.entity_id", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [ { "id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/" } ] } ] } ], "type": "eql", "version": 104 }, "id": "0e79980b-4250-4a50-a509-69294c14e84b_104", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename; if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account IS NULL)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "destination.ip", "type": "ip" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.entity_id", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [ { "id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/" } ] } ] } ], "type": "eql", "version": 105 }, "id": "0e79980b-4250-4a50-a509-69294c14e84b_105", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json
{ "attributes": { "author": [ "Elastic" ], "description": "The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd; however, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "auditbeat-*" ], "language": "eql", "license": "Elastic License v2", "name": "RC Script Creation", "note": "## Triage and analysis\n### Investigating RC script creation\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. The rc.local file has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. There might still be users that use rc.local in a benign manner, so investigation to see whether the file is malicious is vital. The first file to check can be found here:\n- /etc/rc.local\n\nThis file may contain a path to an executable, script or a command. Additionally, the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator` is used to convert rc.local into rc-local.service. The service and wants files can be found in the following directories:\n- /lib/systemd/system/rc-local.service\n- /run/systemd/generator/multi-user.target.wants/rc-local.service\n\nIn case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file. 
Make sure to investigate all files mentioned above, and any files these scripts link to, in order to establish whether the alert is malicious or benign behavior.\n\n### Investigating RC script execution\nThe detection rule queries for the creation of these files, but manual analysis is required to check for rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. The following command can be used to check for the execution of this service:\n\n`sudo cat /var/log/syslog | grep -E \"rc-local.service|/etc/rc.local Compatibility\"`\n\nIf logging is found, analyze it, and chances are that the contents of the rc.local file have been executed. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/rc.local files or restore them to their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by user.id, host.id with maxspan=15s\n[file where host.os.type == \"linux\" and \n event.type == \"creation\" and\n file.path == \"/etc/rc.local\"]\n[process where host.os.type == \"linux\" and \n event.type == \"start\" and\n process.name == \"chmod\" and\n process.args == \"+x\" and process.args == \"/etc/rc.local\"]\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "severity": "medium", "tags": [ "Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1037", "name": 
"Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [ { "id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/" } ] } ] } ], "type": "eql", "version": 1 }, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_1", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": [ "logs-endpoint.events.*", "auditbeat-*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": [ "host.id", "process.executable" ], "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not file.extension : \"swp\"\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" ], 
"related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" } ], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [ { "id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/" } ] } ] } ], "type": "new_terms", "version": 103 }, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_103", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. 
Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": [ "host.id", "process.executable" ], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign manner, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/lib/systemd/system/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep -E \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. 
In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not file.extension : \"swp\"\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" } ], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [ { "id": "T1037.004", "name": "RC 
Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/" } ] } ] } ], "type": "new_terms", "version": 104 }, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_104", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": [ "host.id", "process.executable" ], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign manner, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/lib/systemd/system/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. 
Systemd will generate syslogs in case of the execution of the rc-local service. `sudo grep -E \"rc-local.service|/etc/rc.local Compatibility\" /var/log/syslog` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\"dockerd\" or \"yum\" or \"rpm\" or \"dpkg\") and not file.extension : (\"swp\" or \"swx\")\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1037", "name": "Boot or 
Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [ { "id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/" } ] } ] } ], "type": "new_terms", "version": 105 }, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_105", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": [ "host.id", "process.executable" ], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign manner, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. 
\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/lib/systemd/system/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo grep -E \"rc-local.service|/etc/rc.local Compatibility\" /var/log/syslog` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\"dockerd\" or \"docker\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\") and not file.extension : (\"swp\" or \"swx\")\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [ { "id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/" } ] } ] } ], "type": "new_terms", "version": 106 }, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_106", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "note": "", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": [ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown" } ], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "This is meant to run only on datasources using 
Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "threshold": { "cardinality": [ { "field": "winlog.event_data.TargetProcessId", "value": 2 } ], "field": [ "process.entity_id" ], "value": 2 }, "timestamp_override": "event.ingested", "type": "threshold", "version": 103 }, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. 
This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "note": "", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": [ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown" } ], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "threshold": { "cardinality": [ { "field": "winlog.event_data.TargetProcessId", "value": 2 } ], "field": [ 
"process.entity_id" ], "value": 2 }, "timestamp_override": "event.ingested", "type": "threshold", "version": 104 }, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "note": "", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": [ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword" } ], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon 
Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "threshold": { "cardinality": [ { "field": "winlog.event_data.TargetProcessId", "value": 2 } ], "field": [ "process.entity_id" ], "value": 2 }, "timestamp_override": "event.ingested", "type": "threshold", "version": 105 }, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. 
This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "note": "", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": [ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword" } ], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "threshold": { "cardinality": [ { "field": "winlog.event_data.TargetProcessId", "value": 2 } ], "field": [ 
"process.entity_id" ], "value": 2 }, "timestamp_override": "event.ingested", "type": "threshold", "version": 206 }, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Privilege Escalation via Root Crontab File Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", "references": [ "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", "https://www.exploit-db.com/exploits/42146" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 73, "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "severity": "high", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [ { "id": "T1053.003", "name": "Cron", "reference": 
"https://attack.mitre.org/techniques/T1053/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01_102", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Privilege Escalation via Root Crontab File Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", "references": [ "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", "https://www.exploit-db.com/exploits/42146" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 73, "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "severity": "high", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [ { "id": 
"T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01_103", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Privilege Escalation via Root Crontab File Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", "references": [ "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", "https://www.exploit-db.com/exploits/42146" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 73, "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "severity": "high", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1053", "name": "Scheduled Task/Job", "reference": 
"https://attack.mitre.org/techniques/T1053/", "subtechnique": [ { "id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01_104", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", "false_positives": [ "Legitimate WebProxy Settings Modification" ], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "WebProxy Settings Modification", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", "references": [ "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": 
"process.parent.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "severity": "medium", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Credential Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102", "type": "security-rule" }PKec c PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", "false_positives": [ "Legitimate WebProxy Settings Modification" ], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "WebProxy Settings Modification", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", "references": [ "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], 
"required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103", "type": "security-rule" }PKWn n PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. 
This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", "false_positives": [ "Legitimate WebProxy Settings Modification" ], "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "WebProxy Settings Modification", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", "references": [ "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/" } ] } ], 
"timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", "false_positives": [ "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment." ], "index": [ "packetbeat-*", "filebeat-*" ], "language": "kuery", "license": "Elastic License v2", "name": "Abnormally Large DNS Response", "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. 
It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. 
If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", "query": "event.category:(network or network_traffic) and destination.port:53 and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes \u003e 60000\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" ], "required_fields": [ { "ecs": true, "name": "destination.port", "type": "long" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "network.bytes", "type": "long" }, { "ecs": false, "name": "type", "type": "keyword" } ], "risk_score": 47, "rule_id": "11013227-0301-4a8c-b150-4db924484475", "severity": "medium", "tags": [ "Elastic", "Network", "Threat Detection", "Lateral Movement", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "11013227-0301-4a8c-b150-4db924484475_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", "false_positives": [ "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment." ], "index": [ "packetbeat-*", "logs-network_traffic.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Abnormally Large DNS Response", "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. 
It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. 
If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", "query": "event.dataset: network_traffic.dns and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes \u003e 60000\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" ], "related_integrations": [ { "package": "network_traffic", "version": "^1.1.0" } ], "required_fields": [ { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "network.bytes", "type": "long" }, { "ecs": false, "name": "type", "type": "keyword" } ], "risk_score": 47, "rule_id": "11013227-0301-4a8c-b150-4db924484475", "severity": "medium", "tags": [ "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Use Case: Vulnerability" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1210", 
"name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "11013227-0301-4a8c-b150-4db924484475_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL SideLoading via Trusted Microsoft Programs", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": 
true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 103 }, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. 
This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL SideLoading via Trusted Microsoft Programs", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Defense Evasion", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL SideLoading via Trusted Microsoft Programs", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": 
"^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. 
Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": [ "https://github.com/AzAgarampur/byeintegrity-uac" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.args", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": 
"T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [ { "id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. 
Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": [ "https://github.com/AzAgarampur/byeintegrity-uac" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.args", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": 
"T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [ { "id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. 
Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": [ "https://github.com/AzAgarampur/byeintegrity-uac" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.args", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [ { "id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. 
Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": [ "https://github.com/AzAgarampur/byeintegrity-uac" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.args", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [ { "id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 107 }, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json
{ "attributes": { "author": [ "Elastic", "Austin Songer" ], "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.", "false_positives": [ "Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "from": "now-60m", "index": [ "filebeat-*", "logs-aws*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Export", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html" ], "related_integrations": [ { "integration": "cloudtrail", "package": "aws", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 21, "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/" }, "technique": [] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "119c8877-8613-416d-a98a-96b6664ee73a_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json
{ "attributes": { "author": [ "Elastic", "Austin Songer" ], "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.", "false_positives": [ "Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "from": "now-60m", "index": [ "filebeat-*", "logs-aws*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Export", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html" ], "related_integrations": [ { "integration": "cloudtrail", "package": "aws", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 21, "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/" }, "technique": [] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "119c8877-8613-416d-a98a-96b6664ee73a_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. 
Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not user.id : \"S-1-5-18\"\n", "references": [ "https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "powershell.file.script_block_text", "type": "unknown" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block 
Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "PowerShell" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [ { "id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [ { "id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/" } ] }, { "id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 4 }, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_4", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. 
Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", "references": [ "https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "file.directory", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "powershell.file.script_block_text", "type": "unknown" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to 
implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "PowerShell" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [ { "id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [ { "id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/" } ] }, { "id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 5 }, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_5", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. 
Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreateProcessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", "references": [ "https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "file.directory", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "powershell.file.script_block_text", "type": "unknown" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to 
implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [ { "id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [ { "id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/" } ] }, { "id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 6 }, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_6", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_7.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. 
Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreateProcessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": [ "https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "file.directory", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": false, "name": "powershell.file.script_block_text", "type": "unknown" }, { "ecs": true, "name": "user.id", "type": "keyword" } ], "risk_score": 47, "rule_id": 
"11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [ { "id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [ { "id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/" } ] }, { "id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 7 }, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_7", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json
{ "attributes": { "author": [ "Elastic" ], 
"description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": [ "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files." ], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not process.executable : (\"?:\\\\Windows\\\\Veeam\\\\Backup\\\\*\",\n \"?:\\\\Program Files\\\\Veeam\\\\Backup and Replication\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veeam\\\\Backup and Replication\\\\*\")) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"))\n )\n", "references": [ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation 
Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/" }, "technique": [ { "id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": [ "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files." ], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", "references": [ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.subject_name", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.trusted", "type": "boolean" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "If enabling an 
EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/" }, "technique": [ { "id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": [ "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files." ], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. 
They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", "references": [ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": 
"keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.subject_name", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.trusted", "type": "boolean" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/" }, "technique": [ { "id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": [ "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files." 
], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. 
Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", "references": [ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.subject_name", "type": "keyword" }, { "ecs": true, "name": "process.code_signature.trusted", "type": "boolean" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "If enabling an 
EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/" }, "technique": [ { "id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 107 }, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107", "type": "security-rule" }PKʘA,,PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.jsonUTŢ e{ "attributes": { "author": [ "Elastic", "Austin Songer" ], "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", "false_positives": [ "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "from": "now-60m", "index": [ "filebeat-*", "logs-aws*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transfer Lock Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html" ], "related_integrations": [ { "integration": "cloudtrail", "package": "aws", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 21, "rule_id": "12051077-0124-4394-9522-8f4f4db1d674", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "12051077-0124-4394-9522-8f4f4db1d674_102", "type": "security-rule" }PKV)PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.jsonUTŢ e{ 
"attributes": { "author": [ "Elastic", "Austin Songer" ], "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", "false_positives": [ "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "from": "now-60m", "index": [ "filebeat-*", "logs-aws*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transfer Lock Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html" ], "related_integrations": [ { "integration": "cloudtrail", "package": "aws", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 21, "rule_id": "12051077-0124-4394-9522-8f4f4db1d674", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "12051077-0124-4394-9522-8f4f4db1d674_103", "type": "security-rule" }PK PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_105.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "note": "## Setup", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess :\n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and\n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n \"?:\\\\Windows\\\\system32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\system32\\\\wininit.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\n \"?:\\\\Windows\\\\system32\\\\MRT.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\",\n 
\"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\",\n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and\n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\")\n", "references": [ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword" } ], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_105", "type": "security-rule" }PKd  
PKk3Wa security_detection_engine-8.10.3/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "note": "## Setup", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess : \n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and \n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\system32\\\\csrss.exe\", \n \"?:\\\\Windows\\\\system32\\\\wininit.exe\", \n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\", \n \"?:\\\\Windows\\\\system32\\\\MRT.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\", \n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\", \n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and \n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\") \n", "references": [ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, 
"name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown" } ], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 2 }, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_2", "type": "security-rule" }PKe21PKk3Wa security_detection_engine-8.10.3/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "note": "## Setup", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage 
: \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess : \n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and \n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\system32\\\\csrss.exe\", \n \"?:\\\\Windows\\\\system32\\\\wininit.exe\", \n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\", \n \"?:\\\\Windows\\\\system32\\\\MRT.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\", \n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\", \n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and \n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\") \n", "references": [ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown" } ], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback 
for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 3 }, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_3", "type": "security-rule" }PKӀɀPKk3Wa security_detection_engine-8.10.3/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_4.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "note": "## Setup", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess : \n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and \n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n 
\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\system32\\\\csrss.exe\", \n \"?:\\\\Windows\\\\system32\\\\wininit.exe\", \n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\", \n \"?:\\\\Windows\\\\system32\\\\MRT.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\", \n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\", \n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and \n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\") \n", "references": [ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" ], "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword" }, { "ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword" } ], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1003", "name": "OS 
Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [ { "id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 4 }, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_4", "type": "security-rule" }PKdGPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.", "false_positives": [ "An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account." 
], "index": [ "logs-kubernetes.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Suspicious Self-Subject Review", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n", "references": [ "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms", "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340" ], "related_integrations": [ { "package": "kubernetes", "version": "^1.4.1" } ], "required_fields": [ { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.impersonatedUser.username", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.user.username", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.verb", "type": "unknown" } ], "risk_score": 47, "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", "Kubernetes", "Continuous Monitoring", "Discovery" ], "threat": [ { "framework": "MITRE ATT\u0026CK", 
"tactic": { "id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1613", "name": "Container and Resource Discovery", "reference": "https://attack.mitre.org/techniques/T1613/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 201 }, "id": "12a2f15d-597e-4334-88ff-38a02cb1330b_201", "type": "security-rule" }PK`e'PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.", "false_positives": [ "An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account." 
], "index": [ "logs-kubernetes.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Suspicious Self-Subject Review", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n", "references": [ "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms", "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340" ], "related_integrations": [ { "package": "kubernetes", "version": "^1.4.1" } ], "required_fields": [ { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.impersonatedUser.username", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.user.username", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.verb", "type": "unknown" } ], "risk_score": 47, "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Data Source: Kubernetes", "Tactic: Discovery" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { 
"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, "technique": [ { "id": "T1613", "name": "Container and Resource Discovery", "reference": "https://attack.mitre.org/techniques/T1613/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 202 }, "id": "12a2f15d-597e-4334-88ff-38a02cb1330b_202", "type": "security-rule" }PK DPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.", "false_positives": [ "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" ], "index": [ "logs-kubernetes.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostNetwork", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": [ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" ], "related_integrations": [ { "package": "kubernetes", "version": "^1.4.1" } ], "required_fields": [ { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.requestObject.spec.hostNetwork", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.verb", "type": "unknown" } ], "risk_score": 47, "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": 
{ "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 201 }, "id": "12cbf709-69e8-4055-94f9-24314385c27e_201", "type": "security-rule" }PKKKPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.", "false_positives": [ "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" ], "index": [ "logs-kubernetes.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostNetwork", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": [ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" ], "related_integrations": [ { "package": "kubernetes", "version": "^1.4.1" } ], "required_fields": [ { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.requestObject.spec.hostNetwork", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.verb", "type": "unknown" } ], "risk_score": 47, "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": 
"TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 202 }, "id": "12cbf709-69e8-4055-94f9-24314385c27e_202", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_1.json
{ "attributes": { "author": [ "Elastic" ], "building_block_type": "default", "description": "Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.", "from": "now-119m", "index": [ "logs-endpoint.events.*" ], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "query": "process where event.type == \"start\" and \n (\n process.executable : \"?:\\\\Program.exe\" or \n process.executable regex \"\"\"(C:\\\\Program Files \\(x86\\)\\\\|C:\\\\Program Files\\\\)\\w+.exe\"\"\"\n )\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 21, "rule_id": "12de29d4-bbb0-4eef-b687-857e8a163870", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [ { "id": "T1574.009", "name": "Path Interception by Unquoted Path", "reference": "https://attack.mitre.org/techniques/T1574/009/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 1 }, "id": "12de29d4-bbb0-4eef-b687-857e8a163870_1", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_2.json
{ "attributes": { "author": [ "Elastic" ], "building_block_type": "default", "description": "Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.", "from": "now-119m", "index": [ "logs-endpoint.events.*" ], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "query": "process where event.type == \"start\" and \n (\n process.executable : \"?:\\\\Program.exe\" or \n process.executable regex \"\"\"(C:\\\\Program Files \\(x86\\)\\\\|C:\\\\Program Files\\\\)\\w+.exe\"\"\"\n )\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" } ], "risk_score": 21, "rule_id": "12de29d4-bbb0-4eef-b687-857e8a163870", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [ { "id": "T1574.009", "name": "Path Interception by Unquoted Path", "reference": "https://attack.mitre.org/techniques/T1574/009/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 2 }, "id": "12de29d4-bbb0-4eef-b687-857e8a163870_2", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.parent.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": [ "Legitimate scheduled jobs may be created during installation of new software."
], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" } ], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [ { "id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 102 }, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": [ "Legitimate scheduled jobs may be created during installation of new software." ], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" } ], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [ { "id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 103 }, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": [ "Legitimate scheduled jobs may be created during installation of new software." ], "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" } ], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [ { "id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json
{ "attributes": { "anomaly_threshold": 75, "author": [ "Elastic" ], "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", "false_positives": [ "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."
], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_user", "name": "Rare User Logon", "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", "severity": "low", "tags": [ "Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Initial Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/" }, { "id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/" } ] } ] } ], "type": "machine_learning", "version": 102 }, "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json
{ "attributes": { "anomaly_threshold": 75, "author": [ "Elastic" ], "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", "false_positives": [ "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning." ], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_user", "name": "Rare User Logon", "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", "severity": "low", "tags": [ "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/" }, { "id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/" } ] } ] } ], "type": "machine_learning", "version": 103 }, "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_104.json
{ "attributes": { "anomaly_threshold": 75, "author": [ "Elastic" ], "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", "false_positives": [ "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning." ], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_user", "name": "Rare User Logon", "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "related_integrations": [ { "package": "auditd_manager", "version": "^1.0.0" }, { "package": "endpoint", "version": "^8.2.0" }, { "package": "system", "version": "^1.6.4" } ], "risk_score": 21, "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", "severity": "low", "tags": [ "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/" }, { "id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/" } ] } ] } ], "type": "machine_learning", "version": 104 }, "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice to avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.", "false_positives": [ "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "from": "now-25m", "index": [ "filebeat-*", "logs-azure*" ], "language": "kuery", "license": "Elastic License v2", "name": "Azure External Guest User Invitation", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0" ], "related_integrations": [ { "package": "azure", "version": "^1.0.0" } ], "required_fields": [ { "ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword" }, { "ecs": false, "name": "azure.auditlogs.properties.target_resources.*.display_name", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" } ], "risk_score": 21, "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 101 }, "id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e_101", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice to avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.", "false_positives": [ "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "from": "now-25m", "index": [ "filebeat-*", "logs-azure*" ], "language": "kuery", "license": "Elastic License v2", "name": "Azure External Guest User Invitation", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0" ], "related_integrations": [ { "package": "azure", "version": "^1.0.0" } ], "required_fields": [ { "ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword" }, { "ecs": false, "name": "azure.auditlogs.properties.target_resources.*.display_name", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" } ], "risk_score": 21, "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Initial Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/" } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": [ "auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) from the Internet", "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], "required_fields": [ { "ecs": true, "name": "destination.ip", "type": "ip" }, { "ecs": true, "name": "destination.port", "type": "long" }, { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "network.transport", "type": "keyword" }, { "ecs": true, "name": "source.ip", "type": "ip" } ], "risk_score": 73,
"rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", "severity": "high", "tags": [ "Elastic", "Host", "Network", "Threat Detection", "Initial Access", "Host" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 100 }, "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_100", "type": "security-rule" }PK22UGGPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. 
It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": [ "packetbeat-*", "logs-network_traffic.*" ], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) from the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], "related_integrations": [ { "package": "network_traffic", "version": "^1.1.0" } ], "required_fields": [ { "ecs": true, "name": "destination.ip", "type": "ip" }, { "ecs": true, "name": "destination.port", "type": "long" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "network.transport", "type": "keyword" }, { "ecs": true, "name": "source.ip", "type": "ip" } ], "risk_score": 73, "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", "severity": "high", "tags": [ "Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1190", "name": "Exploit 
Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 101 }, "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_101", "type": "security-rule" }PK.[PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_102.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": [ "packetbeat-*", "logs-network_traffic.*" ], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) from the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], "related_integrations": [ { "package": "network_traffic", "version": "^1.1.0" } ], "required_fields": [ { "ecs": true, "name": "destination.ip", "type": "ip" }, { "ecs": true, "name": 
"destination.port", "type": "long" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "network.transport", "type": "keyword" }, { "ecs": true, "name": "source.ip", "type": "ip" } ], "risk_score": 73, "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", "severity": "high", "tags": [ "Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_102", "type": "security-rule" }PKK PKk3Wa security_detection_engine-8.10.3/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_1.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "building_block_type": "default", "description": "Identifies the modification of the Microsoft Office \"Office Test\" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. 
Attackers can abuse this to gain persistence on a compromised host.", "from": "now-119m", "index": [ "logs-endpoint.events.*" ], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Office Test Registry Persistence", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and\n registry.path : \"*\\\\Software\\\\Microsoft\\\\Office Test\\\\Special\\\\Perf\\\\*\"\n", "references": [ "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "registry.path", "type": "keyword" } ], "risk_score": 21, "rule_id": "14dab405-5dd9-450c-8106-72951af2391f", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [ { "id": "T1137.002", "name": "Office Test", "reference": "https://attack.mitre.org/techniques/T1137/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 1 }, "id": "14dab405-5dd9-450c-8106-72951af2391f_1", "type": "security-rule" }PK PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. 
Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.", "false_positives": [ "An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh" ], "index": [ "logs-kubernetes.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes User Exec into Pod", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n", "references": [ "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/" ], "related_integrations": [ { "package": "kubernetes", "version": "^1.4.1" } ], "required_fields": [ { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.objectRef.subresource", "type": "unknown" }, { "ecs": false, 
"name": "kubernetes.audit.verb", "type": "unknown" } ], "risk_score": 47, "rule_id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", "Kubernetes", "Continuous Monitoring", "Execution" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1609", "name": "Container Administration Command", "reference": "https://attack.mitre.org/techniques/T1609/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 201 }, "id": "14de811c-d60f-11ec-9fd7-f661ea17fbce_201", "type": "security-rule" }PK=PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.", "false_positives": [ "An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . 
Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh" ], "index": [ "logs-kubernetes.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes User Exec into Pod", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n", "references": [ "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/" ], "related_integrations": [ { "package": "kubernetes", "version": "^1.4.1" } ], "required_fields": [ { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.objectRef.subresource", "type": "unknown" }, { "ecs": false, "name": "kubernetes.audit.verb", "type": "unknown" } ], "risk_score": 47, "rule_id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Data Source: Kubernetes", "Tactic: Execution" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1609", "name": "Container Administration Command", "reference": "https://attack.mitre.org/techniques/T1609/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 202 }, "id": "14de811c-d60f-11ec-9fd7-f661ea17fbce_202", "type": "security-rule" }PK* PKk3Wc 
security_detection_engine-8.10.3/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": [ "https://pentestlab.blog/2019/10/22/persistence-time-providers/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "registry.data.strings", "type": "wildcard" }, { "ecs": true, "name": "registry.path", "type": "keyword" } ], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", 
"reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [ { "id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 102 }, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102", "type": "security-rule" }PKSP P PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": [ "https://pentestlab.blog/2019/10/22/persistence-time-providers/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "registry.data.strings", "type": "wildcard" }, { "ecs": true, "name": "registry.path", "type": "keyword" } ], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", 
"severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [ { "id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 103 }, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103", "type": "security-rule" }PK\j-th h PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. 
The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": [ "https://pentestlab.blog/2019/10/22/persistence-time-providers/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "registry.data.strings", "type": "wildcard" }, { "ecs": true, "name": "registry.path", "type": "keyword" } ], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [ { "id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104", "type": "security-rule" }PKAٓ PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.jsonUTŢ e{ 
"attributes": { "author": [ "Elastic" ], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": [ "winlogbeat-*", "logs-system.*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks 
attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "host.os.type:windows and\n(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml" ], "related_integrations": [ { "package": "system", "version": "^1.6.4" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "message", "type": "match_only_text" }, { "ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown" }, { "ecs": false, "name": 
"winlog.event_data.ShareName", "type": "unknown" } ], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [ { "id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/" } ] }, { "id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [ { "id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 105 }, "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_105", "type": "security-rule" }PKM PKk3Wc 
security_detection_engine-8.10.3/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": [ "winlogbeat-*", "logs-system.*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where 
necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml" ], "related_integrations": [ { "package": "system", "version": "^1.6.4" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "message", "type": "match_only_text" }, { "ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown" }, { "ecs": false, 
"name": "winlog.event_data.ShareName", "type": "unknown" } ], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [ { "id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/" } ] }, { "id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [ { "id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 106 }, "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_106", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": [ "winlogbeat-*", "logs-system.*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where 
necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml" ], "related_integrations": [ { "package": "system", "version": "^1.6.4" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "message", "type": "match_only_text" }, { "ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown" }, { "ecs": false, 
"name": "winlog.event_data.ShareName", "type": "unknown" } ], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [ { "id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/" } ] }, { "id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [ { "id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 107 }, "id": 
"15a8ba77-1c13-4274-88fe-6bd14133861e_107", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to configure the lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools; this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { "id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/" 
} ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to configure the lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools; this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { "id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/" 
} ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to configure the lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools; this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { "id": "T1105", "name": "Ingress Tool Transfer", 
"reference": "https://attack.mitre.org/techniques/T1105/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_107.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to configure the lock screen/desktop image and can be abused with the `lockscreenurl` argument to download remote files and tools; this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { "id": "T1105", "name": 
"Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 107 }, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_107", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Virtual Private Network Connection Attempt", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", "https://www.unix.com/man-page/osx/8/networksetup/", "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.command_line", "type": "wildcard" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 21, "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) 
for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 102 }, "id": "15dacaa0-5b90-466b-acab-63435a59701a_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). 
Adversaries may use VPN connections to laterally move and control remote systems on a network.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Virtual Private Network Connection Attempt", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", "https://www.unix.com/man-page/osx/8/networksetup/", "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.command_line", "type": "wildcard" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 21, "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, 
"technique": [ { "id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 103 }, "id": "15dacaa0-5b90-466b-acab-63435a59701a_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Virtual Private Network Connection Attempt", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", "https://www.unix.com/man-page/osx/8/networksetup/", "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.command_line", "type": "wildcard" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 21, "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/" } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "15dacaa0-5b90-466b-acab-63435a59701a_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_101.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies when an Azure Automation runbook is created or modified. 
An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.", "from": "now-25m", "index": [ "filebeat-*", "logs-azure*" ], "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Runbook Created or Modified", "note": "", "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n ) and\n event.outcome:(Success or success)\n", "references": [ "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", "https://github.com/hausec/PowerZure", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" ], "related_integrations": [ { "integration": "activitylogs", "package": "azure", "version": "^1.0.0" } ], "required_fields": [ { "ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" } ], "risk_score": 21, "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit" ], "timestamp_override": "event.ingested", "type": "query", "version": 101 }, "id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f_101", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies when an Azure 
Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.", "from": "now-25m", "index": [ "filebeat-*", "logs-azure*" ], "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Runbook Created or Modified", "note": "", "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n ) and\n event.outcome:(Success or success)\n", "references": [ "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", "https://github.com/hausec/PowerZure", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" ], "related_integrations": [ { "integration": "activitylogs", "package": "azure", "version": "^1.0.0" } ], "required_fields": [ { "ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" } ], "risk_score": 21, "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence" ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json
{ "attributes": { "author": [ "Elastic" ], 
"description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "File Creation Time Changed", "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"tmp\", \"~tmp\", \"xml\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\")\n", "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "user.name", "type": "keyword" } ], "risk_score": 47, "rule_id": 
"166727ab-6768-4e26-b80c-948b228ffc06", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [ { "id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 2 }, "id": "166727ab-6768-4e26-b80c-948b228ffc06_2", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. 
Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-windows.*" ], "language": "eql", "license": "Elastic License v2", "name": "File Creation Time Changed", "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"tmp\", \"~tmp\", \"xml\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\")\n", "related_integrations": [ { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "user.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "166727ab-6768-4e26-b80c-948b228ffc06", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense 
Evasion" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [ { "id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 3 }, "id": "166727ab-6768-4e26-b80c-948b228ffc06_3", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential Kerberos Attack via Bifrost", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", "references": [ "https://github.com/its-a-feature/bifrost" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" } ], "risk_score": 73, "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", "severity": "high", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Credential Access", "Lateral Movement" ], "threat": [ { "framework": "MITRE 
ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [ { "id": "T1550.003", "name": "Pass the Ticket", "reference": "https://attack.mitre.org/techniques/T1550/003/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [ { "id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "16904215-2c95-4ac8-bf5c-12354e047192_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential Kerberos Attack via Bifrost", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", "references": [ "https://github.com/its-a-feature/bifrost" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": 
"keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" } ], "risk_score": 73, "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", "severity": "high", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [ { "id": "T1550.003", "name": "Pass the Ticket", "reference": "https://attack.mitre.org/techniques/T1550/003/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [ { "id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "16904215-2c95-4ac8-bf5c-12354e047192_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", "from": "now-9m", "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Potential Kerberos Attack via Bifrost", 
"query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", "references": [ "https://github.com/its-a-feature/bifrost" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.category", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" } ], "risk_score": 73, "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", "severity": "high", "tags": [ "Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [ { "id": "T1550.003", "name": "Pass the Ticket", "reference": "https://attack.mitre.org/techniques/T1550/003/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, "technique": [ { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [ { "id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 104 }, "id": "16904215-2c95-4ac8-bf5c-12354e047192_104", "type": "security-rule" }PKzJPKk3Wc 
security_detection_engine-8.10.3/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", "false_positives": [ "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "from": "now-60m", "index": [ "filebeat-*", "logs-aws*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html" ], "related_integrations": [ { "integration": "cloudtrail", "package": "aws", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 21, "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [ { "id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 102 }, "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1_102", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", "false_positives": [ "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "from": "now-60m", "index": [ "filebeat-*", "logs-aws*" ], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html" ], "related_integrations": [ { "integration": "cloudtrail", "package": "aws", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" }, { "ecs": true, "name": "event.provider", "type": "keyword" } ], "risk_score": 21, "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [ { "id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1_103", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies Component 
Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and 
remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n\n(\n (registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\*\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\*\",\n 
\"HKEY_USERS\\\\*\\\\DelegateExecute\\\\*\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL\\\\*\"\n ) and not \n (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\"))\n\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name : (\"OneDrive.exe\",\"OneDriveSetup.exe\",\"FileSyncConfig.exe\",\"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": [ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "registry.data.strings", "type": "wildcard" }, { "ecs": true, "name": "registry.path", "type": "keyword" }, { "ecs": true, "name": "user.domain", "type": "keyword" } ], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for 
versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [ { "id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "16a52c14-7883-47af-8745-9357803f0d4c_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems 
compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : 
(\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": [ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "registry.data.strings", "type": "wildcard" }, { "ecs": true, "name": "registry.path", "type": "keyword" }, { "ecs": true, "name": "user.domain", "type": "keyword" } ], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [ { "id": "T1546.015", "name": "Component Object Model 
Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "16a52c14-7883-47af-8745-9357803f0d4c_105", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems 
compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : 
(\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": [ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "registry.data.strings", "type": "wildcard" }, { "ecs": true, "name": "registry.path", "type": "keyword" }, { "ecs": true, "name": "user.domain", "type": "keyword" } ], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [ { "id": 
"T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "16a52c14-7883-47af-8745-9357803f0d4c_106", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_107.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems 
compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : 
(\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": [ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.executable", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "registry.data.strings", "type": "wildcard" }, { "ecs": true, "name": "registry.path", "type": "keyword" }, { "ecs": true, "name": "user.domain", "type": "keyword" } ], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", 
"subtechnique": [ { "id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 107 }, "id": "16a52c14-7883-47af-8745-9357803f0d4c_107", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": [ "Legitimate Administrative Activity" ], "index": [ "winlogbeat-*", "logs-system.*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. 
The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "host.os.type:windows and\n(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or 
*40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse" ], "related_integrations": [ { "package": "system", "version": "^1.6.4" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "message", "type": "match_only_text" }, { "ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown" } ], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with 
Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [ { "id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/" } ] }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 105 }, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_105", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": [ "Legitimate Administrative Activity" ], "index": [ "winlogbeat-*", "logs-system.*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. 
This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n 
(*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse" ], "related_integrations": [ { "package": "system", "version": "^1.6.4" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "message", "type": "match_only_text" }, { "ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown" } ], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [ { "id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/" } ] }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 106 }, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_106", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json
{ "attributes": { "author": [ "Elastic" ], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": [ "Legitimate Administrative Activity" ], "index": [ "winlogbeat-*", "logs-system.*", "logs-windows.*" ], "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. 
This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n 
(*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse" ], "related_integrations": [ { "package": "system", "version": "^1.6.4" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.code", "type": "keyword" }, { "ecs": true, "name": "message", "type": "match_only_text" }, { "ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown" }, { "ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown" } ], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [ { "id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/" } ] }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 107 }, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_107", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. 
Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": [ "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_user_name" ], "name": "Unusual Windows Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Initial Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/" }, { "id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/" } ] } ] } ], "type": "machine_learning", "version": 102 }, "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_102", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. 
Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": [ "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_user_name" ], "name": "Unusual Windows Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/" }, { "id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/" } ] } ] } ], "type": "machine_learning", "version": 103 }, "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_103", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_104.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. 
Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": [ "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_user_name" ], "name": "Unusual Windows Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [ { "id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/" }, { "id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/" } ] } ] } ], "type": "machine_learning", "version": 104 }, "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_104", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual Windows service. This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", "false_positives": [ "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." 
], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_service" ], "name": "Unusual Windows Service", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/" } ] } ] } ], "type": "machine_learning", "version": 101 }, "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_101", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual Windows service. This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", "false_positives": [ "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." 
], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_service" ], "name": "Unusual Windows Service", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/" } ] } ] } ], "type": "machine_learning", "version": 102 }, "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_102", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_103.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual Windows service. This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", "false_positives": [ "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." 
], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_service" ], "name": "Unusual Windows Service", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/" } ] } ] } ], "type": "machine_learning", "version": 103 }, "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_103", "type": "security-rule" }PKo5s s PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.jsonUTŢ e{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", "false_positives": [ "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert." 
], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_script" ], "name": "Suspicious Powershell Script", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Execution" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [ { "id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/" } ] } ] } ], "type": "machine_learning", "version": 102 }, "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_102", "type": "security-rule" }PK2^ ^ PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.jsonUTŢ e{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", "false_positives": [ "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert." 
], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_script" ], "name": "Suspicious Powershell Script", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [ { "id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/" } ] } ] } ], "type": "machine_learning", "version": 103 }, "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_103", "type": "security-rule" }PKTO  PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_104.jsonUTŢ e{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", "false_positives": [ "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert." 
], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_anomalous_script" ], "name": "Suspicious Powershell Script", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, "technique": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [ { "id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/" } ] } ] } ], "type": "machine_learning", "version": 104 }, "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_104", "type": "security-rule" }PKXz z PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.jsonUTŢ e{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. 
Privilege elevation using tools like runas is more commonly performed by domain and network administrators than by regular Windows users.", "false_positives": [ "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_rare_user_runas_event" ], "name": "Unusual Windows User Privilege Elevation Activity", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Privilege Escalation" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [] } ], "type": "machine_learning", "version": 101 }, "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8_101", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas is more commonly performed by domain and network administrators than by regular Windows users.", "false_positives": [ "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."
], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_rare_user_runas_event" ], "name": "Unusual Windows User Privilege Elevation Activity", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [] } ], "type": "machine_learning", "version": 102 }, "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8_102", "type": "security-rule" }PKǬPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_103.jsonUTŢ e{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", "false_positives": [ "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." 
], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_rare_user_runas_event" ], "name": "Unusual Windows User Privilege Elevation Activity", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [] } ], "type": "machine_learning", "version": 103 }, "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8_103", "type": "security-rule" }PKU2zzPKk3Wc security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.jsonUTŢ e{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", "false_positives": [ "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_rare_user_type10_remote_login" ], "name": "Unusual Windows Remote User", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. 
Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", "severity": "low", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Initial Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/" } ] } ], "type": "machine_learning", "version": 101 }, "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9_101", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", "false_positives": [ "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_rare_user_type10_remote_login" ], "name": "Unusual Windows Remote User", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/" } ] } ], "type": "machine_learning", "version": 102 }, "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9_102", "type": "security-rule" }PK/n n PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_103.jsonUTŢ e{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. 
RDP attacks, such as BlueKeep, also tend to use unusual usernames.", "false_positives": [ "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": [ "v3_windows_rare_user_type10_remote_login" ], "name": "Unusual Windows Remote User", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", "severity": "low", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { "id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/" } ] } ], "type": "machine_learning", "version": 103 }, "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9_103", "type": "security-rule" }
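The four machine_learning rules above (Unusual Windows Service, Suspicious Powershell Script, Unusual Windows User Privilege Elevation Activity, Unusual Windows Remote User) carry no query of their own: the scoring happens in the referenced ML jobs, whose internals are not part of this package. The example below is added here and is not Elastic's job or rule code. It approximates what the job id v3_windows_rare_user_type10_remote_login names, a rare-user check on logon type 10 (RemoteInteractive, RDP), with a plain frequency baseline: a 7-day history per (host, user), a 45-minute evaluation window matching the rule's "from": "now-45m", and an alert for any RDP logon whose user has fewer than a handful of prior RDP logons on that host. The events are constructed, and the field names (winlog.logon.type, user.name, host.name, event.code) are an assumption about how the Windows integration ships 4624 events. Console logons are deliberately ignored so the example shows why the job is scoped to type 10 rather than all logons.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def logon(ts, host, user, logon_type):
    # Constructed ECS/winlog-shaped 4624 event (assumed field names, not real telemetry).
    return {"@timestamp": ts, "event.code": "4624", "host.name": host,
            "user.name": user, "winlog.logon.type": logon_type}


def sample_events(now):
    """A constructed week of logons: two routine RDP users, one helpdesk account
    that RDPs once, and a never-before-seen account inside the last 45 minutes."""
    ev = []
    for day in range(7):
        for hour in (1, 5):
            ev.append(logon(now - timedelta(days=day, hours=hour), "srv01", "jdoe", "RemoteInteractive"))
        ev.append(logon(now - timedelta(days=day, hours=2), "srv01", "svc_monitor", "RemoteInteractive"))
    ev.append(logon(now - timedelta(days=5, hours=3), "srv01", "helpdesk1", "RemoteInteractive"))
    # Evaluation window (the rule's "from": "now-45m").
    ev.append(logon(now - timedelta(minutes=30), "srv01", "jdoe", "RemoteInteractive"))
    ev.append(logon(now - timedelta(minutes=20), "srv01", "helpdesk1", "RemoteInteractive"))
    ev.append(logon(now - timedelta(minutes=10), "srv01", "x_admin", "RemoteInteractive"))
    ev.append(logon(now - timedelta(minutes=5), "srv01", "x_admin", "Interactive"))  # console logon: out of scope
    return ev


def rare_rdp_users(events, now, history_days=7, lookback_minutes=45, min_prior=3):
    """Flag RemoteInteractive (logon type 10) logons inside the lookback window whose
    (host, user) pair occurred fewer than `min_prior` times in the preceding history.
    Returns one alert dict per flagged logon, oldest first."""
    eval_start = now - timedelta(minutes=lookback_minutes)
    hist_start = now - timedelta(days=history_days)
    prior = Counter()
    for e in events:
        if (e["winlog.logon.type"] == "RemoteInteractive"
                and hist_start <= e["@timestamp"] < eval_start):
            prior[(e["host.name"], e["user.name"])] += 1
    alerts = []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if e["winlog.logon.type"] != "RemoteInteractive":
            continue
        if not eval_start <= e["@timestamp"] <= now:
            continue
        key = (e["host.name"], e["user.name"])
        if prior[key] < min_prior:
            alerts.append({"host": key[0], "user": key[1],
                           "prior_rdp_logons": prior[key],
                           "first_seen": prior[key] == 0,
                           "timestamp": e["@timestamp"].isoformat()})
    return alerts


def demo():
    """Run the baseline over the constructed week with a fixed clock."""
    now = datetime(2023, 9, 8, 9, 0, tzinfo=timezone.utc)
    return rare_rdp_users(sample_events(now), now)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The two alerts this produces (helpdesk1 with one prior logon, x_admin never seen) map onto the rule's own triage questions: is the user in a group that normally uses RDP on this host, and is the activity a known support workflow. A count threshold is a coarse stand-in for the job's anomaly score; the point is the windowing, which is what keeps a routine user such as jdoe from ever alerting.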
security_detection_engine-8.10.3/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json
{ "attributes": { "author": [ "Elastic" ], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": [ "file.path", "process.name" ], "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", "references": [ "https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "severity": "medium", "tags": [ "Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Privilege Escalation", "Elastic Endgame" ], 
"threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1 }, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_1", "type": "security-rule" }PK`NNPKk3Wa security_detection_engine-8.10.3/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. 
This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": [ "file.path", "process.name" ], "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", "references": [ "https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.002", "name": "Systemd Service", "reference": 
"https://attack.mitre.org/techniques/T1543/002/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2 }, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_2", "type": "security-rule" }PKnnPKk3Wa security_detection_engine-8.10.3/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_3.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. 
This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": [ "file.path", "process.name" ], "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \n \"elastic-agent\" or \"cinc-client\") or file.extension : (\"swp\" or \"swx\"))\n", "references": [ "https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": 
"https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3 }, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_3", "type": "security-rule" }PKCaPKk3Wa security_detection_engine-8.10.3/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_4.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. 
This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": [ "logs-endpoint.events.*", "endgame-*" ], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": [ "file.path", "process.name" ], "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \n \"elastic-agent\" or \"cinc-client\") or file.extension : (\"swp\" or \"swx\"))\n", "references": [ "https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" ], "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "file.extension", "type": "keyword" }, { "ecs": true, "name": "file.path", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" } ], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": 
"https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/" } ] } ] }, { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [ { "id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4 }, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_4", "type": "security-rule" }PK$PKk3Wc security_detection_engine-8.10.3/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.jsonUTŢ e{ "attributes": { "author": [ "Elastic" ], "description": "Identifies process execution with a single character process name. 
This is often done by adversaries while staging or executing temporary utilities.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution - Short Program Name", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [ { "id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 104 }, "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104", "type": "security-rule" }
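The New Systemd Service Created by Previously Unknown Process rule (17b0a495-4d9f-414c-8ad0-92f018b8e001, versions 1 to 4 above) is a new_terms rule: the KQL query selects unit-file creations outside a package-manager exclusion list, and the rule then alerts only when the combination of the new_terms_fields (file.path, process.name) has not been seen since history_window_start (now-7d). The block below is an added example, not Elastic's rule engine, that re-expresses the version 3/4 query in Python and emulates the new-terms step over constructed ECS-shaped file events; field names are the ones listed in the rule's required_fields, and the timestamps, hosts and paths are invented for the demonstration. KQL wildcards on a keyword field match any characters including "/", which is why fnmatchcase is a faithful stand-in for the path and python* patterns.

```python
import os
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Patterns and exclusions copied from the rule's KQL (versions 3 and 4).
UNIT_DIRS = ("/etc/systemd/system/*", "/usr/local/lib/systemd/system/*",
             "/lib/systemd/system/*", "/usr/lib/systemd/system/*",
             "/home/*/.config/systemd/user/*")
EXCLUDED_PROCESSES = ("dpkg", "dockerd", "rpm", "snapd", "yum", "exe", "dnf",
                      "dnf-automatic", "python*", "elastic-agent", "cinc-client")
EXCLUDED_EXTENSIONS = ("swp", "swx")


def matches_query(ev):
    """The rule's KQL filter, one clause per test, in the same order."""
    if ev.get("host.os.type") != "linux":
        return False
    if ev.get("event.action") not in ("creation", "file_create_event"):
        return False
    if not any(fnmatchcase(ev.get("file.path", ""), p) for p in UNIT_DIRS):
        return False
    if any(fnmatchcase(ev.get("process.name", ""), p) for p in EXCLUDED_PROCESSES):
        return False
    if ev.get("file.extension") in EXCLUDED_EXTENSIONS:
        return False
    return True


def new_terms_alerts(events, now, history_days=7, lookback_minutes=9):
    """Emulate the new_terms rule type: an event inside the lookback window alerts
    only if its (file.path, process.name) pair has not occurred among query-matching
    events since history_window_start. Events are processed oldest first."""
    history_start = now - timedelta(days=history_days)
    eval_start = now - timedelta(minutes=lookback_minutes)
    seen, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["@timestamp"] < history_start or not matches_query(ev):
            continue
        key = (ev["file.path"], ev["process.name"])
        if ev["@timestamp"] >= eval_start and key not in seen:
            alerts.append({"file.path": key[0], "process.name": key[1]})
        seen.add(key)
    return alerts


def fevent(now, minutes_ago, proc, path, action="creation", os_type="linux"):
    # Constructed file-creation event; field names follow the rule's required_fields.
    return {"@timestamp": now - timedelta(minutes=minutes_ago), "host.os.type": os_type,
            "event.action": action, "process.name": proc, "file.path": path,
            "file.extension": os.path.splitext(path)[1].lstrip(".")}


def demo_systemd():
    now = datetime(2023, 9, 8, 12, 0, tzinfo=timezone.utc)
    events = [
        fevent(now, 3 * 24 * 60, "dpkg", "/lib/systemd/system/ssh.service"),       # package manager: excluded
        fevent(now, 2 * 24 * 60, "bash", "/etc/systemd/system/backup.service"),    # history: seeds the term set
        fevent(now, 5, "bash", "/etc/systemd/system/backup.service"),              # same pair again: no alert
        fevent(now, 4, "vim", "/etc/systemd/system/.update.service.swp"),          # editor swap file: excluded
        fevent(now, 3, "python3", "/etc/systemd/system/update.service"),           # python*: excluded by the rule
        fevent(now, 2, "curl", "/home/bob/.config/systemd/user/sync.service"),     # new pair in a user unit dir: alert
        fevent(now, 1, "bash", "/etc/systemd/system/update.service"),              # known process, new path: alert
        fevent(now, 1, "sh", "/tmp/evil.service"),                                 # outside the unit directories
        fevent(now, 1, "bash", "/etc/systemd/system/x.service", os_type="macos"),  # not linux
    ]
    return new_terms_alerts(events, now)


if __name__ == "__main__":
    for alert in demo_systemd():
        print(alert)
```

Two properties of the rule fall out of the run. The history seeding means a unit re-created by the same process name at the same path within seven days never alerts, so an attacker overwriting an existing unit with the same tool that created it stays below the rule. And the python* exclusion, added in version 3 to quiet configuration management, removes any Python-driven dropper as well; versions 1 and 2 only excluded dpkg, dockerd, rpm, snapd and .swp files.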
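The Suspicious Execution - Short Program Name rule (17c7f6a5-5bc9-4e1f-92bf-13632d24384d, version 104 above) reads as a contradiction at first glance: the description says "single character process name" while the EQL tests length(process.name) == 5. The two agree because process.name carries the extension, so a five-character name is a one-character basename plus ".exe" (a.exe, p.exe). The second half of the query, length(process.pe.original_file_name) > 5, is what turns a naming quirk into a renaming detection: the PE version resource keeps the original file name after a rename. The example below is added here and is not Elastic's code; it ports the query to Python over constructed process events (assumed ECS field names from the rule's required_fields) and makes EQL's null handling explicit, because that is the rule's main blind spot: a binary with no version resource has no process.pe.original_file_name, length(null) is null, and a comparison with null is not satisfied, so the event does not match.

```python
def eql_length(value):
    """EQL length(): null in, null out."""
    return None if value is None else len(value)


def eql_gt(a, b):
    # A comparison involving null is not true in EQL; the event simply does not match.
    return a is not None and b is not None and a > b


def eql_eq(a, b):
    return a is not None and b is not None and a == b


def field_equals(ev, field, value):
    """EQL '==' against an ECS array field (event.type, event.category) is true
    when any element equals the value; scalar fields compare directly."""
    got = ev.get(field)
    return value in (got if isinstance(got, list) else [got])


def short_program_name_match(ev):
    """Port of the rule's EQL:
    process where host.os.type == "windows" and event.type == "start" and
    length(process.name) > 0 and length(process.name) == 5 and
    length(process.pe.original_file_name) > 5"""
    if not field_equals(ev, "event.category", "process"):
        return False
    if ev.get("host.os.type") != "windows" or not field_equals(ev, "event.type", "start"):
        return False
    name_len = eql_length(ev.get("process.name"))
    orig_len = eql_length(ev.get("process.pe.original_file_name"))
    return eql_gt(name_len, 0) and eql_eq(name_len, 5) and eql_gt(orig_len, 5)


def proc_start(name, original=None, os_type="windows", etype="start"):
    # Constructed process event in ECS shape (assumed field names, not real telemetry).
    # process.pe.original_file_name is left absent when the binary has no version resource.
    ev = {"event.category": ["process"], "event.type": [etype],
          "host.os.type": os_type, "process.name": name}
    if original is not None:
        ev["process.pe.original_file_name"] = original
    return ev


SAMPLE_EVENTS = [
    proc_start("a.exe", "PsExec.exe"),                   # renamed utility: matches
    proc_start("p.exe", "procdump.exe"),                 # renamed utility: matches
    proc_start("a.exe", "a.exe"),                        # genuinely short original name: 5 is not > 5
    proc_start("cmd.exe", "Cmd.Exe"),                    # seven-character name
    proc_start("x.exe"),                                 # no version resource: length(null) never compares true
    proc_start("a.exe", "PsExec.exe", etype="end"),      # not a start event
    proc_start("a.exe", "PsExec.exe", os_type="linux"),  # wrong OS
]


def evaluate(events):
    """Return (process.name, process.pe.original_file_name) for every matching event."""
    return [(e["process.name"], e["process.pe.original_file_name"])
            for e in events if short_program_name_match(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The x.exe case is the one to keep in mind when tuning: an adversary who strips or never ships a version resource produces an event this rule cannot match, so the rule is a renamed-tool detector, not a short-name detector, which is exactly how version 106 below renames it.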
security_detection_engine-8.10.3/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution - Short Program Name", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [ { "id": "T1036.003",
"name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 105 }, "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Renamed Utility Executed with Short Program Name", "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [ { "id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 106 }, "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies
the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.", "from": "now-9m", "index": [ "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" ], "language": "eql", "license": "Elastic License v2", "name": "Renamed Utility Executed with Short Program Name", "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" }, { "package": "windows", "version": "^1.5.0" } ], "required_fields": [ { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" } ], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [ { "id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/" } ] } ] } ], "timestamp_override": "event.ingested", "type": "eql", "version": 107 }, "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_101.json
{ "attributes": { "anomaly_threshold":
50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": [ "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_server_domain", "name": "Unusual Network Destination Domain Name", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", "severity": "low", "tags": [ "Elastic", "Network", "Threat Detection", "ML", "Machine Learning" ], "type": "machine_learning", "version": 101 }, "id": "17e68559-b274-4948-ad0b-f8415bb31126_101", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_102.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity.
For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": [ "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_server_domain", "name": "Unusual Network Destination Domain Name", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "risk_score": 21, "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", "severity": "low", "tags": [ "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning" ], "type": "machine_learning", "version": 102 }, "id": "17e68559-b274-4948-ad0b-f8415bb31126_102", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_103.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name.
When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": [ "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." ], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_server_domain", "name": "Unusual Network Destination Domain Name", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "related_integrations": [ { "package": "auditd_manager", "version": "^1.0.0" }, { "package": "endpoint", "version": "^8.2.0" } ], "risk_score": 21, "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", "severity": "low", "tags": [ "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning" ], "type": "machine_learning", "version": 103 }, "id": "17e68559-b274-4948-ad0b-f8415bb31126_103", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.", "false_positives": [ "Logging sink modifications may be done by a system or network administrator.
Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "index": [ "filebeat-*", "logs-gcp*" ], "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Sink Modification", "note": "", "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n", "references": [ "https://cloud.google.com/logging/docs/export#how_sinks_work" ], "related_integrations": [ { "integration": "audit", "package": "gcp", "version": "^2.0.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" } ], "risk_score": 21, "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/" }, "technique": [ { "id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/" } ] } ], "timestamp_override": "event.ingested", "type": "query", "version": 103 }, "id": "184dfe52-2999-42d9-b9d1-d1ca54495a61_103", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_104.json
{ "attributes": { "author": [ "Elastic" ], "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP).
Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.", "false_positives": [ "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "index": [ "filebeat-*", "logs-gcp*" ], "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Sink Modification", "note": "", "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n", "references": [ "https://cloud.google.com/logging/docs/export#how_sinks_work" ], "related_integrations": [ { "integration": "audit", "package": "gcp", "version": "^2.0.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.dataset", "type": "keyword" }, { "ecs": true, "name": "event.outcome", "type": "keyword" } ], "risk_score": 21, "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Exfiltration" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/" }, "technique": [ { "id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/" } ] } ], "timestamp_override": "event.ingested", "type": "query", 
"version": 104 }, "id": "184dfe52-2999-42d9-b9d1-d1ca54495a61_104", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1.json
{ "attributes": { "author": [ "Elastic" ], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit.", "from": "now-9m", "index": [ "logs-endpoint.events.*" ], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"gcc\", \"g++\", \"cc\") and user.id != \"0\"] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and event.type == \"creation\" and \n process.name == \"ld\" and user.id != \"0\"] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n user.id != \"0\"] by process.name\n [process where host.os.type == \"linux\" and event.action in (\"uid_change\", \"guid_change\") and event.type == \"change\" and \n user.id == \"0\"] by process.name\n", "related_integrations": [ { "package": "endpoint", "version": "^8.2.0" } ], "required_fields": [ { "ecs": true, "name": "event.action", "type": "keyword" }, { "ecs": true, "name": "event.type", "type": "keyword" }, { "ecs": true, "name": "file.name", "type": "keyword" }, { "ecs": true, "name": "host.id", "type": "keyword" }, { "ecs": true, "name": "host.os.type", "type": "keyword" }, { "ecs": true, "name": "process.args", "type": "keyword" }, { "ecs": true, "name": "process.name", "type": "keyword" }, { "ecs": true, "name": "user.id", "type": "keyword" }
], "risk_score": 47, "rule_id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6", "severity": "medium", "tags": [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend" ], "threat": [ { "framework": "MITRE ATT\u0026CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/" } ] } ], "type": "eql", "version": 1 }, "id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1", "type": "security-rule" }
security_detection_engine-8.10.3/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_104.json
{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", "false_positives": [ "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges." ], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_error_code", "name": "Rare AWS Error Code", "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message.
These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command.
If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment.
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "related_integrations": [], "risk_score": 21, "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide" ], "type": "machine_learning", "version": 104 }, "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_104", "type": "security-rule" }

security_detection_engine-8.10.3/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_105.json

{ "attributes": { "anomaly_threshold": 50, "author": [ "Elastic" ], "description": "A machine learning job detected an unusual error in a CloudTrail message. 
These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", "false_positives": [ "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges." ], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_error_code", "name": "Rare AWS Error Code", "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], "related_integrations": [], "risk_score": 21, "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide" ], "type": "machine_learning", "version": 105 }, "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_105", "type": "security-rule" }